I've got a problem I can't quite figure out and I'm hoping a Fedora list member can give me a hand. These systems are all Ubuntu-based, but this doesn't appear to be an OS-related issue as much as maybe I'm missing something with the configuration.
We're needing to scale out one of our websites to multiple web servers. We've already scaled the DB into a 4-node cluster using HAProxy with great success, so the plan has been to use HAProxy for load balancing the web servers as well. (Not the same HAProxy, obviously.)
The catch is that the existing website is HTTPS, and has been for well over a year. I want to have the load balancer handle the SSL end and use straight HTTP to the web servers to ease application debugging. As I'd never done SSL termination, I essentially copied one of the many template configs on the interwebs.
Here's my problem. When I pull the page from the web server itself (HTTP) it renders fine. When I pull it through the load balancer (HTTPS) it doesn't, with an error about mixed content. Based on my research, this should make the client see everything as coming from an SSL source even if it doesn't:

frontend lc_www
    bind *:80
    bind *:443 ssl crt /etc/ssl/private/vif.pem
    acl secure dst_port eq 443
    redirect scheme https if !{ ssl_fc }
    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload
    rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure
    default_backend lc_webfarm

backend lc_webfarm
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    server sb3 10.42.204.182:80
When I disable 'protection' in FF the site renders fine. When I enable SSL on the web servers directly, I do not get this error at all (and have never received this error in the near two years it's been HTTPS only). The website itself is Joomla-based, but I can't see how that's part of the problem.
Is there something weird with my config? Or can someone begin to tell me where to start debugging? BTW, this is using the latest HAProxy, v1.6.
Any ideas?
On 02/12/2016 05:53 AM, Mark Haney wrote:
When I pull it through the load balancer (HTTPS) it doesn't with an error about mixed content.
...
Or can someone begin to tell me where to start debugging.
View the source of the page in FF, and look for the string "http://"
Something in the site is generating absolute URLs; you want it to generate relative URLs. Or, if that's not possible, you want it to generate absolute URLs with https://.
If your proxy doesn't have hardware SSL acceleration, you also might find that the system will scale better when passing SSL straight through to the web servers. If you want to observe encrypted traffic for debugging, use ssldump. Wireshark may also be able to analyze encrypted traffic, but I haven't used it before.
http://ssldump.sourceforge.net/ https://wiki.wireshark.org/SSL
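A way to do the "view source, look for http://" check mechanically. This is an added example, not code from the thread or from Joomla or HAProxy: it parses a page saved from the HTTPS side (for instance with curl -sk https://host/ > page.html), reports every absolute http:// subresource reference, and separates what Firefox blocks outright (scripts, stylesheets, frames, form targets) from what it only warns about (images, media, CSS backgrounds). Plain navigation links are skipped because they are not mixed content. The sample page at the bottom is constructed for the demo and the hostnames in it are placeholders.

```python
"""Scan an HTML page for absolute http:// subresource URLs (added example)."""
import re
import sys
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes the browser fetches from or submits to.
URL_ATTRS = {"src", "href", "action", "data", "poster", "srcset"}
# Plain navigation links are not mixed content: nothing is fetched at page load.
NAVIGATION_TAGS = {"a", "area"}
# Subresources that can run code or replace the page; browsers block these
# (active mixed content). Everything else (img, video, css url()) is passive.
ACTIVE_TAGS = {"script", "link", "iframe", "object", "embed", "form"}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)['\"]?\s*\)", re.IGNORECASE)


def is_plain_http(url):
    """True only for an absolute http:// URL. Relative paths, scheme-relative
    //host URLs and data: URIs inherit or need no scheme and do not warn."""
    return urlsplit(url.strip()).scheme.lower() == "http"


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # (severity, where, url) in document order
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if not value:
                continue
            if name == "style":
                self._scan_css(value, f"<{tag} style>")
            elif name in URL_ATTRS and tag not in NAVIGATION_TAGS:
                # srcset holds "url descriptor, url descriptor"; others one URL
                if name == "srcset":
                    urls = [c.split()[0] for c in value.split(",") if c.strip()]
                else:
                    urls = [value]
                for url in urls:
                    if is_plain_http(url):
                        severity = "active" if tag in ACTIVE_TAGS else "passive"
                        self.findings.append((severity, f"<{tag} {name}>", url))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self._scan_css(data, "<style>")

    def _scan_css(self, css, where):
        for url in CSS_URL.findall(css):
            if is_plain_http(url):
                self.findings.append(("passive", where, url))


def find_mixed_content(html):
    """Return every absolute http:// subresource reference found in the page."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample: what a CMS that believes it is on plain HTTP might emit.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://cdn.example.com/site.css">
<script src="http://cdn.example.com/jquery.js"></script>
<style>body { background: url(http://www.example.com/images/bg.png); }</style>
</head><body>
<img src="/images/logo.png">
<img src="http://www.example.com/images/banner.jpg">
<img src="//static.example.com/x.png" srcset="http://static.example.com/x2.png 2x">
<a href="http://www.example.com/about">About</a>
<form action="https://www.example.com/login"></form>
</body></html>"""

if __name__ == "__main__":
    # usage: python3 mixed_content.py page.html   (falls back to the sample)
    if len(sys.argv) > 1:
        html = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    else:
        html = SAMPLE_PAGE
    for severity, where, url in find_mixed_content(html):
        print(f"{severity:8} {where:16} {url}")
```

Fix the "active" findings first; those are the ones the browser refuses to load, so they break the page rather than just decorating it with a warning. Anything that only shows up as a scheme-relative or relative URL is already fine.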
The load balancer is just HAProxy on a Linux box (Ubuntu, but totally irrelevant, I think). While I can do SSL passthrough, I'm still stumped as to why this is a problem. The media listed does have 'http://' items listed, but what doesn't make sense is that the server I'm pulling from doesn't have that problem when it's pure HTTPS. I would think absolute URLs *on the web server* would have shown up while it has SSL on the server itself. That's what makes no sense to me.
However, I do appreciate the heads-up for ssldump. I'd forgotten that tool existed, which makes it a bit easier to move back to SSL passthrough. However, the OCD in me just can't let this lie without an answer. Based on what I understand of the SSL termination config, HAProxy is supposed to encrypt everything it gets from the HTTP web server so that the client sees nothing but HTTPS packets. For some reason, it's not doing that and that bugs me.
On Fri, Feb 12, 2016 at 10:18 AM, Gordon Messmer gordon.messmer@gmail.com wrote:
On 02/12/2016 07:40 AM, Mark Haney wrote:
While I can do SSL passthrough, I'm still stumped as to why this is a problem. The media listed does have 'http://' items listed, but what doesn't make sense is that the server I'm pulling from doesn't have that problem when it's pure HTTPS. I would think absolute URLs /on the web server/ would have shown up while it has SSL on the server itself. That's what makes no sense to me.
When SSL is terminated in the server, Joomla can determine that the client wants https URLs, by checking properties of the connection. If you terminate SSL at the proxy, which then uses http: to the web server, your web apps determine that the client is using http: when they check the properties. And when they see a client on http:, they'll generate URLs that match. Some of the time you can influence that, but it depends on your app supporting an external SSL proxy and providing such settings.
However, I do appreciate the heads-up for ssldump. I'd forgotten that tool existed, which makes it a bit easier to move back to SSL passthrough. However, the OCD in me just can't let this lie without an answer. Based on what I understand of the SSL termination config, HAProxy is supposed to encrypt everything it gets from the HTTP web server so that the client sees nothing but HTTPS packets. For some reason, it's not doing that and that bugs me.
The one thing your proxy isn't doing is modifying the content of the web pages. If the server includes an http:// URL, it'll be passed to the client, which generates a warning. At that point, the client has only seen HTTPS packets, so your proxy is doing exactly what you expect. It's the web application that isn't, because you've obscured the fact that the client is requesting https:// URLs.
When I googled "joomla https proxy urls", the first result suggests:
"UPDATE: Disabling "Search Engine Friendly URLs" permits use of HTTPS --> HTTP."
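A framework-neutral model of what the reply above describes, as an added example rather than Joomla's or HAProxy's own code. With TLS on the web server the application can read the socket; with TLS terminated at HAProxy the application sees plain HTTP and has to take the scheme from X-Forwarded-Proto instead, and only when the request really came from the proxy, because any client can send that header itself. It also handles the duplicate-header case the posted config can produce: `http-request add-header` appends rather than replaces, so a client that supplies its own X-Forwarded-Proto leaves two values (using `set-header` on the proxy avoids that). The proxy address range, the client address and the header lists are assumptions constructed for the demo; Joomla has its own settings for this, which the thread touches on, and this is not them.

```python
"""Deciding the request scheme behind a TLS-terminating proxy (added example)."""
from ipaddress import ip_address, ip_network

# Assumption for the demo: the HAProxy box sits in this range. Only requests
# arriving from here may assert a scheme via headers.
TRUSTED_PROXIES = (ip_network("10.42.204.0/24"),)


def naive_scheme(socket_is_tls):
    """What an app with no proxy awareness does: trust the socket alone. Behind a
    terminating proxy this always says http, the app then emits http:// URLs,
    and the browser reports mixed content."""
    return "https" if socket_is_tls else "http"


def effective_scheme(peer_ip, socket_is_tls, headers, trusted=TRUSTED_PROXIES):
    """headers: (name, value) pairs in arrival order, duplicates preserved, the
    way a server hands them to the application."""
    if socket_is_tls:
        return "https"                      # TLS on this host: nothing to infer
    if not any(ip_address(peer_ip) in net for net in trusted):
        return "http"                       # not from the proxy: ignore headers
    values = [v.strip().lower() for n, v in headers
              if n.lower() == "x-forwarded-proto"]
    if not values:
        return "http"
    # HAProxy's add-header appends, so the proxy's value is the last one when a
    # client sent its own. set-header on the proxy removes the ambiguity.
    return "https" if values[-1] == "https" else "http"


def absolute_url(peer_ip, socket_is_tls, headers, path, trusted=TRUSTED_PROXIES):
    """Build an absolute URL the way a CMS does when it cannot emit a relative one."""
    host = next((v for n, v in headers if n.lower() == "host"), "localhost")
    scheme = effective_scheme(peer_ip, socket_is_tls, headers, trusted)
    return f"{scheme}://{host}{path}"


if __name__ == "__main__":
    # Constructed requests: 203.0.113.5 is a documentation-range client address,
    # 10.42.204.1 stands in for the HAProxy box.
    on_server = ("203.0.113.5", True, [("Host", "www.example.com")])
    via_proxy = ("10.42.204.1", False,
                 [("Host", "www.example.com"), ("X-Forwarded-Proto", "https")])
    spoofed = ("203.0.113.5", False,
               [("Host", "www.example.com"), ("X-Forwarded-Proto", "https")])
    for label, req in [("TLS on web server", on_server),
                       ("via HAProxy", via_proxy),
                       ("direct client, spoofed header", spoofed)]:
        print(f"{label:30} naive={naive_scheme(req[1]):5} "
              f"aware={effective_scheme(*req):5} "
              f"{absolute_url(*req, '/images/banner.jpg')}")
```

The second row is the thread's situation: the naive check says http, the proxy-aware one says https, and only the latter yields an https:// banner URL. The third row is why the trusted-proxy check matters; without it a client on plain HTTP could make the app believe it is on HTTPS.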
It looks like I'm better off just using SSL passthrough for this. We're already good with SSL on the web servers themselves, so it seems pointless to try to undo all that for this. We're moving away from joomla over the next year or so as we're far exceeding what it was designed to do with what we use it for, and I'm hoping to at least consider returning to SSL termination with the new in-house built app. For now though, this works just as well.
As always, I appreciate the help from the Fedora community for something not directly Fedora related. I've been on this list since FC1 and it's by far the most helpful list out there.
On Fri, Feb 12, 2016 at 10:58 AM, Gordon Messmer gordon.messmer@gmail.com wrote: