
I have a working SSL Termination with STunnel in front of HAproxy.

Recently, the matter of adding support for HTTP/2 was thrown my way. That is easy with HAProxy, but, as a constraint, STunnel must stay.

The reason for STunnel needing to stay is about 17000 lines of SNIs and the possibility of managing those via an already in place API.

I could very well add a cert-list for HAProxy containing the SNIs, a couple of greps and echos will do the trick.

However, during my searches I haven't yet found anyone putting HAProxy in front of STunnel in front of HAProxy. Is that the wrong approach?

Here's what I already started working on (no SNIs in there yet - 17000 of them would be a bit too much for a post):

HAProxy frontend (where I need to add HTTP/2 support) with encryption towards STunnel:

    listen frontend
        bind 192.168.1.100:443 transparent
        mode http
        server stunnel 127.0.0.100:443 ssl verify none

STunnel

    [STunnel]
        cert = /etc/ssl/certs/cert.pem
        ciphers = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
        accept = 127.0.0.100:443
        connect = 127.0.0.100:80
        delay = yes
        options = NO_SSLv3
        options = NO_TLSv1
        options = NO_TLSv1.1
        options = NO_TLSv1.3
        options = CIPHER_SERVER_PREFERENCE
        options = DONT_INSERT_EMPTY_FRAGMENTS
        renegotiation = no
        protocol = proxy
        local = 127.0.0.100
        TIMEOUTclose = 0

HAProxy "backend"

    listen Web
        # accept-proxy already makes this bind require the PROXY header that
        # stunnel's "protocol = proxy" sends, so the expect-proxy rule below is redundant
        bind 127.0.0.100:80 transparent accept-proxy
        mode http
        balance leastconn
        # the ACL must carry the name the rule references ("STunnel"); it was declared as SSL-443
        acl STunnel src 127.0.0.100
        tcp-request connection expect-proxy layer4 if STunnel
        option http-keep-alive
        timeout http-request 5s
        timeout tunnel 1h
        option redispatch
        option abortonclose
        maxconn 40000
        option httplog
        server server1 192.168.1.98:80  check
        server server2 192.168.1.99:80  check

I assumed encryption is required from HAProxy to STunnel, and I would need to account for any protocol mismatches between those.

What would the STunnel version of HAProxy's tcp-request connection expect-proxy layer4 if STunnel be?

Any help in getting HTTP/2 support with STunnel is greatly appreciated, as well as getting a "Don't do that, it's wrong".

Thank you,

Ai N.
  • I assume haproxy needs the SNIs (certificates) anyway, because it has to handle the contact to the client. How should this be done without the certificates? – Marco May 07 '22 at 09:43
  • If haproxy does not have the certificates, it can not see the content of the request and can not talk HTTP/2 with the client. You want to put the data unchanged to stunnel, but this means stunnel has to do HTTP/2 and you are at the beginning. Summary: will only work if haproxy has the certificates to decrypt ssl and encrypt it again to send it to stunnel. Could work, but might lead into a performance problem. – Marco May 07 '22 at 09:50
  • @Marco that was my thought as well. And it's not like I can use a wildcard or a dummy cert because of the SNIs that need to be in the "front"-frontend. Was hoping I could do a passthrough-offload hybrid config. Either way, I am now moving everything to HAProxy and doing the cert-list and updating it dynamically using this [link](https://www.haproxy.com/blog/dynamic-ssl-certificate-storage-in-haproxy/) – Ai N. May 07 '22 at 14:32
  • I would throw away stunnel and only use haproxy. Certificate handling in haproxy is quite easy, just put them all in one directory. haproxy finds the one to use by itself. But I don't have 17000 in my environment. I think newer versions of haproxy detect changes and reload itself. Best, test it on a different port in parallel to your stunnel config. – Marco May 07 '22 at 14:38
  • @Marco I decided to shift it all to HAProxy, it makes sense (plus, I know of a few versions where STunnel segfaulted). Can you please post your comment as an answer so I can accept it? Thank you very much. – Ai N. May 09 '22 at 19:53


haproxy can only see the (HTTP/2 protocol) data if it has the certificates to decrypt the ssl. This means haproxy needs the same certificates available as stunnel.

If this would work in some way, it would mean decrypting it for haproxy and encrypting it again for stunnel, to let it decrypt again.

Marco
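Marco's point put into configuration, as an added example that is not part of the original question or answer: HAProxy terminates TLS itself, holds the certificates through a crt-list (the approach the asker moved to), and negotiates HTTP/2 with the client over ALPN while still talking HTTP/1.1 to the backend servers. The addresses are the ones from the question; the file paths, cipher list and timeouts are assumptions.

```haproxy
# Added example, not the asker's or Marco's configuration. HAProxy 1.8 or newer
# is needed for h2 on a frontend (2.x recommended); OpenSSL must support ALPN.
global
    # h2 requires TLS 1.2 or newer and AEAD ciphers; this list is an assumption
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    tune.ssl.default-dh-param 2048

defaults
    mode http
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s
    timeout http-request 5s

frontend https_in
    # crt-list: one "<pem path> [<sni filter> ...]" per line, e.g. (constructed):
    #   /etc/ssl/certs/example-a.pem example-a.test
    #   /etc/ssl/certs/example-b.pem example-b.test *.example-b.test
    # The file is what the existing SNI API would generate (path is an assumption).
    # alpn lists h2 first so clients that support it negotiate HTTP/2; all
    # others fall back to HTTP/1.1 on the same bind.
    bind 192.168.1.100:443 ssl crt-list /etc/haproxy/crt-list.txt alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    default_backend web

backend web
    balance leastconn
    option redispatch
    option abortonclose
    # backends keep speaking HTTP/1.1; HAProxy multiplexes h2 streams onto them
    server server1 192.168.1.98:80 check
    server server2 192.168.1.99:80 check
```

Validate with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading, and confirm negotiation from a client with `openssl s_client -connect 192.168.1.100:443 -servername example-a.test -alpn h2`, which reports `ALPN protocol: h2` when HTTP/2 was selected. Because HAProxy now holds the keys, the stunnel hop and its second TLS handshake (the performance cost Marco mentions) disappear entirely.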