net/haproxy: site redirects fails with ERR_HTTP2_SERVER_REFUSED_STREAM with LibreSSL #2013
Comments
|
Found another one of my sites not working, all the log tells me is:
I just tried disabling HTTP/2 on HAProxy and I get further but then constant errors from the sites and messages like ERR_EMPTY_RESPONSE |
|
Can you try to revert and check if the error still persists?
|
Tried it, but it was the same - I restarted the HAProxy service to be sure but no difference. Do I need to reboot the firewall? |
|
It was bumped from 2.0.14 to 20.0.17, but also renamed to haproxy20, @fichtner opnsense-revert will not help here correct? |
|
I have no idea what the issue is, please wait for @fraenki to take a look |
|
A longshot but could it be related to: "honor sort order of all rules, remove special handling of use_[backend|server] options" from here: Take a look at the backend if you are using rules. |
Should I re-update to the latest os-haproxy to check this? I can't see anything regarding sort order. Here's what is set for one of the failing sites which is what was set before upgrading to 20.7.2:
I also spotted this at the bottom of each window:
|
|
Looking at your pictures it looks like the PRTG rule isn't used there. So I guess the rules are used in your frontend? Do you still see that error at the bottom if you go "re-update" to latest haproxy plugin? |
Yes
It goes when I upgrade again, and unfortunately does not fix the issue. |
Alright, so in that case I would stay at the updated version and then I would try to move the PRTG rule to the start before the maltrail rule. Do you get any warnings when you "Test syntax"? If it's still not working when prtg is first then at least you know it's not related to sort order. Btw, if all you do in rules are matching hostname to backend I really recommend using map files. |
Moved it, no change - I always run a syntax check, and no errors before I saved ie.
Map Files? |
|
I also notice, that even though I have detailed logging switched on for the front-send, I see nothing for these non-working sites - but I see plenty for the ones that do work. |
Hmmm. I guess you should take a look at the server logs for the backends that are not working in that case. (look at webserverlogs from the server hosting PRTG. Not HAProxy). I guess you could also try creating a new frontend with basic settings on another port, then put the PRTG backend behind that and test. Regarding map files, they make it easier to match many hostnames and backends in a single rule, also map files can be edited on the fly. HAProxy configs can be overwhelming as is, so map files really makes it less cluttered. With map files you only need one rule like: |
|
Yeah I've looked at the backend logs for PRTG and there's no sign of anything there, but if I'm not seeing even an attempt logged by HAProxy why would there be? Nothing on the firewall is showing anything. I do however see logging of direct connections to PRTG by my local desktop client, so the web service itself is working. Thanks, I'll consider the maps once this issue is fixed. |
|
More info. Was using the PRTG test tool to perform some raw HTTP calls when I noticed that following a restart of the HAProxy service, one connection to the server works, but then all subsequent attempts fail. l used the same command as my browser was trying to send which is the only thing logged by HAProxy:
|
|
@Taomyn Please paste your full haproxy.conf (as text, not as screenshot). When cloaking sensitive information, please don't modify the syntax so that we still have a valid test config. |
|
@fraenki as requested https://pastebin.com/j44jVMw7 |
|
Seems a couple more of my site redirects are experiencing the same issue. I'm hoping this is simply some poor configuration settings I've made over the years, |
Taomyn
changed the title
|
I just noticed while trying to narrow down a few parameters that if the HAProxy service is restarted after a change and I quickly attempt a connection, it will give me a partial page mostly badly formatted, but then a refresh and I'm back with the refusal error. The HAProxy log does show some extra connections: |
|
You may already know it, but we discovered that the problem disappears after switching the box to the OpenSSL flavour. It might be LibreSSL-related. |
No, I had no idea but wow, it's almost like LibreSSL is trying to force me to switch to OpenSSL - I was considering it a week or so ago in order to get support for server TLS1.3 I'll see when I get home if I have time to try this out, but any idea if it's something that could get fixed for LibreSSL soon? |
|
I'm having the same issue, I just finished switching over to openssl and I'm going to test. In my case, most of my services were working, it was opnsense I couldn't reach. My default webgui port is 8443 and I use haproxy to serve opnsense based on hostname rules. I was getting Update/reboot is finished, everything seems to be working as expected so far. |
|
