
Support ssl backends on reverse-proxy
Open, Wishlist, Public, FEATURE REQUEST

Description

haproxy supports ssl backends, but this feature is not exposed in the configuration options.

vyos generates this for the backend configuration in /var/run/haproxy/haproxy.cfg

backend xyz
   balance roundrobin
   option forwardfor
   http-request set-header X-Forwarded-Port %[dst_port]
   http-request add-header X-Forwarded-Proto https if { ssl_fc }
   mode http
   server xyz 1.1.1.1:8443

But on the server line one can change it like this to support ssl

backend xyz
   balance roundrobin
   option forwardfor
   http-request set-header X-Forwarded-Port %[dst_port]
   http-request add-header X-Forwarded-Proto https if { ssl_fc }
   mode http
   server xyz 1.1.1.1:8443  ssl verify none

Which is really two additional options, one to turn on ssl, and one to not verify the certificate. The use case here is putting a valid ssl certificate using Let's Encrypt in front of an embedded service that only has a privately signed certificate using the vyos reverse-proxy feature, and that underlying service is not easily given a real cert. But I suppose this would also be useful for path based redirects to ssl using backends also.

I did change /var/run/haproxy/haproxy.cfg file manually and it works fine, but obviously that is not optimal.

If someone gives a couple of pointers on where/how to perform this work I would be willing to put together an MR.

Thanks

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Unspecified (please specify)

Event Timeline

Viacheslav triaged this task as Wishlist priority. Jan 29 2024, 8:44 AM
Viacheslav edited projects, added VyOS 1.5 Circinus; removed VyOS 1.2 Crux.

Maybe something like

set load-balancing reverse-proxy backend <name> server <name> ssl verify <required|none>

It is also possible to pass a ca pem file to use to validate the cert. I think this could be a ca cert stored in the pki config values and exported as a PEM file for haproxy to use.

set load-balancing reverse-proxy backend <name> server <name> ssl ca-certificate <ca-name>

This would be how the server line would look with ssl required and a CA pem file.

server web2 10.0.0.6:443 ssl verify required ca-file /myca.pem
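To make the proposal above concrete, here is an added example (not VyOS or HAProxy code) that maps the proposed `ssl verify <required|none>` and `ssl ca-certificate` options onto the haproxy `server` line and applies the checks a commit-time validator would need. The dict layout and function names are assumptions, not the real VyOS config tree.

```python
"""Render haproxy 'server' lines for the proposed reverse-proxy ssl options.

Hypothetical helper, not part of vyos-1x.  The 'ssl' dict is an assumed
shape: {'verify': 'required'|'none', 'ca_file': '/path/to/ca.pem'} where
'ca_file' is the PEM exported from the pki config for that ca-name.
"""
from typing import Optional


def ssl_config_errors(ssl: Optional[dict]) -> list:
    """Return commit-time validation errors for one server's ssl settings."""
    errors = []
    if ssl is None:
        return errors
    verify = ssl.get("verify")
    if verify not in ("required", "none"):
        errors.append("ssl verify must be 'required' or 'none'")
    # 'verify required' has nothing to check against without a CA bundle,
    # so reject it here rather than letting haproxy fail to start later.
    if verify == "required" and not ssl.get("ca_file"):
        errors.append("ssl verify required needs a ca-certificate")
    return errors


def render_server_line(name: str, address: str, port: int,
                       ssl: Optional[dict] = None) -> str:
    """Build the 'server' line; ssl=None keeps today's plain-TCP behaviour."""
    errors = ssl_config_errors(ssl)
    if errors:
        raise ValueError("; ".join(errors))
    parts = [f"server {name} {address}:{port}"]
    if ssl is not None:
        parts += ["ssl", f"verify {ssl['verify']}"]
        if ssl.get("ca_file"):
            parts.append(f"ca-file {ssl['ca_file']}")
    return " ".join(parts)


def unverified_servers(servers: dict) -> list:
    """List server names that skip certificate checks ('verify none'),
    so an operator can review where the backend TLS is unauthenticated."""
    return sorted(name for name, cfg in servers.items()
                  if cfg.get("ssl", {}).get("verify") == "none")
```

`unverified_servers` exists because `verify none` only encrypts the hop; it does not prove the backend is the host you configured, so those entries deserve a periodic review.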

I think that we can also use something similar to what we use in ocserv to generate ssl certificates:

https://docs.vyos.io/en/latest/configuration/vpn/openconnect.html#ssl-certificates

when it needs to validate its own certificate.