Add proof of concept for SNI-based routing through HAProxy

2024-11-18 10:29:43 +00:00 · 2021-06-06 12:29:53 +02:00 · 2021-06-06 12:29:53 +02:00 · b54f9df4c5
commit b54f9df4c5
parent 2e0608c270
12 changed files with 234 additions and 0 deletions
--- a/haproxy-sni/.gitignore
+++ b/haproxy-sni/.gitignore
@ -0,0 +1 @@
 *.dump
--- a/haproxy-sni/README.md
+++ b/haproxy-sni/README.md
@ -0,0 +1,20 @@
 # HAProxy with SNI & Host-based rules
 This is a proof of concept, enabling HAProxy to use *either* SNI to redirect to backends with their own HTTPS certificates (which are then fully exposed to the client; HAProxy only proxies on a TCP level in that case), *as well as* to terminate HTTPS and use the Host header to redirect to backends that use HTTP (or a new HTTPS connection).
 ## How it works
 1. The `http_redirect_frontend` is only there to listen on port 80 and redirect every request to HTTPS.
 2. The `https_sni_frontend` listens on port 443 and chooses a backend based on the SNI hostname of the TLS connection.
 3. The `https_termination_backend` passes all requests to a unix socket (using the plain TCP data).
 4. The `https_termination_frontend` listens on said unix socket, terminates the HTTPS connections and then chooses a backend based on the Host header.
 In the example (see [haproxy.cfg](haproxy.cfg)), the `pages_backend` is listening via HTTPS and is providing its own HTTPS certificates, while the `gitea_backend` only provides HTTP.
 ## How to test
 ```bash
 docker-compose up -d
 ./test.sh
 # For manual testing: all HTTPS URLs connect to localhost:443 & certificates are not verified.
 ./test.sh [curl-options...] <url>
 ```
--- a/haproxy-sni/dhparam.pem
+++ b/haproxy-sni/dhparam.pem
@ -0,0 +1,8 @@
 -----BEGIN DH PARAMETERS-----
 MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz
 +8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a
 87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7
 YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi
 7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD
 ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
 -----END DH PARAMETERS-----
--- a/haproxy-sni/docker-compose.yml
+++ b/haproxy-sni/docker-compose.yml
@ -0,0 +1,22 @@
 version: "3"
 services:
  haproxy:
    image: haproxy
    ports: ["443:443"]
    volumes:
    - ./haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
    - ./dhparam.pem:/etc/ssl/dhparam.pem:ro
    - ./haproxy-certificates:/etc/ssl/private/haproxy:ro
    cap_add:
    - NET_ADMIN
  gitea:
    image: caddy
    volumes:
    - ./gitea-www:/srv:ro
    - ./gitea.Caddyfile:/etc/caddy/Caddyfile:ro
  pages:
    image: caddy
    volumes:
    - ./pages-www:/srv:ro
    - ./pages.Caddyfile:/etc/caddy/Caddyfile:ro
--- a/haproxy-sni/gitea-www/index.html
+++ b/haproxy-sni/gitea-www/index.html
@ -0,0 +1 @@
 Hello to Gitea!
--- a/haproxy-sni/gitea.Caddyfile
+++ b/haproxy-sni/gitea.Caddyfile
@ -0,0 +1,3 @@
 http://codeberg.org
 file_server
--- a/haproxy-sni/haproxy-certificates/codeberg.org.pem
+++ b/haproxy-sni/haproxy-certificates/codeberg.org.pem
@ -0,0 +1,26 @@
 -----BEGIN CERTIFICATE-----
 MIIEUDCCArigAwIBAgIRAMq3iwF963VGkzXFpbrpAtkwDQYJKoZIhvcNAQELBQAw
 gYkxHjAcBgNVBAoTFW1rY2VydCBkZXZlbG9wbWVudCBDQTEvMC0GA1UECwwmbW9t
 YXJAbW9yaXR6LWxhcHRvcCAoTW9yaXR6IE1hcnF1YXJkdCkxNjA0BgNVBAMMLW1r
 Y2VydCBtb21hckBtb3JpdHotbGFwdG9wIChNb3JpdHogTWFycXVhcmR0KTAeFw0y
 MTA2MDYwOTQ4NDFaFw0yMzA5MDYwOTQ4NDFaMFoxJzAlBgNVBAoTHm1rY2VydCBk
 ZXZlbG9wbWVudCBjZXJ0aWZpY2F0ZTEvMC0GA1UECwwmbW9tYXJAbW9yaXR6LWxh
 cHRvcCAoTW9yaXR6IE1hcnF1YXJkdCkwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
 ggEKAoIBAQCrSPSPM6grNZMG4ZKFCVxuXu+qkHdzSR96QUxi00VkIrkGPmyMN7q7
 rUQJto9C9guJio3n7y3Bvr5kBjICjyWQd7GfkVuYgiYiG/O2hy1u1dIMCAB/Zhx1
 F1mvRfn/Q4eZk2GSOUM+kC0xaNsn2827VGLOGFywUhRmu7J9QSQ3x1Pi5BME7eNC
 AKup0CbrMrZSzKAEuYujLY0UYRxUrguMnV60wxJDCYE14YDxn9t0g7wQmzyndupk
 AMLNJZX5L83RA6vUEuTVYBFcyB0Fu3oBLQ31y5QOZ7WF/QiO5cPicQJI/oyXlHq4
 97BWS/H28kj1H5ZM8+5yhCYDtgj7dERpAgMBAAGjYTBfMA4GA1UdDwEB/wQEAwIF
 oDATBgNVHSUEDDAKBggrBgEFBQcDATAfBgNVHSMEGDAWgBSOSXQZqt2gjbTOkE9Q
 ddI8SYPqrDAXBgNVHREEEDAOggxjb2RlYmVyZy5vcmcwDQYJKoZIhvcNAQELBQAD
 ggGBAJ/57DGqfuOa3aS/nLeAzl8komvyHuoOZi9yDK2Jqr+COxP58zSu8xwhiZfc
 TJvIyB9QR7imGiQ7fEKby40q8uxGGx13oY7gQy7PG8hHk2dkfDZuSQacnpPRC3W0
 0dL2CQIog6rw6jJHjxneitkX9FUmOnHIKy7LHya0Sthg36Z0Qw5JA3SCy6OQNepR
 R2XzwTZ0KFk6gAuKCto8ENUlU5lV9PM4X3U0cBOIc5LJAPM+cxEDUocFtFqKJPbe
 YYlSeB200YhYOdi+x34n9xnQjFu/jVlWF+Y0tMBB1WWq6rZbnuylwWLYQZAo10Co
 D3oWsYRlD/ZL7X20ztIy8vRXz33ugnxxf88Q7csWDYb4S325svLfI2EjciIxYmBo
 dSJxXRQkadjIoI7gNvzeWBkYSJpQUbaD4nT2xRS8vfuv42/DrIehb8SbTivHmcB3
 OibpWIvDtS1B8thIlzl0edb+8pb6mof7pOBxoZdcBsSAk2/48s+jfRHfD9XcuKnv
 hGCdSQ==
 -----END CERTIFICATE-----
--- a/haproxy-sni/haproxy-certificates/codeberg.org.pem.key
+++ b/haproxy-sni/haproxy-certificates/codeberg.org.pem.key
@ -0,0 +1,28 @@
 -----BEGIN PRIVATE KEY-----
 MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCrSPSPM6grNZMG
 4ZKFCVxuXu+qkHdzSR96QUxi00VkIrkGPmyMN7q7rUQJto9C9guJio3n7y3Bvr5k
 BjICjyWQd7GfkVuYgiYiG/O2hy1u1dIMCAB/Zhx1F1mvRfn/Q4eZk2GSOUM+kC0x
 aNsn2827VGLOGFywUhRmu7J9QSQ3x1Pi5BME7eNCAKup0CbrMrZSzKAEuYujLY0U
 YRxUrguMnV60wxJDCYE14YDxn9t0g7wQmzyndupkAMLNJZX5L83RA6vUEuTVYBFc
 yB0Fu3oBLQ31y5QOZ7WF/QiO5cPicQJI/oyXlHq497BWS/H28kj1H5ZM8+5yhCYD
 tgj7dERpAgMBAAECggEAAeW+/88cr83aIRtimiKuaXKXyRXsnNRUivAqPnYEsMVJ
 s24BmdQMN4QF2u2wzJcZLZ7hT45wvVK1nToMV8bqLZ2F1DSyBRB8B6iznHQG5tFr
 kEKObtrcuddWYQCvckp3OBZP4GTN/+Vs+r0koF5o+whGR+4xKKrgGvs9UPHlytBf
 0DMzAzWzGPp6qBPw2sUx/fa9r5TqFW+p4SEOZJUqL2/zEZ6KBWbKw5T1e1y2kMEc
 cquUQ4avqK/N1nwRNKUnTvW827v0k7HQ2cFdrjIATNlICslOWJQicG5GUOuSBkTC
 0FFkSTtHP4qm0BqShjv6NDmzX+3WCVkGOKFOI+zuWQKBgQDBq8yEcvfMJY98KNlR
 eKKdJAMJvKdoD65Yv6EG7ZzpeEWHaTGhu71RPgHYkHn8h1T/9WniroSk19+zb4lP
 mMsBwxpg5HejWPzIiiJRkRCRA7aZZfvaXfIWryB4kI1tlGHBNN/+SYpG1zdNumtp
 Xyb/sQWMMWRZdRgclF8V+NvduwKBgQDiaM59gBROleREduFZE1a0oXtt+CrwrPlz
 hclrkYl1FbTA4TdL4JNbj5jCXCR8YakFhxWEmhwq+Dgl1NQY/YjHyG3w2imaeASX
 QUsEvAIvNrv1mIELiYCLmUElyX4WL3UhqveOFcZUvR1Z4TTwruPQmXf6BJEBLbWI
 f7odmG6yKwKBgQCzpuLjZiZY9+qe2OGmQopNzE8JJDgCPrGS38fGvnnU1N1iXAFP
 LvDRwPxDYNnXl84QVR2wygR/SUTYlTlBXdHKw6nfgW89Vlm+yOxGz5MXgeNLbp/u
 k0DzK+aqECUxJfh8GclCgANF7XP+pVPn/f0WKKalwld86DLCqBuALUX+6wKBgCUh
 gxvZ8Xqh4nnH9VUicsnU4eU7Ge+2roJfopTdnWlyUd6AEQ2EmyYc+rSFYAZ2Db42
 VTUWASCa7LpnmREwI0qAeGdToBcRL8+OibsRClqr409331IBDu/WBnUoAmGpDtCi
 tU68C3bCPRoMcR430GzZfm+maBGFaYwlRmSsJxtZAoGADSA3uAZBuWNDPNKUas2k
 Z2dXFEPNpViMjQzJ+Ko7lbOBpUUUQfZF2VMSK4lcnhhbmhcMrYzWWmh6uaw78aHY
 e3M//BfcVMdxHw7EemGOViNNq3uDIwzvYteoe6fAOA7MaV+WjJaf+smceR4o38fk
 U9RTkKpRJIcvEW5bvTI9h4o=
 -----END PRIVATE KEY-----
--- a/haproxy-sni/haproxy.cfg
+++ b/haproxy-sni/haproxy.cfg
@ -0,0 +1,98 @@
 #####################################
 ## Global Configuration & Defaults ##
 #####################################
 global
  log stderr format iso local7
  # generated 2021-06-05, Mozilla Guideline v5.6, HAProxy 2.1, OpenSSL 1.1.1d, intermediate configuration
  # https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.1d&guideline=5.6
  ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
  ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
  ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
  ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
  ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
  ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
  # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
  ssl-dh-param-file /etc/ssl/dhparam.pem
 defaults
  log global
  timeout connect 30000
  timeout check 300000
  timeout client 300000
  timeout server 300000
 ############################################################################
 ## Frontends: HTTP; HTTPS → HTTPS SNI-based; HTTPS → HTTP(S) header-based ##
 ############################################################################
 frontend http_redirect_frontend
  # HTTP backend to redirect everything to HTTPS
  bind :::80 v4v6
  mode http
  http-request redirect scheme https
 frontend https_sni_frontend
  # TCP backend to forward to HTTPS backends based on SNI
  bind :::443 v4v6
  mode tcp
  # Wait up to 5s for a SNI header & only accept TLS connections
  tcp-request inspect-delay 5s
  tcp-request content capture req.ssl_sni len 255
  log-format "%ci:%cp -> %[capture.req.hdr(0)] @ %f (%fi:%fp) -> %b (%bi:%bp)"
  tcp-request content accept if { req.ssl_hello_type 1 }
  ###################################################
  ## Rules: forward to HTTPS(S) header-based rules ##
  ###################################################