Thanks @actual-nsnow - I still have not had the time to switch my installation back to OpenSSL, hopefully this week, but I'm now wondering if it's also the cause of a mysterious issue I also have with the Let's Encrypt plug-in that also started when I upgraded to 20.7.x |
|
I finally got around to switching from LibreSSL to OpenSSL then rebooted for good measure, and can report that from internal all the sites that were failing to work are now all fine again. I did first try upgrading to 20.7.3 but that itself made no difference. |
|
I am having the same issue. System: OPNsense 20.7-amd64FreeBSD 12.1-RELEASE-p7-HBSDLibreSSL 3.0.2 Once I upgrade to 20.7.3 my HAProxy redirects stop working. EDIT:
I also noticed the same behaviour. After restarting HAProxy I can connect to my services for about 5 seconds, but then the connections are refused again. |
|
So I recommend switching to the OpenSSL flavour if you hit this issue. There's nothing else I can do about it. |
|
I will just stick with 20.7 until the issue is resolved. |
|
HAProxy 2.0.18 was released today and contains minor SSL fixes, not sure if this will improve the situation with LibreSSL: |
|
https://opnsense.org/opnsense-20-7-4-released/ Did anyone test if OPNsense 20.7.4 with the latest HAProxy solves the issue? |
fraenki
changed the title
|
I managed to take that machine off for a few hours. Here are the errors from a syntax test. I think it is clearly due to the fact that LibreSSL variant of OPNsense still doesn't support TLS v1.3 but the latest version of HAProxy does and makes use of it or at least tries with LibreSSL. I also found this forum post with an approximate ETA for the LibreSSL variant of OPNsense with support for TLS v1.3. |
|
LibreSSL 3.2 has TLSv1.3 support but not the OpenSSL 1.1.1 API parts which might make upstream assume it's not working/refrain from implementing it (properly). So far LibreSSL 3.2 has some minor quirks to sort out in a subsequent stable release for them as well before we can move OPNsense to this version (likely in 1.5 months in preparation for 21.1). So currently we have 3 moving targets/parties involved and this will not resolve instantly for this reason. :) |
|
Rebuilding a opnsense box on the latest version and imported my haproxy config. It fails to start. I'm also getting the issue that @browne-net reported. Changing from LibreSSL to OpenSSL appears to fix it. |
|
Some additional logging that was a warning on the dashboard. |
|
Did someone test if the bug is resolved on OPNsense 21.1-RC1 which just got released? I am currently unable to take my machine offline for testing. |
|
Landed here while upgrading to 21.1, so the problem still exists. |
|
There was a larger drop of compatibility fixes in OpenBSD 6.8 but no LibreSSL 3.2.4 in sight... https://ftp.openbsd.org/pub/OpenBSD/patches/6.8/common/013_libressl.patch.sig |
|
This issue has been automatically timed-out (after 180 days of inactivity). For more information about the policies for this repository, If someone wants to step up and work on this issue, |
|
The last update had some haproxy changes, but I haven't tested if LibreSSL works or not. Still and issue? We should keep this open if it is. |
|
We have no resources to track cross-upstream issues between LibreSSL and HAProxy. So either we close or we keep it open forever. The result is the same so we might as well close it. |
|
Understandable - but if anyone does test this and verify it works, please post. Would be great to be notified so I can return to LibreSSL. :) |
|
I just tried it and LibreSSL is still not working with HAProxy. |
I've added a workaround, so the incompatible "ciphersuites" options will be ignored when LibreSSL is used. It will not solve other compatibility issues with LibreSSL, but HAProxy should startup again: The upcoming os-haproxy 3.2 will include this workaround, but don't be too optimistic for fixes beyond this, it's an upstream issue as already stated. You'll most likely have to make other configuration changes like replacing incompatible ciphers, disabling HTTP/2 and/or TLSv1.3 when using LibreSSL. |
Describe the bug
Since upgrading OPNsense to v20.7.2 many of my HAProxy site redirects fails with "ERR_HTTP2_SERVER_REFUSED_STREAM" when I try to access it - they all seem to be SSL backend servers.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
Normal access to site
Relevant log files
Cannot find anything logged on the issue
Additional context
The site in question is my PRTG instance, running on HTTPS port 8081 - if I directly connect to this it works fine, as does the PRTG desktop app that connects directly on my PC. However the PRTG app on my phone which uses the HAProxy redirect has the same connection problem.
The settings does include enabling HTTP2 but I tried disabling this and the same thing occurs.
Environment
OPNsense 20.7.2-amd64
FreeBSD 12.1-RELEASE-p8-HBSD
LibreSSL 3.1.4
os-haproxy (installed) 2.24
The text was updated successfully, but these errors were encountered: