NC config for HAProxy SSL termination scenario

Hi Folks,

I have been running my NC11 installation for a while now in a test environment. Now I want to switch it to online mode.

Therefore I placed my NC server in a DMZ environment which is protected by a pfSense HW firewall. The firewall also runs HAProxy. Ideally I will terminate the SSL connection from the Internet to the NC server at HAProxy and forward the traffic decrypted from there. The domain name (cloud.justanexample.com) points via DynDNS to the firewall and will then be forwarded based on an ACL rule to the NC server.

Can somebody with a comparable scenario share his/her NC config file with me?
I have some difficulties setting the correct parameters.
At the moment the combination of

  • overwriteprotocol "https"
  • overwrite.cli.url "https://cloud.justanexample.com/"
    gives me the ability to log in, but cannot resolve the URL to show content in the files app.

Again, a working config example would help me best.

Can you share what you have now? This config example should be enough I think:

frontend www-http
   bind haproxy_www_public_IP:80
   # tell the backend which scheme the client used (reqadd is the HAProxy 1.x syntax)
   reqadd X-Forwarded-Proto:\ http
   default_backend www-backend

frontend www-https
   # TLS is terminated here; the PEM file holds certificate chain plus private key
   bind haproxy_www_public_IP:443 ssl crt /etc/ssl/private/example.com.pem
   reqadd X-Forwarded-Proto:\ https
   default_backend www-backend

backend www-backend
   # anything that arrived in clear on port 80 is redirected to https
   redirect scheme https if !{ ssl_fc }
   # backends only speak plain http; "check" enables health checks
   server www-1 www_1_private_IP:80 check
   server www-2 www_2_private_IP:80 check

I'm about to implement this; currently my HAProxy config is HTTP only while I get it set up and tested.
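A Nextcloud config.php fragment that matches the HAProxy setup above, added here as an example and not a config posted by anyone in this thread; the addresses 192.0.2.1 (HAProxy's DMZ-side interface) and 10.0.0.5 (the Nextcloud host) are placeholders.

```php
<?php
// Added example for the thread's scenario: HAProxy terminates TLS and forwards plain
// HTTP (port 80) to Nextcloud. Placeholder addresses: 192.0.2.1 = HAProxy's internal
// interface as seen by Nextcloud, 10.0.0.5 = the Nextcloud host in the DMZ.
$CONFIG = array (
  // Host names a browser may use to reach this instance. The public name must be
  // listed, otherwise Nextcloud rejects the request as an untrusted domain.
  'trusted_domains' => array (
    0 => 'cloud.justanexample.com',
    1 => '10.0.0.5',            // placeholder: direct access from the LAN
  ),

  // Only sources in this list may set X-Forwarded-* headers; Nextcloud ignores the
  // headers from anyone else. Keep it to the proxy address itself: any host listed
  // here can choose the client IP that brute-force protection and the logs will see.
  'trusted_proxies' => array ('192.0.2.1'),   // placeholder: HAProxy internal IP
  // Header carrying the real client IP. HAProxy only sends X-Forwarded-For when the
  // backend has "option forwardfor", which the config above does not yet set.
  'forwarded_for_headers' => array ('HTTP_X_FORWARDED_FOR'),

  // Nextcloud sees plain HTTP from HAProxy, so it must be told what the client used;
  // otherwise generated links (files app, WebDAV, share links) carry http:// and the
  // internal host name. overwritehost fixes the host, overwriteprotocol the scheme.
  'overwritehost' => 'cloud.justanexample.com',
  'overwriteprotocol' => 'https',
  // Regex on REMOTE_ADDR: apply the overwrite* values only to requests that really
  // came through the proxy, so direct LAN access keeps its own host and scheme.
  'overwritecondaddr' => '^192\\.0\\.2\\.1$',
  // Used by occ and background jobs, which have no HTTP request to derive a URL from.
  'overwrite.cli.url' => 'https://cloud.justanexample.com/',

  // ... the rest of the generated config (instanceid, secret, datadirectory, dbtype,
  // ...) stays as the installer wrote it.
);
```

The two settings the opening post already has (overwriteprotocol, overwrite.cli.url) only fix the scheme and the CLI URL; links built for the browser also need overwritehost and a trusted_domains entry for the public name.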

Honestly I'd try to avoid SSL termination on the firewall. What I do instead is configure HAProxy as a real HTTP proxy only for unencrypted traffic (in my case only needed for the Let's Encrypt verification), and for SSL use HAProxy's ability to just read the SNI (Server Name Indication) field and then pass the whole TCP stream to the server. If I remember right I used this tutorial:

I personally don't want the traffic to be decrypted by the proxy because IMO HTTPS traffic should be from client to server, not from client to the gateway of the server (so compromising the firewall doesn't expose traffic passing through the firewall).

Thx for your HAProxy config example. Can you also share the corresponding NC config?

The same as yours:

Thx for providing this nice manual. I'll rethink the security risk of not using real end-to-end encryption.