  acl use_http_backend req.ssl_sni -i "codeberg.org"
  acl use_http_backend req.ssl_sni -i "join.codeberg.org"
  use_backend https_termination_backend if use_http_backend
  ############################
  ## Rules: HTTPS SNI-based ##
  ############################
  # use_backend xyz_backend if { req.ssl_sni -i "xyz" }
  default_backend pages_backend
 frontend https_termination_frontend
  # Terminate TLS for HTTP backends
  bind /tmp/haproxy-tls-termination.sock accept-proxy ssl strict-sni alpn h2,http/1.1 crt /etc/ssl/private/haproxy/
  mode http
  # HSTS (63072000 seconds)
  http-response set-header Strict-Transport-Security max-age=63072000
  http-request capture req.hdr(Host) len 255
  log-format "%ci:%cp -> %[capture.req.hdr(0)] @ %f (%fi:%fp) -> %b (%bi:%bp)"
  ##################################
  ## Rules: HTTPS(S) header-based ##
  ##################################
  use_backend gitea_backend if { hdr(host) -i codeberg.org }
 backend https_termination_backend
  # Redirect to the terminating HTTPS frontend for all HTTP backends
  server https_termination_server /tmp/haproxy-tls-termination.sock send-proxy-v2-ssl-cn
  mode tcp
 ###############################
 ## Backends: HTTPS SNI-based ##
 ###############################
 backend pages_backend
  # Pages server is a HTTP backend that uses its own certificates for custom domains
  server pages_server pages:443
  mode tcp
 ####################################
 ## Backends: HTTP(S) header-based ##
 ####################################
 backend gitea_backend
  server gitea_server gitea:80
  mode http
--- a/haproxy-sni/pages-www/index.html
+++ b/haproxy-sni/pages-www/index.html
@ -0,0 +1 @@
 Hello to Pages!
--- a/haproxy-sni/pages.Caddyfile
+++ b/haproxy-sni/pages.Caddyfile
@ -0,0 +1,4 @@
 https://example-page.org
 tls internal
 file_server
--- a/haproxy-sni/test.sh
+++ b/haproxy-sni/test.sh
@ -0,0 +1,22 @@
 #!/bin/sh
 if [ $# -gt 0 ]; then
  exec curl -k --resolve '*:443:127.0.0.1' "$@"
 fi
 fail() {
  echo "[FAIL] $@"
  exit 1
 }
 echo "Connecting to Gitea..."
 res=$(curl https://codeberg.org -sk --resolve '*:443:127.0.0.1' --trace-ascii gitea.dump | tee /dev/stderr)
 echo "$res" | grep -Fx 'Hello to Gitea!' >/dev/null || fail "Gitea didn't answer"
 grep '^== Info:  issuer: O=mkcert development CA;' gitea.dump || { grep grep '^== Info:  issuer:' gitea.dump; fail "Gitea didn't use the correct certificate!"; }
 echo "Connecting to Pages..."
 res=$(curl https://example-page.org -sk --resolve '*:443:127.0.0.1' --trace-ascii pages.dump | tee /dev/stderr)
 echo "$res" | grep -Fx 'Hello to Pages!' >/dev/null || fail "Pages didn't answer"
 grep '^== Info:  issuer: CN=Caddy Local Authority\b' pages.dump || { grep '^== Info:  issuer:' pages.dump; fail "Pages didn't use the correct certificate!"; }
 echo "All tests succeeded"
 rm *.dump