HAProxy and Stunnel with SNIs – Is It Possible?

Tags: haproxy, http2, stunnel

I have a working SSL Termination with STunnel in front of HAproxy.

Recently, the matter of adding support for HTTP/2 was thrown my way.
That is easy with HAProxy, but, as a constraint, STunnel must stay.

The reason for STunnel needing to stay is about 17000 lines of SNIs and the possibility of managing those via an already in place API.

I could very well add a cert-list for HAProxy containing the SNIs; a couple of greps and echos will do the trick.

However, during my searches I haven't yet found anyone putting HAProxy in front of STunnel in front of HAProxy. Is that the wrong approach?

Here's what I already started working on (no SNIs in there yet – 17000 of them would be a bit too much for a post):

HAProxy frontend (where I need to add HTTP/2 support) with encryption towards STunnel:

listen frontend
    bind 192.168.1.100:443 transparent
    mode http
    server stunnel 127.0.0.100:443 ssl verify none

STunnel

[STunnel]
    cert = /etc/ssl/certs/cert.pem
    ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
    accept = 127.0.0.100:443
    connect = 127.0.0.100:80
    delay = yes
    options = NO_SSLv3
    options = NO_TLSv1
    options = NO_TLSv1.1
    options = NO_TLSv1.3
    options = CIPHER_SERVER_PREFERENCE
    options = DONT_INSERT_EMPTY_FRAGMENTS
    renegotiation = no
    protocol = proxy
    local = 127.0.0.100
    TIMEOUTclose = 0

HAProxy "backend"

listen Web
    # accept-proxy already makes the PROXY header mandatory on every connection;
    # the expect-proxy rule below only adds a source restriction on top of that
    bind 127.0.0.100:80 transparent accept-proxy
    mode http
    balance leastconn
    # the ACL must carry the name the rule refers to (was "SSL-443" vs "STunnel")
    acl STunnel src 127.0.0.100
    tcp-request connection expect-proxy layer4 if STunnel
    option http-keep-alive
    timeout http-request 5s
    timeout tunnel 1h
    option redispatch
    option abortonclose
    maxconn 40000
    option httplog
    server server1 192.168.1.98:80  check
    server server2 192.168.1.99:80  check

I assumed encryption is required from HAProxy to STunnel, and I would need to account for any protocol mismatches between those.

What would the STunnel version of HAProxy's `tcp-request connection expect-proxy layer4 if STunnel` be?

Any help in getting HTTP/2 support with STunnel is greatly appreciated, as well as getting a "Don't do that, it's wrong".

Thank you,

Best Answer

haproxy can only see the (HTTP/2 protocol) data if it has the certificates to decrypt the SSL. That means haproxy needs the same certificates available as stunnel.

If this would work in some way, it would mean decrypting it for haproxy and encrypting it again for stunnel, to let it decrypt it again.
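As an added example (not code from the question or the answer), the following script does the "couple of greps and echos" the question mentions: it turns the SNI service sections of an stunnel.conf into an HAProxy crt-list, which is how HAProxy gets the same certificates stunnel has, the precondition the answer names for HAProxy seeing HTTP/2 at all. It assumes stunnel's `sni = <parent service>:<server name>` child-service syntax with one `cert` per service; the sample configuration, its file names and host names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the question or the answer): build an HAProxy
# crt-list from the SNI service sections of an stunnel.conf, so HAProxy can
# terminate TLS itself (and negotiate HTTP/2) with the certificates stunnel uses.

# Constructed sample stunnel.conf; paths and host names are made up.
SAMPLE_STUNNEL_CONF='[https]
cert = /etc/ssl/certs/default.pem
accept = 443
connect = 80

; SNI children: "sni = <parent service>:<server name>", each with its own cert
[site-a]
sni = https:a.example.com
cert = /etc/ssl/certs/a.pem
connect = 80

; same certificate file as site-a: both names end up on one crt-list line
[site-a-www]
sni = https:www.a.example.com
cert = /etc/ssl/certs/a.pem
connect = 80

[site-b]
sni = https:b.example.net
cert = /etc/ssl/certs/b.pem
connect = 80
'

# stunnel_to_crtlist: read stunnel.conf on stdin, write crt-list lines on stdout.
# crt-list line format: "<cert path> [<sni filter> ...]".  HAProxy uses the
# first entry as the default certificate, so parent (non-SNI) services go first.
stunnel_to_crtlist() {
    awk '
    { sub(/[ \t]*[;#].*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
    $0 == "" { next }
    /^\[.*\]$/ { sect = substr($0, 2, length($0) - 2); order[++n] = sect; next }
    sect == "" { next }                                         # global options
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = tolower(substr($0, 1, eq - 1)); val = substr($0, eq + 1)
        gsub(/[ \t]+$/, "", key); gsub(/^[ \t]+/, "", val)
        if (key == "cert") cert[sect] = val
        else if (key == "sni") { split(val, p, ":"); host[sect] = p[2] }
    }
    END {
        # 1) default certificate(s): sections carrying a cert but no sni
        for (i = 1; i <= n; i++) {
            s = order[i]
            if ((s in cert) && !(s in host)) print cert[s]
        }
        # 2) one line per certificate file listing every SNI name that uses it,
        #    in order of first appearance so the output is stable
        for (i = 1; i <= n; i++) {
            s = order[i]
            if (!(s in cert) || !(s in host)) continue
            if (!(cert[s] in names)) files[++m] = cert[s]
            names[cert[s]] = names[cert[s]] " " host[s]
        }
        for (j = 1; j <= m; j++) print files[j] names[files[j]]
    }'
}

# Worked run over the constructed sample.
demo_crtlist() {
    printf '%s\n' "$SAMPLE_STUNNEL_CONF" | stunnel_to_crtlist
}

demo_crtlist
```

With the output saved to a file, the front end terminates TLS itself with a bind line such as `bind 192.168.1.100:443 ssl crt-list /etc/haproxy/crt-list.txt alpn h2,http/1.1` (path assumed), which removes the decrypt, re-encrypt, decrypt-again round trip the answer describes. The script only handles server-side sections: a section with a `cert` but no `sni` becomes a default certificate, so any section that uses `cert` as a client identity (`client = yes`) has to be filtered out before running it, and with 17000 names the awk pass stays a single read of the file.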