Hey there! I’ve got a handful of HAProxy servers that are serving LDAPS and HTTPS front/back ends. I am new to this, so I built these and reused the config from the older HAProxy servers we had. Anyway, I mention that because I likely have little idea what should be done here. So far everything is working. We are able to bind and perform lookups successfully. What’s not working like I think it should is logging. I have Firewalld set up that is blocking all traffic inbound from the same internal subnet as the server, and allowing 0.0.0.0/0 in from all other sources for ports 636 and 443.

Rsyslog is matching on program name ‘haproxy’ and the default UNIX socket /dev/log and forwarding all info to /var/log/haproxy.log. Rsyslog is matching on program name ‘firewalld’ and sending all info to /var/log/firewalld.log. If I tail both files, I see many inbound connections allowed to port 636, but no corresponding events in the haproxy.log file. So I’m hoping that maybe I have something on the HAProxy side that’s not quite what it should be. The thought is, maybe the connection attempts are coming in, but HAProxy is not fulfilling them for some reason, and I don’t have the appropriate log options or formats set up to determine that.

Attached is my sanitized haproxy.cfg. Please don’t hesitate to ask me for more info 😊 Thanks!! Ben
global
    log /dev/log local0
    log /dev/log local1 notice
    # log 127.0.0.1 local1
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    maxconn 2048
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode http
    option httplog
    log-format "%{+Q}o client_ip=%ci client_port=%cp datetime_of_request=[%tr] frontend_name_transport=%ft backend_name=%b server_name=%s time_to_receive_full_request=%TR Tw=%Tw Tc=%Tc response_time=%Tr active_time_of_request=%Ta status_code=%ST bytes_read=%B captured_request_cookie=%CC captured_response_cookie=%CS termination_state_with_cookie_status=%tsc actconn=%ac feconn=%fc beconn=%bc srv_conn=%sc retries=%rc srv_queue=%sq backend_queue=%bq captured_request_headers_default_style=%hr captured_response_headers_default_style=%hs server_ip=%si server_port=%sp frontend_name=%f http_method=%HM http_request_uri_without_query=%HP http_request_query_string=%HQ http_request_uri=%HU bytes_uploaded=%U ssl_ciphers=%sslc ssl_version=%sslv"
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# Enabling HAProxy Stats
listen stats
    bind *:8404
    mode http
    log global
    maxconn 10
    stats enable
    stats refresh 30s
    stats show-node
    stats auth admin:password
    stats uri /stats

# LDAPS
frontend ldaps
    mode tcp
    log global
    bind *:636 ssl crt /etc/ssl/private/hap/ldaps.net.pem crt /etc/ssl/private/hap/wild.ecorp.com.pem
    description LDAPS Service
    option tcplog
    option logasap
    option socket-stats
    option tcpka
    timeout client 60s
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend ecorp_ldaps if { ssl_fc_sni_end ecorp.com }
    default_backend ldaps

# ECorp Stuff
frontend ecorp_https
    bind *:443 ssl crt /etc/ssl/private/hap/wild.ecorp.com.pem
    log global
    mode http
    description ECorpTech
    option socket-stats
    default_backend ecorp_https
    option tcplog
    capture request header Host len <len>
    capture request header Content-Type len <len>
    capture request header User-Agent len <len>
    capture request header Referer len <len>
    capture request header X-Forwarded-For len <len>
    capture response header Content-Type len <len>
    capture cookie Cookie_2 len <len>

# LDAPS backend
backend ldaps
    mode tcp
    log global
    balance leastconn
    server rodc01 x.x.x.x:636 maxconn 100 check ssl fall 3 rise 1 inter 2s verify none check check-ssl ca-file /etc/ssl/private/hap/ldaps.pem
    timeout server 60s
    timeout connect 60s
    option tcpka
    # option ldap-check
    option tcp-check
    tcp-check connect port 636 ssl
    tcp-check send-binary 300c0201 # LDAP bind request "<ROOT>" simple
    tcp-check send-binary 01 # message ID
    tcp-check send-binary 6007 # protocol Op
    tcp-check send-binary 0201 # bind request
    tcp-check send-binary 03 # LDAP v3
    tcp-check send-binary 04008000 # name, simple authentication
    tcp-check expect binary 0a0100 # bind response + result code: success
    tcp-check send-binary 30050201034200 # unbind request

# ECorp backend LDAPS
backend ecorp_ldaps
    mode tcp
    log global
    server dc02 x.x.x.x:636 maxconn 20 check ssl fall 3 rise 1 inter 10s verify none check check-ssl ca-file /etc/ssl/private/hap/wild.ecorp.com.pem
    timeout server 60s
    timeout connect 60s
    option tcpka
    option tcp-check
    tcp-check connect port 636 ssl
    tcp-check send-binary 300c0201 # LDAP bind request "<ROOT>" simple
    tcp-check send-binary 01 # message ID
    tcp-check send-binary 6007 # protocol Op
    tcp-check send-binary 0201 # bind request
    tcp-check send-binary 03 # LDAP v3
    tcp-check send-binary 04008000 # name, simple authentication
    tcp-check expect binary 0a0100 # bind response + result code: success
    tcp-check send-binary 30050201034200 # unbind request

# Ecorp backend https
backend ecorp_https
    mode http
    server subca02.ecorp.com x.x.x.x:443 maxconn 20 fall 3 rise 1 inter 10s verify none check check-ssl
    option httpchk OPTIONS / HTTP/1.0
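Once lines do reach haproxy.log, the quickest way to tell whether HAProxy fulfilled a connection is the termination state (%tsc) in each entry. The parser below is an added example, not code from the post: it reads the key=value fields produced by the log-format in the defaults section above and tallies how sessions ended per frontend. The sample log lines are constructed; the field names follow the post's log-format and the termination-state meanings follow HAProxy's documentation.

```python
"""Parse HAProxy key=value log lines (the post's log-format) and summarise
how each session ended. Added example; sample lines are constructed."""
import re
from collections import Counter

# Constructed sample: rsyslog prefix, then HAProxy's quoted key=value fields.
SAMPLE_LOG = """\
Mar 10 10:00:01 hap01 haproxy[1234]: client_ip="10.1.2.3" client_port="51234" datetime_of_request="[10/Mar/2024:10:00:01.123]" frontend_name_transport="ldaps~" backend_name="ldaps" server_name="rodc01" Tw="0" Tc="1" status_code="-1" bytes_read="1024" termination_state_with_cookie_status="--" ssl_version="TLSv1.2"
Mar 10 10:00:02 hap01 haproxy[1234]: client_ip="10.1.2.4" client_port="51235" datetime_of_request="[10/Mar/2024:10:00:02.456]" frontend_name_transport="ldaps~" backend_name="ldaps" server_name="<NOSRV>" Tw="-1" Tc="-1" status_code="-1" bytes_read="0" termination_state_with_cookie_status="CR" ssl_version="-"
Mar 10 10:00:03 hap01 haproxy[1234]: client_ip="10.1.2.5" client_port="51236" datetime_of_request="[10/Mar/2024:10:00:03.789]" frontend_name_transport="ecorp_https~" backend_name="ecorp_https" server_name="subca02.ecorp.com" Tw="0" Tc="-1" status_code="503" bytes_read="212" termination_state_with_cookie_status="SC" ssl_version="TLSv1.3"
"""

# key=value, where value is a double-quoted string (as %{+Q} emits) or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# %tsc first char: which side ended the session (per HAProxy docs).
WHO = {"-": "normal", "C": "client aborted", "S": "server aborted/unreachable",
       "P": "proxy", "L": "local (HAProxy answered)", "R": "resource exhausted",
       "I": "internal error", "D": "killed: server marked down",
       "U": "killed: backup server replaced", "K": "killed by admin",
       "c": "client-side timeout", "s": "server-side timeout"}
# %tsc second char: what HAProxy was waiting for when the session ended.
WHERE = {"-": "complete", "R": "waiting for client request", "Q": "in queue",
         "C": "connecting to server", "H": "waiting for response headers",
         "D": "transferring data", "L": "sending last data to client", "T": "tarpit"}


def parse_line(line):
    """Return one log line's key=value fields as a dict, with quotes stripped."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def explain_termination(tsc):
    """Translate the first two characters of %tsc into plain words."""
    return WHO.get(tsc[:1], "unknown") + " / " + WHERE.get(tsc[1:2], "unknown")


def summarise(log_text):
    """Count sessions per (frontend, how it ended); anything not 'normal / complete'
    is a connection HAProxy did not fully serve and deserves a closer look."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if "termination_state_with_cookie_status" not in f:
            continue  # not a line in the expected key=value format
        counts[(f.get("frontend_name_transport", "?"),
                explain_termination(f["termination_state_with_cookie_status"]))] += 1
    return counts
```

Note that `option dontlognull` in the defaults suppresses entries for connections that close without exchanging data, so connections that never get past the TLS handshake will not appear in this summary at all.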