Article Image

As I've started to containerize, certain webapps of mine utilize SSL for secure communication. Hence, I usually combine everything the resulting webapp needs to serve the app using SSL, including certificates and keys.

HAProxy provides the ability to pass-through SSL via using tcp proxy mode. This is awesome, except you can forget about serving multiple domains/vhosts in this basic configuration. However, SNI to the rescue!

From the HAProxy blog, there is indeed a way for HAProxy to inspect the SSL negotiation and find the hostname, sent via the client through SNI:

SNI addresses this issue by having the client send the name of the virtual domain as part of the TLS negotiation

Let's take a look at how I setup this site in haproxy (dockerfile/haproxy) configurations across a few of my different servers:

frontend https-in *:443  
        mode tcp
        bind *:8443
       ## From http://byte-consult.be/2014/01/28/using-haproxy-as-an-ssl-gateway/
        ## Better described here: http://blog.haproxy.com/2012/04/13/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/

        option socket-stats
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }

        use_backend stn if { req_ssl_sni -i scriptthe.net }

And now for the backend declaration, where I call an nginx container that is listening on 2368 (-p 127.0.0.1:2368:443):

backend stn  
  #balance leastconn
  mode tcp

  # maximum SSL session ID length is 32 bytes.
  stick-table type binary len 32 size 30k expire 30m

  acl clienthello req_ssl_hello_type 1
  acl serverhello rep_ssl_hello_type 2

  # use tcp content accepts to detects ssl client and server hello.
  tcp-request inspect-delay 5s
  tcp-request content accept if clienthello

  # no timeout on response inspect delay by default.
  tcp-response content accept if serverhello

  stick on payload_lv(43,1) if clienthello

  # Learn on response if server hello.
  stick store-response payload_lv(43,1) if serverhello

  option ssl-hello-chk

  server stn_container 172.17.42.1:2368 ## note that when doing mode tcp, you do not need the ending `ssl`

If you aren't aware, 172.17.42.1 is the gateway address for our containers help by interface docker0. This is a way to access services running on our host from inside our container. See below for configuring iptables to allow this.

Finally, lets setup our *:80 listener to redirect permanent our users to our SSL enabled site:

frontend http-in  
        bind *:80

        ## Setup the other site we run on this server
        acl othersite hdr(host) -i othersite.net
        use_backend othersite_nginx if othersite

        ## And offload stn to ssl-enabled port
        redirect scheme https code 301 if { hdr_end(host) -i scriptthe.net } !{ ssl_fc }

One thing to note, since I utilize fairly strict iptables rules on my hosts, in this scenario, because I'm not linking the haproxy container with my stn-nginx container, we need to put a rule in the INPUT chain under the filter table (yes, that's the correct naming for those) to allow traffic from -i docker0:

iptables -A INPUT -i docker0 -j ACCEPT  

Please make sure you understand what this means: any process within a docker container can access any service running on the host machine!

That's all folks!

PS: This is the manual way of doing things. The future is bright with haproxy-confd and nginx dynamic containers which provide the proxy layer in an on-the-fly modifiable way.

Blog Logo

Mario Loria


Published

Image

./scriptthe.net

Because 127.0.0.1 gets old after a while.

Back to Overview