SharePoint – HAProxy Reverse-Proxy SSL Issue

Tags: debian-stretch, haproxy, reverse-proxy, sharepoint, ssl

UPDATE BELOW

________________

I decided to use HAProxy as reverse-proxy for SharePoint sites and without SSL everything works fine, but with SSL I can't start haproxy.service.
I have tried many configurations, but I can't figure it out…

Trying to start service:

$ sudo systemctl start haproxy.service
Job for haproxy.service failed because the control process exited with error code.
See "systemctl status haproxy.service" and "journalctl -xe" for details.

Status of the haproxy.service:

$ sudo systemctl status haproxy.service
     haproxy.service - HAProxy Load Balancer
       Loaded: loaded (/lib/systemd/system/haproxy.service; enabled; vendor preset: enabled)
       Active: failed (Result: exit-code) since date CEST;
         Docs: man:haproxy(1)
               file:/usr/share/doc/haproxy/configuration.txt.gz
      Process: ExecStart=/usr/sbin/haproxy-systemd-wrapper -f $CONFIG -p $PIDFILE $EXTRAOPTS (code=exited, status=0/SUCCESS)
      Process: ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS (code=exited, status=1/FAILURE)
     Main PID: (code=exited, status=0/SUCCESS)
 systemd[1]: haproxy.service: Failed with result 'exit-code'.
 systemd[1]: haproxy.service: Service hold-off time over, scheduling restart.
 systemd[1]: Stopped HAProxy Load Balancer.
 systemd[1]: haproxy.service: Start request repeated too quickly.
 systemd[1]: Failed to start HAProxy Load Balancer.
 systemd[1]: haproxy.service: Unit entered failed state.
 systemd[1]: haproxy.service: Failed with result 'exit-code'.
 systemd[1]: haproxy.service: Start request repeated too quickly.
 systemd[1]: Failed to start HAProxy Load Balancer.
 systemd[1]: haproxy.service: Failed with result 'exit-code'.

Checking configuration file issues:

$ sudo haproxy -c -f haproxy.cfg
    Enter PEM pass phrase:
    [ALERT]: parsing [haproxy.cfg:31] : 'bind *:443' : unable to load SSL private key from PEM file './cert.pem'.
    [ALERT]: Error(s) found in configuration file : haproxy.cfg
    [ALERT]: Proxy 'http_id': no SSL certificate specified for bind '*:443' at [haproxy.cfg:31] (use 'crt').    
    [ALERT]: Fatal errors found in configuration.

HAProxy -vv:

$ sudo haproxy -vv
HA-Proxy version 1.7.5-2

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.1.0e
Running on OpenSSL version : OpenSSL 1.1.0f
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.39
Running on PCRE version : 8.39
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with Lua version : Lua 5.3.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with network namespace support

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
        [COMP] compression
        [TRACE] trace
        [SPOE] spoe

Logs:

 haproxy: [ALERT]: parsing [/etc/haproxy/haproxy.cfg:31] : 'bind *:443' : unable to load SSL certificate file './cert.pem' file does not exist.
 haproxy: [ALERT]: Error(s) found in configuration file : /etc/haproxy/.cfg
 haproxy: [ALERT]: Proxy 'http_id': no SSL certificate specified for bind '*:443' at [/etc/haproxy/haproxy.cfg:31] (use 'crt').
 haproxy: [ALERT]: Fatal errors found in configuration.

I'm using the same certificate (but split into separate certificate, key and chain files) for nginx on another server and it works.
I created this one for HAProxy with the command cat cert.crt priv.key certchain.crt > cert.pem and I tried different orders, but the error is the same. Also, with the command haproxy -c -f haproxy.cfg the server asks for a pass phrase, so I think the certificate is okay (maybe I'm wrong) and something is wrong with the configuration file.
Thank you for your time and help.

My haproxy.cfg:

    global
        tune.ssl.default-dh-param 2048
        maxconn 4096
        user haproxy
        group haproxy
        daemon
        #ssl-server-verify none

    defaults
        mode http
        option forwardfor
        log 127.0.0.1 local0 notice
        maxconn 2000
        option httplog
        option dontlognull
        timeout connect 5000
        timeout client 50000
        timeout server 50000

    backend sharepoint
        mode http
        #balance roundrobin
        option redispatch
        cookie SERVERID insert nocache
        server spsrv xxx.xxx.xxx.xxx:80

    frontend http_id
        #bind *:80
        bind *:443 ssl crt ./cert.pem
        mode http
        reqadd X-Forwarded-Proto:\ https
        acl hosts_sharepoint hdr_end(host) -i intranet.sharepoint.com:443
        use_backend sharepoint if hosts_sharepoint
        default_backend sharepoint

FIRST UPDATE

I tried with pass-through and now SharePoint is asking for credentials (after disabling IIS role) on port 80 and then SharePoint is redirecting to https with error "504 Gateway Time-out". This is my current haproxy.cfg:

global
    maxconn 4096
    user haproxy
    group haproxy
    daemon
defaults
    mode tcp
    log 127.0.0.1 local0 notice
    maxconn 2000
    option tcplog
    option dontlognull
    timeout connect 20s
    timeout client 10m
    timeout server 10m
frontend httpid
    mode tcp
    bind *:443
    acl hosts_sharepoint hdr_end(host) -i intranet.sharepoint.com
    use_backend sharepoint if hosts_sharepoint
    default_backend sharepoint
backend sharepoint
    mode tcp
    balance roundrobin
    option redispatch
    cookie SERVERID insert indirect nocache
    server st1 xxx.xxx.xxx.xxx:443
    option ssl-hello-chk

Also, this command:

$ curl xxx.xxx.xxx.xxx:80 --header 'Host: sharepoint.intranet.com' -vv

returns 401, so the connection is working, but the same command with port 443:

$ curl xxx.xxx.xxx.xxx:443 --header 'Host: sharepoint.intranet.com' -vv

returns curl: (56) Recv failure: Connection reset by peer.
Is my configuration file correct? Or maybe I need to configure IIS?

SECOND UPDATE

After restarting the SharePoint server, this configuration is working with pass-through:

global
    maxconn 4096
    user haproxy
    group haproxy
    daemon
defaults
    mode tcp
    log 127.0.0.1 local0 notice
    maxconn 2000
    option tcplog
    option dontlognull
    timeout connect 20s
    timeout client 10m
    timeout server 10m
frontend httpid
    mode tcp
    bind *:443
    acl hosts_sharepoint hdr_end(host) -i intranet.sharepoint.com
    use_backend sharepoint if hosts_sharepoint
    default_backend sharepoint
backend sharepoint
    mode tcp
    balance roundrobin
    option redispatch
    cookie SERVERID insert indirect nocache
    server st1 xxx.xxx.xxx.xxx:443
    option ssl-hello-chk

Best Answer

You should avoid using relative paths in config files like ./cert.pem. Please change it to an absolute path like /etc/ssl/cert.pem (adjust to the actual path).

Also, check the cert.pem file itself. It should contain only printable text (not binary) with at least two -----BEGIN CERTIFICATE-----, -----END CERTIFICATE----- blocks (your certificate and a CA from the chain) and a -----BEGIN PRIVATE KEY-----, -----END PRIVATE KEY----- block (or possibly a -----BEGIN RSA PRIVATE KEY-----, -----END RSA PRIVATE KEY----- block).

If there is any binary inside the cert.pem file, you should convert the original files (cert.crt, priv.key) to PEM format and recreate the cert.pem file. The correct order for the concatenation is final cert, key, immediate issuer, next issuer, etc. You can leave out the root CA, as it is considered good practice not to include it (no real need, fewer bytes exchanged).

You may convert from the binary format (aka DER) to a text format (aka PEM) using openssl:

For the certs (input.crt would be the DER file and output.crt would be the new file in PEM format):

openssl x509 -inform DER -in input.crt -out output.crt

For the key (I assume it is an RSA key, which is the most usual) NOTE: it will ask for a (new) password for the output.key, see my comments on this later.

openssl rsa -inform DER -in input.key -out output.key

NOTE: Most servers assume that the key is not ciphered (that is, the line after -----BEGIN PRIVATE KEY----- contains ENCRYPTED). If that is the case and your server still does not start, try converting the key to an unencrypted format (NOTE: in this command, I assume the inputcipher.key file is already in PEM format):

# prompts for the existing pass phrase and writes the key without a cipher
# (openssl rsa has no -nodes option; omitting the cipher flag is what disables encryption)
openssl rsa -in inputcipher.key -out outputclear.key

As for the pass-through with the 504 error, in the later config you are pointing to server st1 xxx.xxx.xxx.xxx:443, whereas in the intercept config you were pointing to server spsrv xxx.xxx.xxx.xxx:80. Please re-check whether your backend is listening on port 80 or on port 443; it seems that there is no backend listening on 443.
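A check for the cert.pem layout the answer describes (printable text rather than DER, at least two CERTIFICATE blocks, exactly one private key that is not pass-phrase protected, an absolute crt path), written here as an added example; it is not from the original post, uses only the Python standard library, and runs on constructed placeholder PEM bodies rather than real key material.

```python
"""Lint a HAProxy combined PEM file (server cert + key + chain) before the
'bind *:443 ssl crt <file>' line points at it. Constructed example, stdlib only."""
import os
import re

# One PEM block: the END label must match the BEGIN label (backreference).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)
CERT = "CERTIFICATE"
KEY_KINDS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

def lint_pem_bundle(crt_path, data):
    """Return a list of problems; an empty list means the bundle looks usable by HAProxy."""
    problems = []
    if not os.path.isabs(crt_path):
        problems.append(f"relative crt path {crt_path!r}: resolved against haproxy's working directory, use an absolute path")
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        # A PEM file is printable text; non-ASCII bytes usually mean a DER (binary) cert or key.
        return problems + ["non-text bytes found: probably DER, convert with 'openssl x509 -inform DER ...'"]
    blocks = PEM_BLOCK.findall(text)          # list of (kind, body) tuples
    kinds = [kind for kind, _ in blocks]
    if not blocks:
        return problems + ["no -----BEGIN/END----- blocks found"]
    if kinds[0] != CERT:
        problems.append("first block should be the server certificate")
    if kinds.count(CERT) < 2:
        problems.append(f"{kinds.count(CERT)} CERTIFICATE block(s): expected the server cert plus at least one issuer")
    keys = [(kind, body) for kind, body in blocks if kind in KEY_KINDS]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    else:
        kind, body = keys[0]
        # PKCS#8 encrypted keys use their own label; legacy PEM keys carry a Proc-Type header.
        if kind == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is pass-phrase protected: haproxy prompts for it and the systemd unit has no terminal to answer")
    return problems

# Constructed sample bundles (placeholder base64, not real certificates or keys).
CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\nMIIEconstructed\n-----END RSA PRIVATE KEY-----\n"
ENC_KEY_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
               "DEK-Info: AES-256-CBC,00112233\n\nMIIEconstructed\n-----END RSA PRIVATE KEY-----\n")
SAMPLE_OK = (CERT_PEM + KEY_PEM + CERT_PEM).encode()             # cert, key, issuer: the order the answer recommends
SAMPLE_ENCRYPTED = (CERT_PEM + ENC_KEY_PEM + CERT_PEM).encode()  # same layout, pass-phrase protected key
SAMPLE_DER = b"\x30\x82\x03\x21\x30\x82\x02\x09"                 # first bytes of a DER-encoded certificate

if __name__ == "__main__":
    for path, blob in [("/etc/haproxy/certs/cert.pem", SAMPLE_OK), ("./cert.pem", SAMPLE_ENCRYPTED), ("/etc/ssl/cert.pem", SAMPLE_DER)]:
        print(path, lint_pem_bundle(path, blob) or "OK")
```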