haproxy and LDAP backend with old SSL/ciphers

I am trying to use haproxy to proxy requests to an old LDAP server with really outdated SSL/ciphers, but ldapsearch always returns an error:

ldap_result: Can't contact LDAP server (-1)

Here is my haproxy config:

global
  log stdout format raw local0 debug

frontend ldap-636
  bind 0.0.0.0:636 ssl crt /cert.pem no-sslv3 no-tlsv10 ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
  mode tcp
  option socket-stats
  option tcplog
  option tcpka
  timeout client 10s
  default_backend ldap-636-origin

backend ldap-636-origin
  log stdout format raw local0 debug
  server DC-NODE-01 172.16.17.77:636 no-check ciphers ALL:NULL:eNULL:aNULL:RC4-MD5:@SECLEVEL=0 ca-file /ca-certificates/ca-cert.pem
  #server DC-NODE-01 172.16.17.77:389 check fall 3 rise 2 inter 5000 weight 10
  mode tcp
  stick-table type ip size 200k expire 30m
  timeout server 12s
  timeout tunnel 10s
  timeout connect 10s

The backend server uses SSLv3/TLSv1.0 and the RC4-MD5 cipher. I first tried the official haproxy Docker build, but the OpenSSL shipped in that container is not compiled with support for these old ciphers. I patched haproxy's Dockerfile and built my own image, which includes a self-compiled version of openssl with the old ciphers enabled:

# vim:set ft=dockerfile:
FROM alpine:3.11

ENV HAPROXY_VERSION 2.1.2
ENV HAPROXY_URL https://www.haproxy.org/download/2.1/src/haproxy-2.1.2.tar.gz
ENV HAPROXY_SHA256 6079b08a8905ade5a9a2835ead8963ee10a855d8508a85efb7181eea2d310b77

# see https://sources.debian.net/src/haproxy/jessie/debian/rules/ for some helpful navigation of the possible "make" arguments
RUN set -x \
    \
    && apk add --no-cache --virtual .build-deps \
        ca-certificates \
        gcc \
        perl \
        libc-dev \
        linux-headers \
        lua5.3-dev \
        make \
        pcre2-dev \
        readline-dev \
        tar \
        zlib-dev \
        libxml2-dev

# Self-built OpenSSL 1.1.0l with the legacy protocol and cipher options that the
# distribution build leaves out. Note that, unlike the haproxy tarball below,
# this download is not checksum-verified.
RUN wget https://www.openssl.org/source/openssl-1.1.0l.tar.gz \
  && tar -zxvf openssl-1.1.0l.tar.gz

# $(LIBRPATH) is quoted on purpose: it is expanded by OpenSSL's own Makefile, not by the shell.
RUN cd openssl-1.1.0l/ && ./config --prefix=/usr/local --openssldir=/etc/ssl --libdir=lib \
      shared enable-weak-ssl-ciphers enable-ssl3 enable-tls1 enable-deprecated enable-rc4 enable-ssl3-method -Wl,--enable-new-dtags,-rpath,'$(LIBRPATH)'
RUN cd openssl-1.1.0l/ && make
RUN cd openssl-1.1.0l/ && make install

RUN wget -O haproxy.tar.gz "$HAPROXY_URL" \
    && echo "$HAPROXY_SHA256 *haproxy.tar.gz" | sha256sum -c \
    && mkdir -p /usr/src/haproxy \
    && tar -xzf haproxy.tar.gz -C /usr/src/haproxy --strip-components=1 \
    && rm haproxy.tar.gz \
    \
    && makeOpts=' \
        TARGET=linux-glibc \
        USE_GETADDRINFO=1 \
        USE_LUA=1 LUA_INC=/usr/include/lua5.3 LUA_LIB=/usr/lib/lua5.3 \
        USE_OPENSSL=1 SSL_INC=/usr/local/include SSL_LIB=/usr/local/lib ADDLIB=-ldl \
        USE_PCRE2=1 USE_PCRE2_JIT=1 \
        USE_ZLIB=1 \
        \
        EXTRA_OBJS=" \
# see https://github.com/docker-library/haproxy/issues/94#issuecomment-505673353 for more details about prometheus support
            contrib/prometheus-exporter/service-prometheus.o \
        " \
    ' \
    && nproc="$(getconf _NPROCESSORS_ONLN)" \
    && eval "make -C /usr/src/haproxy -j '$nproc' all $makeOpts" \
    && eval "make -C /usr/src/haproxy install-bin $makeOpts" \
    \
    && mkdir -p /usr/local/etc/haproxy \
    && cp -R /usr/src/haproxy/examples/errorfiles /usr/local/etc/haproxy/errors \
    && rm -rf /usr/src/haproxy \
    \
    && runDeps="$( \
        scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
            | tr ',' '\n' \
            | sort -u \
            | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
    )" \
    && apk add --no-network --virtual .haproxy-rundeps $runDeps \
    && apk del --no-network .build-deps

# https://www.haproxy.org/download/1.8/doc/management.txt
# "4. Stopping and restarting HAProxy"
# "when the SIGTERM signal is sent to the haproxy process, it immediately quits and all established connections are closed"
# "graceful stop is triggered when the SIGUSR1 signal is sent to the haproxy process"
STOPSIGNAL SIGUSR1

# OpenLDAP client setting for the ldapsearch tests run inside the container
ENV LDAPTLS_REQCERT=never

COPY docker-entrypoint.sh /
ENTRYPOINT ["/docker-entrypoint.sh"]
CMD ["haproxy", "-f", "/usr/local/etc/haproxy/haproxy.cfg"]

(I am not using the latest openssl version because it did not compile in the container.)

I still cannot get haproxy to connect to the ldap server. From inside the container I can verify the openssl connection to the old LDAP server:

openssl s_client -cipher "ALL:NULL:RC4-MD5:@SECLEVEL=0" -connect 172.16.17.77:636 -ssl3 -CAfile ...

haproxy does not seem to care about the actual problem with the connection (I do get log output).

But... if I change the haproxy config to use an unencrypted connection to the LDAP server, it works immediately.

Can someone give me a hint what this might be, or how I can debug it further?
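If the cause is the one the posted config suggests, namely that the backend server line carries ciphers and ca-file but no ssl keyword, so HAProxy forwards the decrypted client traffic to port 636 in cleartext and the DC drops it, the backend would look like the block below. This is an added example written for this page, not the question author's config or HAProxy project code; the missing ssl keyword as the cause, and RC4-MD5 being the only suite the DC offers, are assumptions.

```haproxy
global
  log stdout format raw local0 debug

frontend ldap-636
  # Client-facing leg: modern TLS only, terminated at the proxy.
  bind 0.0.0.0:636 ssl crt /cert.pem ssl-min-ver TLSv1.2
  mode tcp
  option tcplog
  timeout client 10s
  default_backend ldap-636-origin

backend ldap-636-origin
  mode tcp
  timeout connect 10s
  timeout server 12s
  timeout tunnel 10s

  # Server line as posted (assumed cause of the failure): without the "ssl"
  # keyword HAProxy opens a plain TCP connection to port 636, the DC expects a
  # TLS handshake and closes it, and "ciphers"/"ca-file" are never applied.
  #server DC-NODE-01 172.16.17.77:636 no-check ciphers ALL:NULL:eNULL:aNULL:RC4-MD5:@SECLEVEL=0 ca-file /ca-certificates/ca-cert.pem

  # Corrected server line: "ssl" re-encrypts the proxy-to-DC hop. HAProxy's
  # default minimum version excludes SSLv3, so it is lowered explicitly and
  # capped at TLSv1.0 for this one hop only. The cipher list is narrowed to the
  # suite the DC offers (assumed: RC4-MD5) instead of ALL:NULL:eNULL:aNULL,
  # which would also allow unencrypted or unauthenticated sessions, and
  # "verify required" makes the CA file actually enforced.
  server DC-NODE-01 172.16.17.77:636 ssl ssl-min-ver SSLv3 ssl-max-ver TLSv1.0 ciphers RC4-MD5:@SECLEVEL=0 verify required ca-file /ca-certificates/ca-cert.pem no-check
```

The @SECLEVEL=0 part is still needed because OpenSSL 1.1.0 rejects MD5-based suites at its default security level even when they are compiled in.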
