
To redirect several subdomains on the same IP to different hosts, I'm using haproxy (1.7.5, Debian stable) and it works fine. However I also want to restrict access to some hosts by IP and display a clean message (proper 403 error page) to rejected hosts, and that's where I can't find a solution.

The best I have so far is a configuration that uses a "reject" backend; however I don't know how to configure this one to get anything but SSL errors on the browser end.

The configuration looks like this:

frontend http_redirect
    bind *:80
    redirect scheme https if !{ ssl_fc }

frontend tls_router
    bind *:443
    mode tcp
    option tcplog
    option tcpka

    acl demo_acl req_ssl_sni -i demo.myhost.org
    acl www_acl req_ssl_sni -i www.myhost.org
    acl demo_network_allowed src 10.1.1.0/24

    # use_backend rules are evaluated in order, first match wins, so the
    # reject rule has to come before the unconditional demo rule
    use_backend reject_access if demo_acl !demo_network_allowed
    use_backend demo_tls if demo_acl
    use_backend www_tls if www_acl

backend www_tls
    mode tcp
    option tcpka
    server www_srv 192.168.1.2:443

backend demo_tls
    mode tcp
    option tcpka
    server demo_srv 192.168.1.3:443

backend reject_access
    mode http
    # errorfile 403 /etc/haproxy/errors/403.http
    # server demo  192.168.1.2:443
    http-request set-path www.myhost.org/403.html
    http-request redirect scheme https if ! { ssl_fc }

As is clear from the "reject_access" backend, I tried several things with the same result:

$ LANG=C wget  --no-check-certificate -S https://demo.myhost.org
--2019-07-01 18:48:31--  https://demo.host.org/
Resolving demo.myhost.org... 10.12.24.1
Connecting to demo.myhost.org|10.12.24.1|:443... connected.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Unable to establish SSL connection.

Any help in this configuration welcome.

wazoox

1 Answer

You can't change the URL of an SSL request in tcp mode. You have to terminate SSL in HAProxy.

The error says it can't make an SSL connection. The reject backend makes an HTTP request to 443.

Edit: example of SSL termination

frontend https443
    bind *:443 ssl crt someWildcard.pem
    #http-request set-log-level silent

    # SSL is terminated, so we can see the URL path
    acl restricted_page path_beg,url_dec -i /admin
    http-request deny if restricted_page

    default_backend b_http
dario
  • That I understood... However I redirect all HTTP traffic to HTTPS, so... – wazoox Jul 01 '19 at 21:24
  • The frontend is in tcp mode; it doesn't terminate SSL (bind ... ssl crt ...). – dario Jul 02 '19 at 14:26
  • Is it possible to configure the frontend in http mode in an SSL configuration? From what I understood, I must use tcp... or could it work if I use a wildcard SSL cert for HAProxy, maybe? – wazoox Jul 02 '19 at 15:38
  • In tcp mode you can use SNI to route connections to backend servers, as you are doing now. In tcp mode you can change the client request to some other URL. You can configure it instead in http mode and do SSL termination. You can have a wildcard cert or multiple certs. When you terminate SSL, then you can rewrite URLs. I'll append an example to the answer. – dario Jul 03 '19 at 07:15
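Putting the answer together with the question's original layout, here is an added example (not from the original post or the answer) of a complete HAProxy 1.7 configuration that terminates TLS on the router, keeps the per-hostname routing, and turns the source-IP restriction into a real HTTP 403 instead of a failed handshake. The hostnames, backend IPs and the 10.1.1.0/24 network are the ones from the question; the certificate directory, the internal CA file and the hostname of the 403 error file are assumptions.

```haproxy
# Added example, not the poster's config. Placeholders: /etc/haproxy/certs/
# (one PEM per hostname, or a single wildcard PEM) and internal-ca.crt (the CA
# that signed the origin servers' certificates) are assumed paths.

global
    log /dev/log local0
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s
    # Raw HTTP response returned by "http-request deny"; Debian ships this
    # file with the haproxy package, so a custom body only needs to replace it.
    errorfile 403 /etc/haproxy/errors/403.http

frontend http_redirect
    bind *:80
    redirect scheme https code 301 if !{ ssl_fc }

frontend tls_router
    # TLS is terminated here; HAProxy picks the certificate by SNI from the
    # PEM files in the directory, so several hostnames can share one bind.
    bind *:443 ssl crt /etc/haproxy/certs/

    # After termination the SNI is still available as ssl_fc_sni, so routing
    # stays the same as the tcp-mode version; clients that send no SNI fall
    # through to default_backend.
    acl host_demo ssl_fc_sni -i demo.myhost.org
    acl host_www  ssl_fc_sni -i www.myhost.org
    acl demo_network_allowed src 10.1.1.0/24

    # Deny at the HTTP layer: the client completes the handshake and receives
    # a 403 with the errorfile body. This must precede the use_backend rules.
    http-request deny if host_demo !demo_network_allowed

    use_backend demo_tls if host_demo
    use_backend www_tls  if host_www
    default_backend www_tls

backend www_tls
    # Re-encrypt to the origin and verify its certificate against the
    # internal CA (assumed file) instead of "verify none".
    server www_srv 192.168.1.2:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.crt

backend demo_tls
    server demo_srv 192.168.1.3:443 ssl verify required ca-file /etc/haproxy/certs/internal-ca.crt
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. From an address outside 10.1.1.0/24, `curl -sk -o /dev/null -w '%{http_code}\n' https://demo.myhost.org/` should print `403` with a valid TLS session rather than the "unknown protocol" failure from the question; from inside the network it should reach the demo server. Two caveats: `src` is the address of the TCP peer, so if another proxy or load balancer sits in front of HAProxy the check sees that proxy's address and you would need `accept-proxy`/PROXY protocol or a trusted X-Forwarded-For instead; and because HAProxy now holds the private keys for these hosts, the PEM files must be readable only by the haproxy process.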