Jump to content

C2 Cloud behind HA-Proxy http/https offloading


Peque
 Share

Recommended Posts

Hi hak5 and All. 

I'm Using PFsense as a Firewall and have configured HA-proxy for all Websites etc - so this is only about port 80 & 443 
is it possible to use HA.proxy along with C2 cloud, SInce I'm having some issues ( and my Question is - since I'm having a lot of services this is quite easier) 
Normally for I'm using *.DOMAIN.COM as Certificate through HA-Proxy and ACME as letsencrypt certificates. 
Everything works with when I just open my ports directly Through - But not with the HA-Proxy
 

The *alias gives a :

2022/03/13 15:23:44 http: TLS handshake error from XX.XXX.XXX.XXX1:43663: acme/autocert: missing server name

In the log for the C2 cloud.

And my guess is that its becarse I'm using the * alias - THe reason is that I'm only using one certificate for all suibdomains pr domains . And would like to use the HA-Proxy for the http/https access - but I can't make it work through the HA-proxy 
 

Link to comment
Share on other sites

Hi 
I'm starting my cloud with ( the last try) 
 

/usr/local/bin/c2-3.1.2_amd64_linux -hostname XXX.XXXXX.XX -https -db /var/cloudc2/c2.db -reverseProxy

As Described - it'll work fine with https ( C2 created letsencrypt certificate) as intended. 
But instead of opening ports - I would like to use the HA-proxy Feature in my PFsense - so it'll handle the http/https request. since I'm having One Public IP and several Server hosting different services - therefor the need for HA-Proxy 

I have several other sites running HTTPS behind the Proxy( Such as VMware ESXi - Unify etc) which is working ( even if they already have their own Certificate. 

I know about the options on for starting - But since the HA-proxy and ACME automatickly handles all SSL request ( also renewing etc)
But I cannot make this work  - SO instead the option of running only http - on the C2 Server - and that will work woth the HA-proxy making it a https site, but then the configuration of devices is not correct ( I guess) 

Otherwise I need to export the certificate each time its renewed and then import the certificate into C2 cloud. 

Link to comment
Share on other sites

You say that you guess, have you actually put some work into it and tried different options? Such as terminating the encryption in the revproxy and go unencrypted upstream to the C2 server or try to go encrypted all the way using the C2 command line options to use a cert of your own. How are the devices responding to each scenario? (Remember to create new device.config files for each device for each type of scenario).

Link to comment
Share on other sites

Yeah - I used several hours this weekend testing it through. 
and yes I have tried several ways through the weekend. 

PFSense HA-PROXY --> C2 http --> not working
PFSense HA-PROXY --> C2 https --> not working
PFSense HA-PROXY --> C2 https +revproxy --> not working
PFSense HA-PROXY --> C2 https +revproxy & certificates not working

Stopping C2 - and have Apache running clean with the same certificate

PFSense HA-PROXY --> Apache2 http working 
PFSense HA-PROXY --> Apache2 https working

As described I have several other sites running through this PFsense HA-Proxy, So my Issue could something like Websocket or other addons 
OI know I had other site like Qlik.com that runs websocket and therefore are an issue. 

 

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...