
My HAProxy SSL termination setup works exactly as expected for LAN clients, but if I use a WAN client (e.g. Tor Browser) I get a certificate error. Yet, they can bypass my 80->443 redirect and access my server on port 80 if I provide a firewall rule allowing access to port 80. How can I ensure WAN clients connect with HTTPS?

My front end is configured to use my wildcard certificate, *.example.com, with a rule which routes requests to the correct backend server. I also have a frontend redirect from port 80 to 443. The system works exactly as I expect for clients on my home network: when visiting subdomain.example.com in a browser:

  • all subdomain.example.com:80 requests are forwarded to subdomain.example.com:443
  • HAproxy frontend performs SSL offloading
  • the client is connected to the backend server 192.168.1.50:80 via HTTPS as I expected.

However, when I try to connect to my subdomain from outside my local network, e.g. subdomain.example.com:443 using TOR browser, I receive a "Secure Connection Failed" message, with "Error code: SSL_ERROR_RX_RECORD_TOO_LONG".

If I create a firewall rule allowing access to port 192.168.1.50:80, I can change the Tor Browser to HTTP mode and then connect to my backend server in an unsecured way. But, I don't understand how this is possible. I expect at least that the http redirect I created in the HAProxy frontend would be respected.

How could an outside client bypass my HAProxy front end redirect? I assume whatever is happening here is also related to the outside client not establishing a secure connection with my HAProxy front end.

  • Post your configuration and relevant haproxy logs of failed requests. Also this `192.168.1.50:80 via HTTPS` is very suspicious or just bad wording. – tbielaszewski Dec 04 '22 at 17:22
  • Thanks, I meant that the client uses port 443 and receives the certificate that is on my proxy, not on the server which is the intended destination of the client. The connection from the proxy to the destination server is unencrypted HTTP using port 80. – rusticbison Dec 04 '22 at 18:13

1 Answer


I've solved my issue. Here is what I did:

  1. Create a virtual IP (Firewall --> Virtual IPs --> Add)
  2. IP Alias --> WAN --> Single Address (I picked an address that wasn't in use, like 192.168.1.XXX)
  3. Saved with description "HAProxy Frontend Virtual IP"
  4. Opened port 443 in the Firewall, specifying access to 192.168.1.XXX
  5. Services --> HAProxy. Here I duplicated my front end, and under "Listen Address" I changed from "WAN" to 192.168.1.XXX (HAProxy Frontend Virtual IP)

Now I can access my server via a Tor connection (or any other external client) without issue.

I still don't understand exactly what was happening before and what is happening now. I assume there was some conflict since HAProxy was listening on the same address as pfSense (my WAN IP address).