Skeer

Reputation: 173

Serving LDAPS lookups over HAProxy, unable to bind in testing

So I've got a sub-domain with a DC that I'm trying to set up HAProxy for SSL termination. So my problem is HAProxy is giving an error in LDP.exe when trying to connect and bind to ldaps.***tech.com:

Server error: <empty>
53 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
    {NtAuthIdentity: User='bh-test'; Pwd=<unavailable>; domain = '****tech.com'}
Error <81>: ldap_bind_s() failed: Server Down.
Server error: <empty>

I'm able to ping the server just fine, and port 636 is open and waiting. And I'm using creds from a user with Domain Admin perms on that domain. The HAProxy server is actually feeding two domains with ACLs and the other domain works perfectly. Here is my haproxy.cfg:

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    maxconn 2048
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
    tune.ssl.default-dh-param 2048

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# Enabling HAProxy Stats
listen stats
    bind    :8404
    mode    http
    log     global
    maxconn 10
    stats   enable
    stats   refresh 30s
    stats   show-node
    stats   auth user:password
    stats   uri /haproxy?stats

# LDAPS
frontend ldaps_frontend
  mode                  tcp
  log                   global
  bind                  *:636 ssl crt /etc/ssl/private/hap/
  description           LDAPS Service
  option                tcplog
  option                logasap
  option                socket-stats
  option                tcpka
  timeout client        60s
  acl host_j hdr(host) -i j.com
  acl host_*** hdr(host) -i ***tech.com
  use_backend j_ldaps if host_j
  use_backend e*** if host_***

# Enzian Stuff
frontend https-in
  bind          *:443 ssl crt /etc/ssl/private/hap/
  mode          http
  description       ***Tech
  option        socket-stats
  default_backend   ***_https
  option        tcplog


backend j_ldaps
  mode          tcp
  balance       leastconn
  server                dc01 x.x.x.x:636 maxconn 100 check ssl fall 1 rise 1 inter 2s verify none check check-ssl
  server                dc02 x.x.x.x:636 maxconn 100 check ssl fall 1 rise 1 inter 2s verify none check check-ssl
  timeout server        60s
  timeout connect       60s
  option                tcpka
  option                tcp-check
  tcp-check             connect port 636 ssl
  tcp-check send-binary 300c0201 # LDAP bind request "<ROOT>" simple
  tcp-check send-binary 01 # message ID
  tcp-check send-binary 6007 # protocol Op
  tcp-check send-binary 0201 # bind request
  tcp-check send-binary 03 # LDAP v3
  tcp-check send-binary 04008000 # name, simple authentication
  tcp-check expect binary 0a0100 # bind response + result code: success
  tcp-check send-binary 30050201034200 # unbind request

backend ***
  mode          tcp
  balance       leastconn
#  server       dc01.***tech.com x.x.x.x:636 maxconn 100 check ssl fall 1 rise 1 inter 2s verify none check check-ssl
  server        dc02.***tech.com x.x.x.x:636 maxconn 100 check ssl fall 1 rise 1 inter 2s verify none check check-ssl
  timeout server    60s
  timeout connect   60s
  option        tcpka
  option        tcp-check
  tcp-check             connect port 636 ssl
  tcp-check send-binary 300c0201 # LDAP bind request "<ROOT>" simple
  tcp-check send-binary 01 # message ID
  tcp-check send-binary 6007 # protocol Op
  tcp-check send-binary 0201 # bind request
  tcp-check send-binary 03 # LDAP v3
  tcp-check send-binary 04008000 # name, simple authentication
  tcp-check expect binary 0a0100 # bind response + result code: success
  tcp-check send-binary 30050201034200 # unbind request

backend ***_https
  mode          http
  balance       leastconn
  server        subca02.***tech.com x.x.x.x:443 maxconn 100 check ssl fall 1 rise 1 inter 2s verify none check check-ssl
#  server       dc01.***tech.com x.x.x.x:636 maxconn 100 check ssl fall 1 rise 1 inter 2s verify none check check-ssl
  option        httpchk OPTIONS / HTTP/1.1

The credentials used have been double-checked, there is no local firewall on this DC, and there are no firewalls between either host, so I'm rather lost. Any advice is appreciated!!

Upvotes: 0

Views: 3419

Answers (1)

Aleksandar

Reputation: 2672

The hdr(host) is for HTTP workloads and makes no sense with mode tcp. See hdr().

I would try to use req.ssl_sni for routing, as described in "How does the SNI Routing works in HAProxy" and "Enhanced SSL Load Balancing with Server Name Indication (SNI) TLS Extension".

Here is the untested snippet:

frontend ldaps_frontend
  mode                  tcp
  log                   global
  bind                  *:636 ssl crt /etc/ssl/private/hap/
  description           LDAPS Service
  option                tcplog
  option                logasap
  option                socket-stats
  option                tcpka
  timeout client        60s

  acl host_j   req.ssl_sni -i j.com
  acl host_*** req.ssl_sni -i ***tech.com

  use_backend j_ldaps if host_j
  use_backend e*** if host_***

Upvotes: 1
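Two points a practitioner will want alongside the answer's snippet. First, req.ssl_sni is evaluated on the raw, still-encrypted ClientHello sitting in the request buffer, and HAProxy's documentation states it does not work on a bind line that carries the ssl keyword; the frontend in the question terminates TLS (bind *:636 ssl crt ...), so the fetch for that layout is ssl_fc_sni, the SNI negotiated on the frontend connection. Second, the question's backends use verify none towards the domain controllers, which makes the proxy-to-DC leg an unauthenticated TLS hop. The configuration below is an added example, not code from the question or the answer: it shows the terminating frontend with ssl_fc_sni, the passthrough variant where req.ssl_sni is the right fetch, and a backend that validates the DC certificate. The CA bundle path /etc/ssl/certs/corp-ca.pem and the backend name e_ldaps are assumptions; x.x.x.x stands in for the DC address exactly as in the question.

```haproxy
# Added example, not from the question or the answer. Assumptions: the
# internal CA bundle /etc/ssl/certs/corp-ca.pem and the backend name
# e_ldaps; x.x.x.x stands in for the DC address as it does in the question.

frontend ldaps_frontend
  mode            tcp
  option          tcplog
  timeout client  60s
  # "ssl" on the bind line means HAProxy terminates TLS here, so the SNI
  # comes from the decrypted session (ssl_fc_sni). req.ssl_sni parses the
  # raw ClientHello in the request buffer and yields nothing on a bind that
  # has "ssl". ssl-min-ver keeps TLS 1.0 and 1.1 off this listener.
  bind            *:636 ssl crt /etc/ssl/private/hap/ ssl-min-ver TLSv1.2
  acl host_j      ssl_fc_sni -i j.com
  acl host_e      ssl_fc_sni -i ***tech.com
  use_backend     j_ldaps if host_j
  use_backend     e_ldaps if host_e
  # No default_backend on purpose: a client that sends no SNI (for example
  # one that connects to the IP address) or sends an unknown name matches
  # nothing, is closed by HAProxy, and is logged with <NOSRV> in the server
  # field of the tcplog line.

# Passthrough variant, for comparison. Without "ssl" on the bind HAProxy
# forwards the TLS stream untouched and the DC presents its own certificate;
# the SNI is then only available from the raw ClientHello, so the frontend
# has to wait for that record before it can route:
#
#   frontend ldaps_passthrough
#     mode tcp
#     bind *:636
#     tcp-request inspect-delay 5s
#     tcp-request content accept if { req_ssl_hello_type 1 }
#     use_backend j_ldaps if { req_ssl_sni -i j.com }
#     use_backend e_ldaps if { req_ssl_sni -i ***tech.com }
#
#   (the backends then use "server ... :636" without the ssl keyword, and
#   the health check keeps "tcp-check connect port 636 ssl" to speak TLS
#   to the DC)

backend e_ldaps
  mode            tcp
  balance         leastconn
  timeout connect 60s
  timeout server  60s
  option          tcpka
  # Re-encrypt to the DC and validate its certificate against the internal
  # CA. "verify none" (as in the question) accepts any certificate on this
  # hop. "sni" tells the DC which name is wanted and "verifyhost" pins the
  # name the certificate must carry. "check" appears once; TLS for the
  # health check is enabled by the tcp-check connect rule below.
  server dc02 x.x.x.x:636 maxconn 100 ssl verify required ca-file /etc/ssl/certs/corp-ca.pem sni str(dc02.***tech.com) verifyhost dc02.***tech.com check inter 2s fall 1 rise 1
  # Anonymous LDAPv3 bind as the health check, the same byte sequence the
  # question uses: messageID 1, BindRequest, empty name, simple auth.
  option          tcp-check
  tcp-check       connect port 636 ssl
  tcp-check       send-binary 300c0201   # SEQUENCE, length 12; messageID INTEGER
  tcp-check       send-binary 01         # messageID = 1
  tcp-check       send-binary 6007       # [APPLICATION 0] BindRequest, length 7
  tcp-check       send-binary 0201       # version INTEGER
  tcp-check       send-binary 03         # LDAP v3
  tcp-check       send-binary 04008000   # name "" (OCTET STRING), simple auth ""
  tcp-check       expect binary 0a0100   # resultCode ENUMERATED success(0)
  tcp-check       send-binary 30050201034200  # UnbindRequest, messageID 3
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg`, then exercise each name with `openssl s_client -connect <proxy-address>:636 -servername ***tech.com` (and again with `-servername j.com`) and read the tcplog line for that connection: it names the backend that was chosen, or shows <NOSRV> when no ACL matched the SNI the client sent. The ACLs only ever match a name the client actually puts in its ClientHello, so a client that connects by IP address, or one that sends no SNI at all, cannot be routed this way and needs either a default_backend or a dedicated listener.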
