[Solved] HTTPS extforward.hap-PROXY

Added by jamester over 6 years ago

I'm having an issue getting extforward.hap-PROXY working with HTTPS connections. We are behind an Amazon classic ELB, forwarding TCP 443 to lighttpd.

Using version 1.4.48, our SSL setup is working well, with no issues. Running on Amazon AMI 4.9.51-10.52.amzn1.x86_64 #1 SMP Fri Sep 29 01:16:19 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

As soon as I enable Proxy Protocol on the ELB, and enable lighttpd with extforward.hap-PROXY = "enable", SSL will no longer function.

(mod_openssl.c.1496) SSL: 1 error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

modules.conf has the correct order:

server.modules = (
  "mod_access",
  "mod_openssl",
  "mod_extforward",
#  "mod_alias",
#  "mod_auth",
#  "mod_evasive",
  "mod_redirect",
  "mod_rewrite",
  "mod_expire",
  "mod_setenv",
#  "mod_usertrack",
)

I've tried the extforward config in various places in lighttpd.conf, before and after the SSL settings, but it makes no difference.

It seems like lighttpd is not understanding the PROXY information being sent, and therefore trying to decode as part of SSL?

Very grateful for any help offered, from anyone who is using this setting.

Update

Some further information. The load balancer seems to be behaving exactly as it should; here is a request coming in.

PROXY TCP4 xx.147.19.100 10.34.229.153 50015 443
[binary TLS ClientHello bytes follow the PROXY line; the readable fragments are the SNI "www.serveraddress.com" and the ALPN value "http/1.1"]


Replies (2)

RE: HTTPS extforward.hap-PROXY - Added by gstrauss over 6 years ago

FYI: lighttpd 1.4.48 works for me with mod_extforward loaded after mod_openssl in lighttpd.conf, and with HAProxy sitting in front configured with 'mode tcp', which passes the SSL connection through to lighttpd. Maybe you don't have the Amazon ELB IPs trusted? You have not shared your complete lighttpd config. Please run lighttpd -f /etc/lighttpd/lighttpd.conf -p and attach the output to this forum (after XXXXX'ing any private info).

server.modules += ("mod_openssl")
# fill in openssl config here

server.modules += ("mod_extforward")
extforward.forwarder = ( "127.0.0.1" => "trust" )
extforward.hap-PROXY = "enable" 

haproxy config:

defaults
    mode tcp
    timeout client    600000
    timeout server    600000
    timeout connect     8000

frontend httpfront
    use_backend lighttpd
    bind *:8444

backend lighttpd
    server srv01 127.0.0.1:8443 weight 1 maxconn 50 send-proxy-v2

RE: [solved] HTTPS extforward.hap-PROXY - Added by jamester over 6 years ago

As pointed out, and now clarified in the docs, if extforward.forwarder is not set, the information from the PROXY header will be ignored. This has the effect of causing the SSL data to be viewed as corrupt.

Some further thoughts that may help someone out.

If using extforward.hap-PROXY with Amazon Elastic Load Balancing, it is more logical to only enable it for the HTTPS connections. If enabled for HTTP, the ELB health check will most likely fail, as it will not carry the PROXY headers required, and then the instance will be taken out of service. It works great in the $SERVER["socket"] == ":443" section.

Also, given that HTTP listeners will populate X-Forwarded-For anyway, it is less important there, as the real goal of this is to get at the external IP address of the request when HTTPS is being used and decrypted by the instance directly.

The ELB listener MUST be TCP - if set to HTTP it will NOT add the PROXY header.

Will do a bit more testing on this, and then will look to deploy out to the servers this week - thanks for all the help!
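To make the failure mode in this thread concrete (the "unknown protocol" error when the PROXY header is ignored, and gstrauss's point about trusting the forwarder's IP), here is an added Python model of the behaviour the replies describe. It is not lighttpd or HAProxy code: it parses the text form of the PROXY protocol (v1, as in the captured line above; the HAProxy example uses the binary v2 form, which is not handled here), honours the header only when the TCP peer is in a hypothetical trust list, and checks whether what would reach the TLS layer still starts with a TLS handshake record. The addresses, the trust list and the ClientHello bytes are constructed for the example.

```python
import ipaddress

# Constructed example (not lighttpd or HAProxy code): a model of the PROXY protocol v1
# handling described in this thread, to show why an ignored header breaks TLS.

# Hypothetical trust list, standing in for extforward.forwarder: the load balancer
# addresses whose PROXY headers we are willing to believe.
TRUSTED_FORWARDERS = {"127.0.0.1", "10.34.229.153"}

PROXY_V1_MAX_LEN = 107  # upper bound on a v1 header, CRLF included, per the PROXY protocol spec

# Constructed TLS record framing a ClientHello: content type 0x16 (handshake), version 3.1,
# record length 5, then handshake type 0x01 (ClientHello) with a 1-byte body.
CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00])

# Constructed stream as a TCP-mode load balancer sends it: header line first, TLS bytes after.
# 203.0.113.100 is a documentation address standing in for the redacted client IP.
SAMPLE_STREAM = b"PROXY TCP4 203.0.113.100 10.34.229.153 50015 443\r\n" + CLIENT_HELLO


def parse_proxy_v1(stream):
    """Split a PROXY protocol v1 header off the front of `stream`.

    Returns (info, remainder): info is None when no v1 header is present, otherwise a dict
    with proto/src/dst/sport/dport. Raises ValueError on a malformed header so the caller
    can drop the connection rather than guess.
    """
    if not stream.startswith(b"PROXY "):
        return None, stream
    end = stream.find(b"\r\n", 0, PROXY_V1_MAX_LEN)
    if end == -1:
        raise ValueError("PROXY v1 header not terminated by CRLF within 107 bytes")
    fields = stream[:end].decode("ascii").split(" ")
    remainder = stream[end + 2:]
    if fields[1:] == ["UNKNOWN"]:
        # Spec: forwarder could not determine addresses; use the TCP peer instead.
        return {"proto": "UNKNOWN"}, remainder
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header: %r" % stream[:end])
    _, proto, src, dst, sport, dport = fields
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    family = 4 if proto == "TCP4" else 6
    if src_ip.version != family or dst_ip.version != family:
        raise ValueError("address family does not match %s" % proto)
    sport, dport = int(sport), int(dport)
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    info = {"proto": proto, "src": str(src_ip), "dst": str(dst_ip), "sport": sport, "dport": dport}
    return info, remainder


def looks_like_tls_record(payload):
    """True if `payload` begins with a TLS handshake record (type 0x16, major version 3).

    This is the check that fails with 'unknown protocol' when the PROXY line is still
    sitting in front of the ClientHello.
    """
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def accept_connection(stream, peer_ip, hap_proxy=True, trusted=TRUSTED_FORWARDERS):
    """Model of the behaviour the thread describes for a socket with hap-PROXY enabled:
    the header is honoured only when the TCP peer is a trusted forwarder; otherwise it is
    ignored and the whole stream, PROXY line included, reaches the TLS layer.

    Returns (client_ip, tls_input, tls_ok).
    """
    if hap_proxy and peer_ip in trusted:
        info, tls_input = parse_proxy_v1(stream)
        client_ip = info["src"] if info and info.get("proto") != "UNKNOWN" else peer_ip
    else:
        client_ip, tls_input = peer_ip, stream  # header, if any, is treated as TLS data
    return client_ip, tls_input, looks_like_tls_record(tls_input)


if __name__ == "__main__":
    for peer in ("10.34.229.153", "192.0.2.9"):  # trusted forwarder, then an untrusted peer
        ip, _, ok = accept_connection(SAMPLE_STREAM, peer)
        print("peer %-14s -> client %-14s TLS input ok: %s" % (peer, ip, ok))
```

Running the block prints one line per peer: with the trusted forwarder the client address comes out of the header and the TLS input starts with the handshake record; with the untrusted peer the header is ignored, the client address is the peer's own, and the TLS layer is handed a stream beginning with "PROXY", which is exactly the corrupt-looking data the original post hit.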
