UPDATE BELOW

I decided to use HAProxy as a reverse proxy for SharePoint sites. Without SSL everything works fine, but with SSL I can't start haproxy.service. I have tried many configurations, but I can't figure it out...

Trying to start service:

    $ sudo systemctl start haproxy.service
    Job for haproxy.service failed because the control process exited with error code.
    See "systemctl status haproxy.service" and "journalctl -xe" for details.

Status of the haproxy.service:

    $ sudo systemctl status haproxy.service
    haproxy.service - HAProxy Load Balancer
       Loaded: loaded (/lib/systemd/system/haproxy.service; enabled; vendor preset: enabled)
       Active: failed (Result: exit-code) since date CEST;
         Docs: man:haproxy(1)
               file:/usr/share/doc/haproxy/configuration.txt.gz
      Process: ExecStart=/usr/sbin/haproxy-systemd-wrapper -f $CONFIG -p $PIDFILE $EXTRAOPTS (code=exited, status=0/SUCCESS)
      Process: ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS (code=exited, status=1/FAILURE)
     Main PID: (code=exited, status=0/SUCCESS)

    systemd[1]: haproxy.service: Failed with result 'exit-code'.
    systemd[1]: haproxy.service: Service hold-off time over, scheduling restart.
    systemd[1]: Stopped HAProxy Load Balancer.
    systemd[1]: haproxy.service: Start request repeated too quickly.
    systemd[1]: Failed to start HAProxy Load Balancer.
    systemd[1]: haproxy.service: Unit entered failed state.
    systemd[1]: haproxy.service: Failed with result 'exit-code'.
    systemd[1]: haproxy.service: Start request repeated too quickly.
    systemd[1]: Failed to start HAProxy Load Balancer.
    systemd[1]: haproxy.service: Failed with result 'exit-code'.

Checking configuration file issues:

    $ sudo haproxy -c -f haproxy.cfg
    Enter PEM pass phrase:
    [ALERT]: parsing [haproxy.cfg:31] : 'bind *:443' : unable to load SSL private key from PEM file './cert.pem'.
    [ALERT]: Error(s) found in configuration file : haproxy.cfg
    [ALERT]: Proxy 'http_id': no SSL certificate specified for bind '*:443' at [haproxy.cfg:31] (use 'crt').
    [ALERT]: Fatal errors found in configuration.

HAProxy -vv:

    $ sudo haproxy -vv
    HA-Proxy version 1.7.5-2
    Encrypted password support via crypt(3): yes
    Built with zlib version : 1.2.8
    Running on zlib version : 1.2.8
    Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
    Built with OpenSSL version : OpenSSL 1.1.0e
    Running on OpenSSL version : OpenSSL 1.1.0f
    OpenSSL library supports TLS extensions : yes
    OpenSSL library supports SNI : yes
    OpenSSL library supports prefer-server-ciphers : yes
    Built with PCRE version : 8.39
    Running on PCRE version : 8.39
    PCRE library supports JIT : no (USE_PCRE_JIT not set)
    Built with Lua version : Lua 5.3.3
    Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
    Built with network namespace support

    Available polling systems :
          epoll : pref=300,  test result OK
           poll : pref=200,  test result OK
         select : pref=150,  test result OK
    Total: 3 (3 usable), will use epoll.

    Available filters :
            [COMP] compression
            [TRACE] trace
            [SPOE] spoe

Logs:

    haproxy: [ALERT]: parsing [/etc/haproxy/haproxy.cfg:31] : 'bind *:443' : unable to load SSL certificate file './cert.pem' file does not exist.
    haproxy: [ALERT]: Error(s) found in configuration file : /etc/haproxy/.cfg
    haproxy: [ALERT]: Proxy 'http_id': no SSL certificate specified for bind '*:443' at [/etc/haproxy/haproxy.cfg:31] (use 'crt').
    haproxy: [ALERT]: Fatal errors found in configuration.

I'm using the same certificate (but split into certificate, key and chain) for nginx on another server and it works. I created this one for HAProxy with the command cat cert.crt priv.key certchain.crt > cert.pem and I tried different orders, but the error is the same. Also, with the command haproxy -c -f haproxy.cfg the server asks for a pass phrase, so I think that the certificate is okay (maybe I'm wrong) and something's wrong with the configuration file. Thank you for your time and help.

My haproxy.cfg:

    global
        tune.ssl.default-dh-param 2048
        maxconn 4096
        user haproxy
        group haproxy
        daemon
        #ssl-server-verify none

    defaults
        mode http
        option forwardfor
        log 127.0.0.1 local0 notice
        maxconn 2000
        option httplog
        option dontlognull
        timeout connect 5000
        timeout client 50000
        timeout server 50000

    backend sharepoint
        mode http
        #balance roundrobin
        option redispatch
        cookie SERVERID insert nocache
        server spsrv xxx.xxx.xxx.xxx:80

    frontend http_id
        #bind *:80
        bind *:443 ssl crt ./cert.pem
        mode http
        reqadd X-Forwarded-Proto:\ https
        acl hosts_sharepoint hdr_end(host) -i intranet.sharepoint.com:443
        use_backend sharepoint if hosts_sharepoint
        default_backend sharepoint

FIRST UPDATE

I tried with pass-through and now SharePoint is asking for credentials (after disabling the IIS role) on port 80, and then SharePoint redirects to https with the error "504 Gateway Time-out". This is my current haproxy.cfg:

    global
        maxconn 4096
        user haproxy
        group haproxy
        daemon

    defaults
        mode tcp
        log 127.0.0.1 local0 notice
        maxconn 2000
        option tcplog
        option dontlognull
        timeout connect 20s
        timeout client 10m
        timeout server 10m

    frontend httpid
        mode tcp
        bind *:443
        acl hosts_sharepoint hdr_end(host) -i intranet.sharepoint.com
        use_backend sharepoint if hosts_sharepoint
        default_backend sharepoint

    backend sharepoint
        mode tcp
        balance roundrobin
        option redispatch
        cookie SERVERID insert indirect nocache
        server st1 xxx.xxx.xxx.xxx:443
        option ssl-hello-chk

Also, the command $ curl xxx.xxx.xxx.xxx:80 --header 'Host: sharepoint.intranet.com' -vv returns 401, so the connection is working, but the command with port 443, $ curl xxx.xxx.xxx.xxx:443 --header 'Host: sharepoint.intranet.com' -vv, returns curl: (56) Recv failure: Connection reset by peer. Is my configuration file correct? Or maybe I need to configure IIS?

SECOND UPDATE

After restarting the SharePoint server, this configuration is working with pass-through:

    global
        maxconn 4096
        user haproxy
        group haproxy
        daemon

    defaults
        mode tcp
        log 127.0.0.1 local0 notice
        maxconn 2000
        option tcplog
        option dontlognull
        timeout connect 20s
        timeout client 10m
        timeout server 10m

    frontend httpid
        mode tcp
        bind *:443
        acl hosts_sharepoint hdr_end(host) -i intranet.sharepoint.com
        use_backend sharepoint if hosts_sharepoint
        default_backend sharepoint

    backend sharepoint
        mode tcp
        balance roundrobin
        option redispatch
        cookie SERVERID insert indirect nocache
        server st1 xxx.xxx.xxx.xxx:443
        option ssl-hello-chk

2 Answers


You should avoid using relative paths in config files, like ./cert.pem. Please change it to an absolute path like /etc/ssl/cert.pem (adjust to the current path).

Also, check the cert.pem file itself. It should contain only printable text (not binary) with at least two -----BEGIN CERTIFICATE-----, -----END CERTIFICATE----- blocks (your certificate and a CA from the chain) and a -----BEGIN PRIVATE KEY-----, -----END PRIVATE KEY----- block (or maybe a -----BEGIN RSA PRIVATE KEY-----, -----END RSA PRIVATE KEY----- block).

If there is any binary inside the cert.pem file, you should convert the original files (cert.crt, priv.key) to PEM format and recreate the cert.pem file. The correct order for the concatenation should be: final cert, key, immediate issuer, next issuer, etc. You can leave out the root CA, as it is considered good practice not to include it (no real need, fewer bytes exchanged).

You may convert from the binary format (aka DER) to a text format (aka PEM) using openssl:

For the certs (input.crt would be the DER file and output.crt would be the new file in PEM format):

openssl x509 -inform DER -in input.crt -out output.crt

For the key (I assume it is an RSA key, which is the most usual). NOTE: it will ask for a (new) password for output.key; see my comments on this later.

openssl rsa -inform DER -in input.key -out output.key

NOTE: Most servers assume that the key is not ciphered (that is, the next line after -----BEGIN PRIVATE KEY----- contains ENCRYPTED). If that is the case and your server still does not start, try converting the key to an unencrypted format (NOTE: in this command, I assume the inputcipher.key file is already in PEM format):

openssl rsa -in inputcipher.key -nodes -out outputclear.key

As for the pass-through with the 504 error: in the later config you are pointing to server st1 xxx.xxx.xxx.xxx:443, whereas in the intercept config you were pointing to server spsrv xxx.xxx.xxx.xxx:80. Please re-check whether your backend is listening on port 80 or on port 443; it seems that there is no backend listening on 443.

  • I don't know how, but after restarting the SharePoint server everything is working with the configuration above (pass-through). So I'd like to ask: 1. Which of the above configurations is better, safer, or might improve page load speed? 2. For now every page load takes about 7 seconds; are there ways to decrease the load time? 3. The redirect rule from HTTP to HTTPS is configured in IIS now. Would it be better to have the redirect rule on the HAProxy server (if this is possible with pass-through)? Commented Sep 14, 2018 at 17:38
  • From the user's point of view, a pass-through is safer (encryption is done from the browser to the final server). As for speed... unless you do some caching in an interception proxy for images and CSS (negligible for most, since browsers do some local caching), a pass-through will be faster: in an interception proxy there are two encryptions, one from the client to the proxy and another from the proxy to the final server, so it takes more time than a single (client to server) one. Unless there is a need for you to check/inspect/modify anything, pass-through is more than enough. Commented Sep 14, 2018 at 18:01
  • Thank you for your answers. About caching, I didn't find how to do it with HAProxy, but I found Nuster. The configuration looks like HAProxy's and there are more options, for example caching. Looks good; did you use it? What do you think about it? Commented Sep 14, 2018 at 22:57
  • Haven't heard about it. But cache is not worth it. Also, opinion-based questions are forbidden here. It is not a chat. Please stick to questions about your configuration if my answer was not complete. Commented Sep 15, 2018 at 10:15
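As an added example (not code from the question or from either answer), the following Python script performs offline the checks this answer describes: it inspects a cert.pem bundle for the expected PEM block layout and for a passphrase-protected key (the "Enter PEM pass phrase:" prompt in the question is exactly what makes the non-interactive systemd ExecStartPre fail), and it scans a haproxy.cfg for a relative crt path and for Layer 7 ACLs or cookie persistence inside a mode tcp section, which haproxy -c only warns about and which is why hdr_end(host) can never select a backend in the pass-through configs posted above. The PEM bodies, the 192.0.2.10 address and both sample configs are constructed placeholders; the req.ssl_sni routing in FIXED_PASSTHROUGH_CFG is the standard HAProxy way to route pass-through TLS by SNI and is my suggestion, not the asker's configuration.

```python
"""Offline checks for the two things that broke the setup in the question: the PEM
bundle handed to 'bind ... ssl crt', and config lines 'haproxy -c' accepts but that
can never work.  Standard library only; all sample inputs below are constructed."""
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)
# Sample-fetch prefixes that exist only at the HTTP layer; in 'mode tcp' an acl
# built on them can never match (haproxy -c only warns about this).
LAYER7_PREFIXES = ("hdr", "req.hdr", "path", "url", "method", "cook", "req.cook")


def check_pem_bundle(data):
    """Return problems with a HAProxy cert bundle; [] means it looks usable.  HAProxy
    wants one PEM text file with the leaf cert, its private key and the intermediate
    chain; an encrypted key makes haproxy prompt on stdin, which fails under systemd."""
    blocks = PEM_BLOCK.findall(data)
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    problems = []
    if not certs:
        problems.append("no CERTIFICATE block (binary DER file? convert it to PEM first)")
    elif len(certs) < 2:
        problems.append("only one CERTIFICATE block; append the intermediate CA(s)")
    if len(keys) != 1:
        problems.append("expected exactly one PRIVATE KEY block, found %d" % len(keys))
    for label, body in keys:
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is passphrase-protected; decrypt it with "
                            "'openssl rsa -in enc.key -out clear.key' before bundling")
    # Whether the first cert is the leaf and matches the key needs DER parsing;
    # compare 'openssl x509 -noout -modulus' with 'openssl rsa -noout -modulus'.
    return problems


def _sections(cfg):
    # Split haproxy.cfg into (kind, name, [tokenised lines]); comments dropped.
    sections, cur = [], None
    for raw in cfg.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] in ("global", "defaults", "frontend", "backend", "listen"):
            cur = (words[0], words[1] if len(words) > 1 else "", [])
            sections.append(cur)
        elif cur is not None:
            cur[2].append(words)
    return sections


def check_haproxy_cfg(cfg):
    """Return config problems that 'haproxy -c' reports only as warnings or not at all."""
    sections = _sections(cfg)
    default_mode = "tcp"  # HAProxy's built-in default when 'mode' is set nowhere
    for kind, _, lines in sections:
        if kind == "defaults":
            default_mode = next((w[1] for w in lines if w[0] == "mode"), default_mode)
    problems = []
    for kind, name, lines in sections:
        if kind not in ("frontend", "backend", "listen"):
            continue
        mode = next((w[1] for w in lines if w[0] == "mode"), default_mode)
        where = "%s %s" % (kind, name)
        for w in lines:
            if w[0] == "bind" and "crt" in w[:-1] and not w[w.index("crt") + 1].startswith("/"):
                problems.append("%s: relative crt path %r; systemd starts haproxy with cwd "
                                "'/', so ExecStartPre cannot find it" % (where, w[w.index("crt") + 1]))
            if mode == "tcp" and w[0] == "acl" and len(w) > 2 and w[2].split("(")[0].startswith(LAYER7_PREFIXES):
                problems.append("%s: acl %s uses %s, which never matches in mode tcp; "
                                "route pass-through TLS on req.ssl_sni" % (where, w[1], w[2]))
            if mode == "tcp" and w[0] == "cookie":
                problems.append("%s: cookie persistence needs mode http; ignored in tcp" % where)
    return problems


# Constructed inputs for this example; the base64 bodies are placeholders, not real material.
LEAF = "-----BEGIN CERTIFICATE-----\nMIIBszCCAV2gAwIBAgIUbGVhZg==\n-----END CERTIFICATE-----\n"
ISSUER = "-----BEGIN CERTIFICATE-----\nMIIBszCCAV2gAwIBAgIUaXNzdWVy\n-----END CERTIFICATE-----\n"
CLEAR_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAcGxhY2U=\n-----END RSA PRIVATE KEY-----\n"
ENC_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
           "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\ncGxhY2U=\n"
           "-----END RSA PRIVATE KEY-----\n")
GOOD_BUNDLE = LEAF + CLEAR_KEY + ISSUER   # cert, key, chain: the order the answer recommends
BAD_BUNDLE = LEAF + ENC_KEY               # encrypted key, no chain: the situation in the question

QUESTION_CFG = """
frontend httpid
    bind *:443 ssl crt ./cert.pem
    acl hosts_sharepoint hdr_end(host) -i intranet.sharepoint.com
    use_backend sharepoint if hosts_sharepoint
backend sharepoint
    cookie SERVERID insert indirect nocache
    server st1 192.0.2.10:443
"""
FIXED_PASSTHROUGH_CFG = """
frontend httpid
    bind *:443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl hosts_sharepoint req.ssl_sni -i intranet.sharepoint.com
    use_backend sharepoint if hosts_sharepoint
backend sharepoint
    server st1 192.0.2.10:443
    option ssl-hello-chk
"""
```

Run it against real files with check_pem_bundle(open('/etc/ssl/cert.pem').read()) and check_haproxy_cfg(open('/etc/haproxy/haproxy.cfg').read()). It complements rather than replaces haproxy -c -f /etc/haproxy/haproxy.cfg, which still checks the syntax and actually loads the key; run that check from / (the working directory systemd uses) to reproduce what ExecStartPre sees.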

Maybe it will be helpful for someone. In my case I have configured two network adapters on Linux: local network and public network. On Windows I have only the local network; Windows connects to Linux over the local network, and then through HAProxy I can open the SharePoint site from the internet.

This is the correct configuration and in my case it works (for SSL I used pass-through; the redirect and the certificate are on Windows IIS):

    global
        maxconn 4096
        user haproxy
        group haproxy
        daemon

    defaults
        mode tcp
        log 127.0.0.1 local0 notice
        maxconn 2000
        option tcplog
        option dontlognull
        timeout connect 20s
        timeout client 10m
        timeout server 10m

    frontend httpid
        mode tcp
        bind *:443
        acl hosts_sharepoint hdr_end(host) -i intranet.sharepoint.com
        use_backend sharepoint if hosts_sharepoint
        default_backend sharepoint

    backend sharepoint
        mode tcp
        balance roundrobin
        option redispatch
        server st1 xxx.xxx.xxx.xxx:443   #local address of the Windows server
        option ssl-hello-chk
