
I have the following goal: running SoftEther VPN and web applications both on port 443. I want all traffic to come to haproxy, which sends VPN traffic to one container and the rest to another container (traefik), which finally redistributes to the respective containers based on the web app. Apparently it is possible, but I am unable to get it to work.

Setup: 2 Virtual machines in XenServer (both Debian based and running docker)

VM1 addr 10.0.0.244

VM2 addr 10.0.0.245

VM1:

  • running haproxy container, using network mode "host", listening on port 443 (i.e. 10.0.0.245:443)

  • running SoftEther VPN server container, using network mode "host", listening on port 992 (i.e. 10.0.0.245:992)

VM2:

  • running traefik reverse proxy container, on a docker internal network, mapping port 443 of the host to local 443
  • running several web applications/containers, also on the docker internal network, with no mapped ports from the host, only exposed to the internal docker network. The web apps are accessible via names like webappX.domain.com etc. through the traefik reverse proxy.

It is important to mention that if DNS points webappX.domain.com to 10.0.0.245 then traefik does its work and all web apps are accessible via browser. Also, when I try to connect to the SoftEther VPN from my Mac to port 992, the connection is established (it was also working when I experimented with SoftEther listening on port 443 and haproxy off). The DNS record for vpn.domain.com points to 10.0.0.244.

After adding haproxy, I remapped DNS records for webappX.domain.com to 10.0.0.244.

Here is my haproxy config (I suspect the problem lies somewhere in here):

defaults
  timeout client 30s
  timeout server 30s
  timeout connect 5s

frontend ft_https
  bind :443
  mode tcp
  tcp-request inspect-delay 5s
  tcp-request content accept if { req.ssl_hello_type 1 }
  default_backend bk_https

backend bk_https
  mode tcp
  acl vpn_app req_ssl_sni -i vpn.domain.com

  use-server server-se if vpn_app
  use-server server-traefik if !vpn_app

  option ssl-hello-chk
  server server-se localhost:992 check
  server server-traefik 10.0.0.245:443 check

One key requirement is that traefik must receive the full URL (e.g. https://webappX.domain.com) so that it can properly do reverse proxying. Also, SSL termination should not happen at haproxy.

Do you have any advice/suggestion as what to change or try in order to get this working?

Thank you. Brandon.

BrandonSk
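The haproxy config above routes on `req_ssl_sni`, i.e. on the server_name extension inside the client's TLS ClientHello, which haproxy reads from the raw bytes before any handshake happens. The value therefore depends only on what the client puts on the wire: a ClientHello with no server_name extension matches no `vpn_app` ACL and falls through to `server-traefik`, regardless of which certificate either backend presents. The following script is an added example, not part of the original post or of haproxy. It builds two constructed ClientHello messages (one with an SNI, one without), parses the SNI back out exactly as an SNI router would, and applies the same decision as the config (case-insensitive match on `vpn.domain.com` → `server-se`, everything else → `server-traefik`). The backend names and the hostname are taken from the config above; the random bytes and cipher suites in the constructed messages are placeholders.

```python
import struct

# Mirrors the config's routing: SNI vpn.domain.com -> server-se, else -> server-traefik
VPN_SNI = "vpn.domain.com"
VPN_SERVER = "server-se"
DEFAULT_SERVER = "server-traefik"


def build_client_hello(sni=None):
    """Constructed TLS 1.2-style ClientHello (record + handshake framing).

    Random bytes are zeros and the cipher list is a placeholder; only the
    framing and the optional server_name extension matter for SNI routing.
    """
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"      # version, random, empty session id
    suites = b"\x13\x01\x13\x02"                        # TLS_AES_128/256_GCM_SHA* (placeholder)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                 # one compression method: null
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(name_list)) + name_list  # ext type 0 = server_name
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22


def extract_sni(data):
    """Return the host_name from the server_name extension, or None.

    None means: not a TLS handshake record, not a ClientHello, truncated,
    or a ClientHello that simply carries no SNI. This is what an SNI-based
    router (haproxy's req_ssl_sni) sees in each of those cases.
    """
    try:
        if len(data) < 5 or data[0] != 0x16:          # not a TLS handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:              # not a ClientHello (req.ssl_hello_type 1)
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        if hs_len > len(hs) - 4:                      # incomplete record
            return None
        p = 4 + 2 + 32                                # skip client_version and random
        p += 1 + hs[p]                                # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]  # cipher_suites
        p += 1 + hs[p]                                # compression_methods
        if p + 2 > len(hs):                           # no extensions block at all
            return None
        ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if ext_type == 0x0000:                    # server_name
                q = p + 2                             # skip server_name_list length
                while q + 3 <= p + ext_len:
                    name_type = hs[q]
                    name_len = struct.unpack("!H", hs[q + 1:q + 3])[0]
                    q += 3
                    if name_type == 0:                # host_name
                        return hs[q:q + name_len].decode("ascii")
                    q += name_len
            p += ext_len
        return None
    except (struct.error, IndexError, UnicodeDecodeError):
        return None


def route(data):
    """Apply the config's decision to one client's first bytes.

    Returns (sni_seen, chosen_server). A missing SNI always lands on the
    default server, which is the failure mode to check for when one
    backend is never reached.
    """
    sni = extract_sni(data)
    if sni is not None and sni.lower() == VPN_SNI:   # acl ... -i : case-insensitive
        return sni, VPN_SERVER
    return sni, DEFAULT_SERVER


if __name__ == "__main__":
    for label, pkt in [("webapp", build_client_hello("webapp1.domain.com")),
                       ("vpn", build_client_hello("vpn.domain.com")),
                       ("no-sni", build_client_hello(None)),
                       ("plain-http", b"GET / HTTP/1.1\r\nHost: webapp1.domain.com\r\n\r\n")]:
        print(label, route(pkt))
```

To check which case a real client falls into, capture its first packet to port 443 (e.g. `tcpdump -i any -s0 -w hello.pcap 'tcp dst port 443'`) and feed the TCP payload of the ClientHello to `extract_sni`; if it returns None for the VPN client, SNI-based routing cannot distinguish it and the `use-server` rule will never match. The same decision can also be made in the frontend with `use_backend` rules (`use_backend bk_vpn if { req.ssl_sni -i vpn.domain.com }` plus a `default_backend`), which keeps each backend's health check independent.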

1 Answer


Well, I had partial success, since it started to work for the web apps but the VPN would not. After trial and error and a lot of googling I found this post: https://discourse.haproxy.org/t/haproxy-not-switching-between-backends/1903/8

which suggests that if I use a wildcard certificate (which I do), then SNI does not work as expected. So that's why the web apps work (because every request actually goes to one server address, which is traefik, and it further splits the traffic), but I never get to reach the VPN server.

So the solution is to use custom certificates for each host (which I do not want to do) or not to have such a setup. Unless there is another way, like an haproxy alternative... Any suggestions?

Cheers, Brandon.

BrandonSk