
C2 Cloud behind HA-Proxy http/https offloading


Peque


Posted

Hi hak5 and All. 

I'm using PFsense as a firewall and have configured HA-Proxy for all websites etc., so this is only about ports 80 & 443.
Is it possible to use HA-Proxy along with C2 Cloud? I'm having some issues (and I'm asking because, with a lot of services, this is much easier).
Normally I'm using *.DOMAIN.COM as the certificate through HA-Proxy, and ACME for the Let's Encrypt certificates.
Everything works when I just open my ports directly through, but not with the HA-Proxy.
 

The * alias gives a:

2022/03/13 15:23:44 http: TLS handshake error from XX.XXX.XXX.XXX1:43663: acme/autocert: missing server name

In the log for the C2 cloud.

And my guess is that it's because I'm using the * alias. The reason is that I'm only using one certificate for all subdomains per domain, and I would like to use the HA-Proxy for the http/https access, but I can't make it work through the HA-Proxy.
 

Posted

How are you starting your C2 server behind that reverse proxy (HA or not)? What string (don't reveal any secrets such as domain names)? You know there are options for reverse proxy and alternative certificates when starting the C2 server, right?

Posted

Hi 
I'm starting my cloud with (the last try):
 

/usr/local/bin/c2-3.1.2_amd64_linux -hostname XXX.XXXXX.XX -https -db /var/cloudc2/c2.db -reverseProxy

As described, it'll work fine with https (C2-created Let's Encrypt certificate) as intended.
But instead of opening ports, I would like to use the HA-Proxy feature in my PFsense, so it'll handle the http/https requests, since I have one public IP and several servers hosting different services; therefore the need for HA-Proxy.

I have several other sites running HTTPS behind the proxy (such as VMware ESXi, Unify, etc.) which are working (even if they already have their own certificate).

I know about the options for starting. But since the HA-Proxy and ACME automatically handle all SSL requests (also renewing etc.)
But I cannot make this work. So instead, the option of running only http on the C2 server, and that will work with the HA-Proxy making it an https site, but then the configuration of devices is not correct (I guess).

Otherwise I need to export the certificate each time it's renewed and then import the certificate into C2 Cloud.

Posted

You say that you guess, have you actually put some work into it and tried different options? Such as terminating the encryption in the revproxy and going unencrypted upstream to the C2 server, or trying to go encrypted all the way using the C2 command line options to use a cert of your own. How are the devices responding to each scenario? (Remember to create new device.config files for each device for each type of scenario).

Posted

Yeah, I used several hours this weekend testing it through.
And yes, I have tried several ways through the weekend.

PFSense HA-PROXY --> C2 http --> not working
PFSense HA-PROXY --> C2 https --> not working
PFSense HA-PROXY --> C2 https +revproxy --> not working
PFSense HA-PROXY --> C2 https +revproxy & certificates --> not working

Stopping C2 and having Apache running clean with the same certificate:

PFSense HA-PROXY --> Apache2 http --> working
PFSense HA-PROXY --> Apache2 https --> working

As described, I have several other sites running through this PFsense HA-Proxy, so my issue could be something like WebSocket or other add-ons.
I know I had other sites like Qlik.com that run WebSocket and therefore are an issue.
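
The log line quoted in the first post, `acme/autocert: missing server name`, is the error Go's autocert package returns when a TLS ClientHello arrives without a server name (SNI). The following is an added example, not part of the thread and not Cloud C2 code: it reproduces that condition with Go's standard `crypto/tls` over an in-memory pipe, using a constructed hostname, a constructed IP and a callback that stands in for autocert.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"strings"
)

// Same text Go's autocert returns when the ClientHello has no SNI.
var errMissingSNI = errors.New("acme/autocert: missing server name")

// handshake runs one in-memory TLS handshake and returns the SNI the server
// saw and the server-side handshake error. No certificate is loaded, so the
// handshake always fails; only the reason differs.
func handshake(clientName string) (seen string, err error) {
	cli, srv := net.Pipe()
	defer cli.Close()
	defer srv.Close()
	srvCfg := &tls.Config{
		// Stand-in for autocert's certificate callback (assumption of this example).
		GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
			seen = h.ServerName
			if seen == "" {
				return nil, errMissingSNI
			}
			return nil, errors.New("constructed example: no certificate for " + seen)
		},
	}
	// The client stands in for whatever opens the TLS connection to the server.
	go tls.Client(cli, &tls.Config{ServerName: clientName, InsecureSkipVerify: true}).Handshake()
	err = tls.Server(srv, srvCfg).Handshake()
	return seen, err
}

// missingSNI reports whether the server rejected the handshake for lack of SNI.
func missingSNI(clientName string) bool {
	_, err := handshake(clientName)
	return err != nil && strings.Contains(err.Error(), errMissingSNI.Error())
}

func main() {
	// Constructed inputs: a hostname, no name at all, and an IP literal.
	for _, name := range []string{"c2.example.test", "", "192.0.2.10"} {
		seen, err := handshake(name)
		fmt.Printf("client name %q -> server saw SNI %q, error: %v\n", name, seen, err)
	}
}
```

The IP-literal case shows that a client addressing the server by IP sends no SNI, just like one given no name at all. In HAProxy, a backend `server` line sends SNI only when it carries an `sni` expression, and its health checks only with `check-sni`.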

 

Archived

This topic is now archived and is closed to further replies.
