I have a working SSL Termination with STunnel in front of HAproxy.
Recently, the matter of adding support for HTTP/2 was thrown my way.
That is easy with HAProxy, but, as a constraint, STunnel must stay.
The reason for STunnel needing to stay is about 17000 lines of SNIs and the possibility of managing those via an already in place API.
I could very well add a cert-list for HAProxy containing the SNIs, a couple of greps and echos will do the trick.
However, during my searches I haven't yet found anyone putting HAProxy in front of STunnel in front of HAProxy. Is that the wrong approach?
Here's what I already started working on (no SNIs in there yet – 17000 of them would be a bit too much for a post):
HAProxy frontend (where I need to add HTTP/2 support) with encryption towards STunnel:
listen frontend
    # Public side. As posted, the bind carries no 'ssl crt ...', so this
    # listener accepts plain HTTP; TLS (and so any ALPN/h2 negotiation
    # with the client) is left to stunnel behind it.
    bind 192.168.1.100:443 transparent
    mode http
    # Re-encrypt towards stunnel. 'verify none' skips checking stunnel's
    # certificate, which is only defensible because this hop stays on loopback.
    server stunnel 127.0.0.100:443 ssl verify none
STunnel
[STunnel]
; Certificate (and chain) presented to clients; the key is expected in the
; same file unless a separate 'key =' is given.
cert = /etc/ssl/certs/cert.pem
; The cipher list must be one single line in the real file.
ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
; Listen on the loopback alias the HAProxy frontend connects to, and hand the
; decrypted stream to the HAProxy "backend" listener on port 80.
accept = 127.0.0.100:443
connect = 127.0.0.100:80
; Resolve the 'connect' address per connection instead of at startup.
delay = yes
; With SSLv3, TLS 1.0, 1.1 and also 1.3 disabled, only TLS 1.2 remains;
; be aware that the NO_TLSv1.3 line is what removes 1.3, not a legacy version.
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
options = NO_TLSv1.3
options = CIPHER_SERVER_PREFERENCE
options = DONT_INSERT_EMPTY_FRAGMENTS
; Refuse client-initiated renegotiation.
renegotiation = no
; Prepend a PROXY protocol v1 line with the real client address to the
; plaintext stream; this is what HAProxy's accept-proxy / expect-proxy read.
protocol = proxy
; Source address for the connection towards HAProxy (matches its src ACL).
local = 127.0.0.100
; Do not wait for the peer's close_notify before closing.
TIMEOUTclose = 0
HAProxy "backend"
listen Web
    # 'accept-proxy' on the bind makes the PROXY header mandatory from every
    # peer, which already covers the conditional rule below; keep one or the other.
    bind 127.0.0.100:80 transparent accept-proxy
    mode http
    balance leastconn
    # Only stunnel (connecting from its 'local' address) may assert a client
    # address via the PROXY protocol. The ACL name must match the name used in
    # the rule, otherwise HAProxy refuses to start.
    acl STunnel src 127.0.0.100
    tcp-request connection expect-proxy layer4 if STunnel
    option http-keep-alive
    timeout http-request 5s
    timeout tunnel 1h
    option redispatch
    option abortonclose
    maxconn 40000
    option httplog
    server server1 192.168.1.98:80 check
    server server2 192.168.1.99:80 check
I assumed encryption is required from HAProxy to STunnel, and I would need to account for any protocol mismatches between those.
What would the STunnel version of HAProxy's tcp-request connection expect-proxy layer4 if STunnel be?
Any help in getting HTTP/2 support with STunnel is greatly appreciated, as well as getting a "Don't do that, it's wrong".
Thank you,
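The stunnel `protocol = proxy` line and the HAProxy `accept-proxy` / `expect-proxy layer4 if <acl>` lines in the question exchange a PROXY protocol v1 header: a single ASCII line, `PROXY TCP4 <client ip> <server ip> <client port> <server port>\r\n`, at most 107 bytes including the CRLF, prepended to the decrypted stream. The following is an added example (not code from the question or from HAProxy/stunnel) that builds the line stunnel would send, parses it the way a receiver does, and models the `src` ACL from the question: a PROXY header is only honoured when the peer is the trusted stunnel address. The function names, the sample client address 203.0.113.7:51234, the sample request and the `trusted_peers` set are constructed for this example.

```python
import ipaddress
from typing import Optional, Set, Tuple

# From the PROXY protocol spec: a v1 line, CRLF included, is never longer
# than 107 bytes, so a receiver must not scan further for the terminator.
MAX_V1_HEADER = 107


def build_proxy_v1(src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> bytes:
    """Build the v1 line stunnel's 'protocol = proxy' prepends to the plaintext:
    the original client address, then the address the client connected to."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination must share an address family")
    for port in (src_port, dst_port):
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    family = "TCP4" if src.version == 4 else "TCP6"
    return f"PROXY {family} {src} {dst} {src_port} {dst_port}\r\n".encode("ascii")


def parse_proxy_v1(data: bytes) -> Tuple[dict, bytes]:
    """Parse a v1 header as a receiver with accept-proxy / expect-proxy would.
    Returns (header fields, remaining application bytes); raises ValueError on
    anything malformed, which a receiver treats as a protocol error and drops."""
    if not data.startswith(b"PROXY "):
        raise ValueError("missing PROXY signature")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("header not CRLF-terminated within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")  # UnicodeDecodeError is a ValueError
    rest = data[end + 2:]
    if len(fields) == 2 and fields[1] == "UNKNOWN":
        # Sender could not determine the client; receiver keeps the TCP peer address.
        return {"family": "UNKNOWN"}, rest
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}")
    _, family, src, dst, src_port, dst_port = fields
    version = {"TCP4": 4, "TCP6": 6}.get(family)
    if version is None:
        raise ValueError(f"unknown family {family!r}")
    src_a, dst_a = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_a.version != version or dst_a.version != version:
        raise ValueError("address does not match the declared family")
    ports = []
    for p in (src_port, dst_port):
        if not p.isdigit() or not 0 <= int(p) <= 65535:
            raise ValueError(f"bad port {p!r}")
        ports.append(int(p))
    return {"family": family, "src": str(src_a), "dst": str(dst_a),
            "src_port": ports[0], "dst_port": ports[1]}, rest


def is_valid_proxy_v1(data: bytes) -> bool:
    """Convenience predicate: does the stream start with a well-formed v1 header?"""
    try:
        parse_proxy_v1(data)
        return True
    except ValueError:
        return False


def effective_client(data: bytes, peer_ip: str,
                     trusted_peers: Set[str]) -> Tuple[str, Optional[int], bytes]:
    """Model 'tcp-request connection expect-proxy layer4 if <src acl>': only a
    peer on the trusted list (stunnel's 'local' address in the question) may
    assert a client address. Any other peer is taken at face value, and a PROXY
    line it sends is just the first bytes of its request, never address data."""
    if peer_ip in trusted_peers:
        hdr, rest = parse_proxy_v1(data)
        if hdr["family"] == "UNKNOWN":
            return peer_ip, None, rest
        return hdr["src"], hdr["src_port"], rest
    return peer_ip, None, data


# Constructed sample: what stunnel would emit for a client 203.0.113.7:51234
# that reached 192.168.1.100:443, followed by the client's decrypted request.
SAMPLE_REQUEST = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
SAMPLE_STREAM = build_proxy_v1("203.0.113.7", 51234, "192.168.1.100", 443) + SAMPLE_REQUEST
STUNNEL_LOCAL = {"127.0.0.100"}  # the address on the question's 'acl ... src' line

if __name__ == "__main__":
    print(effective_client(SAMPLE_STREAM, "127.0.0.100", STUNNEL_LOCAL))  # client address recovered
    print(effective_client(SAMPLE_STREAM, "10.0.0.5", STUNNEL_LOCAL))     # header not trusted
```

The distinction the last function makes is the one between the two HAProxy spellings in the question: `accept-proxy` on the `bind` line demands the header from every peer, while `expect-proxy layer4 if STunnel` demands it only from peers matching the ACL. Whichever form is used, the port must not be reachable by anything other than stunnel, because whoever can send that first line chooses the client address that ends up in HAProxy's logs and ACLs.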
Best Answer
haproxy can only see the (HTTP/2 protocol) data if it has the certificates to decrypt the SSL. That means haproxy needs the same certificates available as stunnel. If this would work in some way, this would mean decrypting it for haproxy and encrypting it again for stunnel, to let it decrypt again.