
I'm using a MikroTik router with SSTP, and I have a Fedora server running httpd with HTTP and HTTPS, but I only have a single IPv4 address from my ISP.

I currently have SSTP working on port 444, but I need to move it to port 443 to bypass the Great Firewall (recently the Chinese government started blocking PPTP so I want to hide fully on port 443).

I have found documents about SNI load balancing for HAProxy, e.g. https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/, but I haven't got it working yet.

Here is my setup (edited 5th July 2018 22:20 CET):

```
frontend main
    mode tcp
    bind 192.168.0.3:443 ssl ca-cert /etc/pki/tls/certs/sstp.crt
    # ssl_fc_sni is the SNI of the TLS session terminated by HAProxy itself
    use_backend sstp if { ssl_fc_sni sstp.mydomain.com }
    use_backend websites if { ssl_fc_sni www.mydomain.com }
    default_backend websites

backend websites
    mode tcp
    balance roundrobin
    server www 127.0.0.1:443 check

backend sstp
    mode tcp
    balance roundrobin
    # the MikroTik router still listens for SSTP on 444
    server router 192.168.0.1:444 ca-cert /etc/pki/tls/certs/sstp.crt
```

After editing the backend to include ca-cert, I can get SSTP to connect when I change the default_backend to sstp.

`haproxy -d` doesn't give me much debug info. I'm not familiar enough with the syntax to get SNI working, but I'm making progress ...

Just tried the exact syntax from the example, and that doesn't work either:

```
frontend main
    mode tcp
    bind 192.168.0.3:443 ssl ca-cert /etc/pki/tls/certs/sstp.crt
    use_backend sstp if { ssl_fc_sni sstp.example.com }
    # req_ssl_sni reads the SNI out of the raw ClientHello instead
    acl application_1 req_ssl_sni -i sstp.example.com
    use_backend sstp if application_1
    default_backend websites
```
banjo67xxx
  • Check the log to see what HAProxy is logging on these connection attempts. I suspect a TLS error. I think you have a misunderstanding of what SSTP will be able to work with, on your front-end, which is currently configured to *terminate* the TLS session inside HAProxy, and forward the payload in the clear to the back-end, which does not seem likely to be a valid setup for SSTP... and in this configuration, until HAProxy successfully negotiates TLS with the client, it would correctly be expected **not** to open a connection to the back-end. – Michael - sqlbot Jul 01 '18 at 22:04
  • I believe you will need [`req.ssl_sni`](http://cbonte.github.io/haproxy-dconv/1.6/configuration.html#7.3.5-req.ssl_sni) and all of your HTTPS connections will need to loop through the proxy, twice, because you're looking for two very different behaviors on a single front-end, sometimes with the proxy offloading TLS and other times not. If leaving the router as your default backend and temporarily removing the `ssl` config from your `bind` line causes SSTP to work as expected, then that should confirm what I suspect to be the case. Can you confirm that? – Michael - sqlbot Jul 01 '18 at 22:15
  • Got sstp working by using ca-cert on the backend. Can you please help me with the syntax for the req.ssl_sni which you describe? – banjo67xxx Jul 05 '18 at 20:34

1 Answer


Finally cracked it. This is the solution:

```
frontend main
    mode tcp
    # no ssl on the bind: TLS is passed through untouched, so the ClientHello
    # (and its SNI) is still visible to the req_ssl_* fetches below
    bind 192.168.0.3:443
    # wait up to 5s for enough bytes to read the ClientHello before routing
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # any connection that presents an SNI name is a website; everything else is SSTP
    use_backend websites if { req_ssl_sni -m found }
    default_backend sstp
```

The only problem here is that using the public IP doesn't work.

Edited 6th July 2018 13:00 CET to change the req_ssl_sni from matching my domain names to checking simply for the presence of SNI.

Documentation for the logic (aka access control lists) is found here: https://www.haproxy.com/de/documentation/hapee/1-7r1/traffic-management/acls/

banjo67xxx
  • I've done a tcpdump to examine the TLS Handshake "Hello client" and I see some differences between SSTP and HTTPS that I could exploit if I knew the syntax of haproxy.cfg better. – banjo67xxx Jul 06 '18 at 07:19
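To see what the `req.ssl_hello_type 1` and `req_ssl_sni -m found` rules in the answer actually test, here is an added Python example (not from the post and not HAProxy's code) that parses the first TLS record of a connection the way those fetches do and applies the same routing decision. The ClientHello bytes are constructed inline rather than captured, the host name reuses the question's www.mydomain.com, and `choose_backend` is a hypothetical name for the answer's use_backend/default_backend pair.

```python
import struct

def build_client_hello(server_name=None):
    """Constructed sample TLS 1.2 ClientHello record (not a capture), with optional SNI."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(sni_list)) + sni_list     # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32                              # client_version + random
            + b"\x00"                                               # empty session_id
            + b"\x00\x02\xc0\x2f"                                   # one cipher suite
            + b"\x01\x00"                                           # null compression only
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body              # HandshakeType 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs        # ContentType 22 = handshake

def req_ssl_sni(buf):
    """SNI host_name from a complete ClientHello (what req_ssl_sni reads); None if absent or incomplete."""
    # req.ssl_hello_type 1: record type 22 (handshake) carrying handshake type 1 (client_hello)
    if len(buf) < 9 or buf[0] != 0x16 or buf[5] != 0x01:
        return None
    try:
        rec_len = struct.unpack("!H", buf[3:5])[0]
        hs_len = int.from_bytes(buf[6:9], "big")
        if len(buf) < 5 + rec_len or rec_len < 4 + hs_len:
            return None                   # incomplete: HAProxy keeps waiting, up to inspect-delay
        p = 9 + 2 + 32                    # skip client_version and random
        p += 1 + buf[p]                   # session_id
        p += 2 + struct.unpack("!H", buf[p:p + 2])[0]   # cipher_suites
        p += 1 + buf[p]                   # compression_methods
        if p + 2 > 9 + hs_len:
            return None                   # hello carries no extensions block at all
        ext_end = p + 2 + struct.unpack("!H", buf[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", buf[p:p + 4])
            p += 4
            if etype == 0:                # server_name: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", buf[p + 3:p + 5])[0]
                return buf[p + 5:p + 5 + name_len].decode("ascii")
            p += elen
    except (struct.error, IndexError, ValueError):
        pass                              # malformed record: treat as "no SNI"
    return None
def choose_backend(buf):
    """The answer's rule: SNI present -> websites, anything else (the SSTP client) -> sstp."""
    return "websites" if req_ssl_sni(buf) is not None else "sstp"
```

A truncated record returns no SNI, which is why the answer needs `tcp-request inspect-delay`: without it HAProxy would route on the first few bytes before the whole ClientHello has arrived and every connection would land on the sstp backend.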