
net/haproxy: Option tcp-request missing for SSL passthrough configuration

Open m59deathman opened this issue 5 years ago • 13 comments

Hello together,

I host a Nextcloud instance behind HAProxy. But without this option the SNI routing will not work 100%. Sometimes (50% chance) it detects the SNI, the other 50% it does not recognise the SNI.

I need an option to set this at the Public Services for a working system. With the bind option pass-through and the option pass-through in the Public Services it is not possible.

I have changed the config by hand, but if I use the GUI to change some settings, it overwrites this change every time. Hope there is a way.

Kind regards Andre

Config example:

    frontend Service_https
        bind 123.123.123.123:443 name 123.123.123.123:443
        mode tcp
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }

m59deathman avatar Apr 03 '21 15:04 m59deathman

What exactly was added to or removed from the config?

fraenki avatar Apr 03 '21 20:04 fraenki

Sorry, forgot to mark it.

Added:

    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

The first option is not necessary at the moment (small rules). But the second makes the music.

Kind regards

m59deathman avatar Apr 03 '21 23:04 m59deathman

That's already possible, you need to create rules for this. Please have a look at https://github.com/opnsense/plugins/pull/1884 for a starting point.

fraenki avatar Apr 05 '21 11:04 fraenki

Hi,

thanks for the tip. But I need the tcp-request content accept if { req_ssl_hello_type 1 } option. If I build a rule I can choose the "tcp-request content accept" option, but I cannot give it the parameter "if { req_ssl_hello_type 1 }". But this is the option I need. The timeout is not necessary at the moment because I have no big rules.

Kind regards Andre

m59deathman avatar Apr 05 '21 19:04 m59deathman

But i need the tcp-request content accept if { req_ssl_hello_type 1 } option.

AFAICT you just want to check if this is an SSL/TLS connection. There is another "condition" in the HAProxy plugin that should do the trick:

Condition type: Traffic is SSL

This will add the req.ssl_ver gt 0 condition to the HAProxy config. Please let me know if this is a valid alternative.

fraenki avatar Apr 05 '21 20:04 fraenki

Hi,

the check for SSL yes or no I have already implemented.

This test was designed to be used with TCP request content inspection. If content switching is needed, it is recommended to first wait for a complete client hello (type 1).

m59deathman avatar Apr 05 '21 21:04 m59deathman
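The HAProxy documentation quoted above says that SNI-based content switching should wait for a complete ClientHello (hello type 1) rather than act on whatever bytes have arrived so far. The following Python script is an added illustration of that point; it is not code from this thread, from HAProxy or from the OPNsense plugin. It builds a minimal ClientHello with an SNI extension (constructed sample data, not a real capture), reports the hello type the way `req.ssl_hello_type` does (0 until the record is complete), extracts the server name, and makes the kind of routing decision a passthrough frontend makes. The backend names and the `choose_backend` helper are hypothetical.

```python
"""Why SNI passthrough waits for a complete ClientHello (added example).

ssl_hello_type() mirrors HAProxy's req.ssl_hello_type: it yields the handshake
message type only when the first TLS record is fully buffered, else 0. That is
why `tcp-request content accept if { req_ssl_hello_type 1 }` (together with
`tcp-request inspect-delay`) lets HAProxy wait instead of routing on a partial
hello, which is the intermittent SNI failure described in the thread.
"""
import struct

HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01   # handshake message type: ClientHello
SNI_EXT = 0x0000      # extension type: server_name


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2-style ClientHello record carrying an SNI
    extension for `hostname` (sample data for this example, not a capture)."""
    name = hostname.encode("ascii")
    # server_name list: list_len(2) name_type(1)=host_name name_len(2) name
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", SNI_EXT, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"      # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
            + b"\x01\x00"                           # one compression method (null)
            + struct.pack("!H", len(ext)) + ext)    # extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def ssl_hello_type(buf: bytes) -> int:
    """Handshake type of the first TLS record if that record is completely
    present in `buf`, otherwise 0 (same contract as HAProxy's req.ssl_hello_type)."""
    if len(buf) < 6 or buf[0] != HANDSHAKE:
        return 0
    record_len = struct.unpack("!H", buf[3:5])[0]
    if len(buf) < 5 + record_len:
        return 0          # record still incomplete: keep inspecting
    return buf[5]


def extract_sni(buf: bytes):
    """Return the SNI host name from a complete ClientHello, or None if the
    buffer is incomplete, not a ClientHello, malformed, or carries no SNI."""
    if ssl_hello_type(buf) != CLIENT_HELLO:
        return None
    try:
        hs_len = int.from_bytes(buf[6:9], "big")
        body = buf[9:9 + hs_len]
        pos = 2 + 32                          # skip version and random
        pos += 1 + body[pos]                  # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
        pos += 1 + body[pos]                  # compression methods
        if pos + 2 > len(body):
            return None                       # no extensions block at all
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype != SNI_EXT:
                continue
            q = 2                             # skip server_name list length
            while q + 3 <= len(edata):
                ntype = edata[q]
                nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:                # host_name entry
                    return edata[q:q + nlen].decode("ascii")
                q += nlen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def choose_backend(buf: bytes, backends: dict, default: str = "bk_default"):
    """Routing decision of a hypothetical passthrough frontend: None while the
    ClientHello is incomplete (keep waiting), otherwise the backend for the SNI
    name or the default backend when the name is unknown or absent."""
    if ssl_hello_type(buf) != CLIENT_HELLO:
        return None
    return backends.get(extract_sni(buf), default)


if __name__ == "__main__":
    backends = {"cloud.example.org": "bk_nextcloud"}   # hypothetical mapping
    hello = build_client_hello("cloud.example.org")
    print("complete hello ->", choose_backend(hello, backends))
    print("first 20 bytes ->", choose_backend(hello[:20], backends))
```

Feeding only the first bytes of the hello returns None from `choose_backend`, i.e. "not decided yet", while the complete record routes on the server name. A frontend that routes before the record is complete falls into the default backend on a fraction of connections, which matches the roughly 50% failure rate reported in this issue.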

Thanks for the clarification. I'll add this option in one of the next releases.

fraenki avatar Apr 06 '21 21:04 fraenki

Hi,

Thanks. Is there an approximate timeline, so that I can set myself a note?

m59deathman avatar Apr 07 '21 18:04 m59deathman

Unfortunately no, there's so much on my list and I need to finish some other work first. I'll update this issue when this option has been added, so you'll be notified.

fraenki avatar Apr 07 '21 21:04 fraenki

Hi,

is there any news about this problem?

m59deathman avatar Aug 17 '22 08:08 m59deathman

No. There's only so much that one person can do. Contributions are welcome.

fraenki avatar Aug 17 '22 08:08 fraenki

Yes, you can edit the config by hand. But after this you cannot make changes in the GUI. If you make changes there it will override the changes you have made by hand.

Sent from my iPhone

On 04.08.2022 at 15:25, TechInterMezzo @.*** wrote:

 I have the same problem with SNI conditions not working. Is there any workaround at the moment?

m59deathman avatar Oct 11 '22 08:10 m59deathman

@m59deathman Would you test the following patch?

opnsense-patch -c plugins d8bbd5bb

This will add the new condition type "SSL Hello Type". To create the required HAProxy ACL, do the following:

  • Add new condition:
    • SSL Hello Type -> 1 - client hello
  • Add new rule:
    • Select newly created condition
    • HAProxy function: tcp-request content accept

If this works for you, then I'll release it in os-haproxy version 3.12 (OPNsense 22.7.7 or later).

fraenki avatar Oct 11 '22 11:10 fraenki

Hi,

Sorry for my late response. The mail was marked as spam. Don't know why.

Where do I have to put in this command: opnsense-patch -c plugins d8bbd5bb?

Kind regards


m59deathman avatar Oct 25 '22 16:10 m59deathman

Applying patches can be a risky thing. So if you're not familiar with it, no worries, it's OK to wait for the next OPNsense release. It's probably not too far away.

fraenki avatar Oct 25 '22 21:10 fraenki

Applying patches is not the problem with snapshots. But I have to know how 😉.

But if it's in one of the next releases I can wait for it.

Sent from my iPhone

m59deathman avatar Oct 25 '22 21:10 m59deathman