net/haproxy: deciphered SNI check not supported in ACL #1365

Closed
ad1rie1 opened this issue Jun 12, 2019 · 4 comments
@ad1rie1

ad1rie1 commented Jun 12, 2019

Hello,
The SNI-based ACL does not work as expected: HAProxy does not read, or ignores, the SNI value.

Let me explain :) :

My client requests a web page over HTTPS from HAProxy; in this request the SNI field is OK and set to the server name:
[image]

In my HAProxy settings, I have two conditions defined:
[image]

In this condition I check the name of the server in the SNI field:
[image]

But the condition is never triggered.

If I negate the condition, it works fine and the reverse proxy works.

Why does this condition not work? How can I fix it?

Version:
OPNsense 19.1.9-amd64
FreeBSD 11.2-RELEASE-p10-HBSD
OpenSSL 1.0.2s 28 May 2019

Extension:
Name | HAProxy
Version | 1.8.20
Release_date | 2019/04/25

Dear,

@ad1rie1
Author

ad1rie1 commented Jun 12, 2019

The error in the web page is:
[image]

In the log I have this:

Jun 12 13:02:45 haproxy[13722]: 10.242.2.21:16103 [12/Jun/2019:13:02:45.402] Serveur_HTTPS~ Serveur_HTTPS/ -1/-1/-1/-1/0 503 212 - - SC-- 2/2/0/0/0 0/0 "GET / HTTP/1.1"

@ad1rie1
Author

ad1rie1 commented Jun 12, 2019

I have found a problem similar to mine here:
https://discourse.haproxy.org/t/ssl-certificate-verify-on-specific-domain-with-sni/1635

@ad1rie1
Author

ad1rie1 commented Jun 12, 2019

When I edit the file haproxy.conf in /usr/local/etc/haproxy.conf, this is the configuration autogenerated by OPNsense, which is not working:
# ACL: LORA SNI
acl acl_5d00ecdce705f2.67510393 req.ssl_sni -m sub -i lora.versailles.fr
# ACL: SUPERVISION SNI
acl acl_5d00ed9601afc7.32643278 req.ssl_sni -m sub -i belier.versailles.fr

This is the modification that makes HAProxy work, tested:
# ACL: LORA SNI
acl acl_5d00ecdce705f2.67510393 ssl_fc_sni lora.versailles.fr
# ACL: SUPERVISION SNI
acl acl_5d00ed9601afc7.32643278 ssl_fc_sni belier.versailles.fr

@fraenki
Member

fraenki commented Jul 14, 2019

@ad1rie1 Thanks for your report.

So the essence of all this information is:

  • req.ssl_sni should be used for TCP content inspection, when the SSL connection is NOT locally deciphered
  • ssl_fc_sni should be used for SSL connections that are locally deciphered by HAProxy

I've added a new condition "SNI TLS extension matches (locally deciphered)" to support the latter. Furthermore I've improved the wording on the existing options to highlight the difference.

This will be available in the upcoming os-haproxy 2.17.
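The distinction above, shown as two alternative HAProxy frontends (an added example, not from the issue or the os-haproxy plugin; backend addresses, certificate path and ACL names are assumed, only the two hostnames come from the report):

```haproxy
# Case 1: TCP passthrough. TLS is NOT terminated here, so only the raw
# ClientHello is visible; req.ssl_sni reads the SNI out of it, but only
# after content inspection has buffered the ClientHello.
frontend tls_passthrough
    mode tcp
    bind *:443
    # Wait (at most 5s) for the ClientHello before evaluating req.ssl_sni;
    # without this the fetch is empty and the ACL never matches.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Exact, case-insensitive match (-m str is the default). The plugin's
    # "-m sub" would also match any SNI that merely contains the string.
    acl is_lora   req.ssl_sni -i lora.versailles.fr
    acl is_belier req.ssl_sni -i belier.versailles.fr
    # Drop anything whose SNI matches neither hostname.
    tcp-request content reject if !is_lora !is_belier
    use_backend bk_lora_tcp   if is_lora
    use_backend bk_belier_tcp if is_belier

# Case 2: TLS terminated by HAProxy ("locally deciphered"). The SSL layer
# consumes the handshake, so req.ssl_sni sees nothing; ssl_fc_sni returns
# the SNI of the front connection instead. This is the OPNsense setup
# from the report (bind with "ssl crt").
frontend https_terminated
    mode http
    bind *:443 ssl crt /usr/local/etc/haproxy/certs/   # path assumed
    acl is_lora   ssl_fc_sni -i lora.versailles.fr
    acl is_belier ssl_fc_sni -i belier.versailles.fr
    http-request deny if !is_lora !is_belier
    use_backend bk_lora   if is_lora
    use_backend bk_belier if is_belier

# Backends with placeholder addresses (assumed, not from the issue).
backend bk_lora_tcp
    mode tcp
    server lora 192.0.2.10:443
backend bk_belier_tcp
    mode tcp
    server belier 192.0.2.11:443
backend bk_lora
    mode http
    server lora 192.0.2.10:80
backend bk_belier
    mode http
    server belier 192.0.2.11:80
```

The two frontends both bind :443 to make the contrast obvious; in a real instance you would use one or the other. Without a matching server the request ends as in the log above (no backend server, 503 with SC-- flags), which is the symptom to look for when the wrong fetch is used.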

@fraenki fraenki closed this as completed Jul 14, 2019
@fraenki fraenki changed the title SNI based ACL not working HAPROXY net/haproxy: deciphered SNI check not supported in ACL Jul 14, 2019