0

I have 2 websites, websitea.com and websiteb.com, these are hosted on two servers 10.0.0.8 and 10.0.0.12 for load balancer and I try to made it work with both HTTP,HTTPS protocol with this config.

HTTPS is working fine for https://websitea.com, but https://websiteb.com always redirect to https://websitea.com even I do not config redirect anywhere. Please point me where I wrong and what should I do for fix this.

global
    ...
    tune.ssl.default-dh-param 2048

defaults
    ....

listen stats :4444
    ...

frontend http-web
    bind *:80
    default_backend     http-in

#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend http-in
    redirect scheme https if !{ ssl_fc }
    cookie      SERVERID insert indirect nocache
    option      forwardfor header X-Real-IP
    option      http-server-close
    option      httplog
    balance     roundrobin
    server      web01 10.0.0.8:80 check
    server      web02 10.0.0.12:80 check

frontend https-web
    bind *:443 ssl crt /etc/haproxy/ssl/websitea.pem crt /etc/haproxy/ssl/websiteb.pem
    mode http
    default_backend https-in

backend https-in
    mode http
    balance roundrobin
    stick-table type ip size 200k expire 30m
    stick on src
    default-server inter 1s
    server  web01 10.0.0.8:443 check ssl verify none
    server  web02 10.0.0.12:443 check ssl verify none

websitea.conf

This is my NGINX websitea.conf for server 10.0.0.8. In server 10.0.0.12 the main difference is IP Address only.

server {
        listen   10.0.0.8:443 ssl http2;

        server_name websitea.com;

        # SSL
        ssl_certificate /etc/nginx/ssl/websitea-bundle-full.crt;
        ssl_certificate_key /etc/nginx/ssl/websitea-private.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

        # Improve HTTPS performance with session resumption
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 1d;

        # DH parameters
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;

        # Enable HSTS
        add_header Strict-Transport-Security "max-age=31536000" always;    


        access_log /var/log/nginx/websitea.access.log main_ext;
        error_log /var/log/nginx/websitea.errors.log warn;

        ....
    }

websiteb.conf

server {
        listen   10.0.0.8:443 ssl http2;

        server_name websiteb.com;

        # SSL
        ssl_certificate /etc/nginx/ssl/websiteb-bundle-full.crt;
        ssl_certificate_key /etc/nginx/ssl/websiteb-private.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

        # Improve HTTPS performance with session resumption
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 1d;

        # DH parameters
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;

        # Enable HSTS
        add_header Strict-Transport-Security "max-age=31536000" always;    


        access_log /var/log/nginx/websitea.access.log main_ext;
        error_log /var/log/nginx/websitea.errors.log warn;

        ....
    }
Viet Nguyen
  • 133
  • 8
  • Are nginx and haproxy running on the same host ? – drookie Dec 06 '18 at 17:18
  • You are forcing https in http backend so it would never reach server via http frontend / backend... you can do it directly in frontend or have common frontend with both bind and redirect condition ````redirect scheme https if !{ ssl_fc }````. The "wrong" redirection is recognized by the content or just cert? – Kamil J Dec 06 '18 at 23:54
  • @drookie No, they are running in different server. – Viet Nguyen Dec 07 '18 at 01:11
  • @KamilJ Can you give more detail? – Viet Nguyen Dec 07 '18 at 01:12

2 Answers2

0

For the redirection related to websiteb => websitea I don't see really the reason. Please check:

  • correct certifite : is really content wrong or just certificate? If only certificate check the haproxy log related to loading the certs and also directly certs - CN, SubjectAlternativeName, Validity ; and also permission on the file with the cert

  • content : If the content is wrong I would expect that the redirection is come from backend / server. In that case please check the nginx config (in the question it is reduced) as I guess the redirection is not realized by haproxy.

As I have wrote already in the comment there is a space for make it a little bit smaller with the same behaviour. Especially redirect scheme https if !{ ssl_fc } causing the redirection from http to https (to be exact it says redirect to https in case it is not secured / not https - SSL or TLS). As you are doing it in backend for http, there is not needed "jump" to backend as this can be done directly in frontend.

Next to it you can have one frontend with more bind options so you can have one frontend where you make definition and also force https. I didn't check all your options and reason why you have used there I have just "tuned" necessary stuff to have it combined:

  • in one frontend both http/https

    bind :*80
bind *:443 ssl crt /etc/hapr...

  • to load all certificate from the selected folder (you don't need to list all certs)

    ... ssl crt /etc/haproxy/ssl/ ...

  • have it at least little bit secure (once it is publicky available you can check setting using ssllabs webpage)

    ... no-sslv3 ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

  • to force all traffic to be secured

    redirect scheme https if !{ ssl_fc }

Your config with necessary changes may be:

global
    ...
    tune.ssl.default-dh-param 2048

defaults
    ....

listen stats :4444
    ...

frontend web
    mode http
    bind *:80
    bind *:443 ssl crt /etc/haproxy/ssl/ no-sslv3 ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    redirect scheme https if !{ ssl_fc }
    default_backend https-in

backend https-in
    mode http
    balance roundrobin
    stick-table type ip size 200k expire 30m
    stick on src
    default-server inter 1s
    server  web01 10.0.0.8:443 check ssl verify none
    server  web02 10.0.0.12:443 check ssl verify none

No other frontend or backend is needed.

Kamil J
  • 1,632
  • 1
  • 5
  • 10
  • Thanks for your great answer and your useful information but the issue I face now is: WEBSITEB always redirect to WEBSITEA and I don't want this. – Viet Nguyen Dec 07 '18 at 15:12
  • My certificate is correct and works very well. I remove every redirect part in Nginx already – Viet Nguyen Dec 07 '18 at 15:14
  • Ok and are you sure the redirection is done on haproxy side? As I have mentioned haproxy seems ok for me. The redirection is the most probably caused on nginx side. Check it there. – Kamil J Dec 07 '18 at 15:14
  • Ok, in that case try in private browsing mode. In case there were 301 (permanent redirect) it can be cached on browser side. Private browsing mode may be enough - to not clear a cache ;) – Kamil J Dec 07 '18 at 15:29
  • I always use private browsing mode and try browser on various computer but same. I don't really know where the problem is, Haproxy or Nginx damn... – Viet Nguyen Dec 07 '18 at 15:31
  • 1
    on ha proxy there is nothing what can cause it... As you have reduce the config for nginx it is hard to help... Anyway one note. Once you check the websiteb, there is log file pointing to the same filename as website a : ````websitea.access.log```` and ````websitea.errors.log````. It seems you have just copy the config and (not fully) replace the hostname. Double / triple check the config for ````websiteb.conf````. There will be something ;). – Kamil J Dec 07 '18 at 17:50
  • Solved, the main problem is I define cert twice in a row. Certificate should not be defined in Nginx config while it already exists in Haproxy config. – Viet Nguyen Dec 08 '18 at 13:47
0

Solved, the main problem is I define cert twice in a row. Certificate should not be defined in Nginx config while it already exists in Haproxy config.

Viet Nguyen
  • 133
  • 8