haproxy SSL/TLS 直通代理不工作?

haproxy SSL/TLS 直通代理不工作?

我想将 haproxy 设置为简单的 tcp 代理。以下是我的配置。当我尝试通过 Thunderbird(将 smtp 指向 ip_of_my_host:8123)或简单的 python 脚本发送电子邮件时,我收到有关证书无效或证书错误的错误。我以为第 4 层根本不关心它。SSL/TLS 不是 L7 功能吗?那么如何正确设置它?

 frontend smtp
  bind *:8123
  mode tcp
  default_backend smtp-backend

  backend smtp-backend
  mode tcp
  server s1 smtp.gmail.com:465

https://serversforhackers.com/c/using-ssl-certificates-with-haproxy

使用 SSL Pass-Through,无需在 HAproxy 中创建或使用 SSL 证书。后端服务器可以处理 SSL 连接,就像堆栈中只有一台服务器且没有负载均衡器一样。

编辑:

  1. python 脚本(https://realpython.com/python-send-email/) 根本不起作用。我收到错误“ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] 证书验证失败:主机名不匹配,证书对‘jenkins’无效。(_ssl.c:1131)”
  2. Thunderbird 询问证书,我允许后就可以通过 haproxy 发送电子邮件
  3. eMClient 与 Thunderbird 相同
  4. Mailbird 运行良好,无需发出任何警报。只需通过 haproxy 发送电子邮件即可。

因此我可以承认直通是有效的,但这取决于应用程序。

以下是输出:openssl s_client -connect 192.168.1.116:8124

CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = smtp.gmail.com
verify return:1
---
Certificate chain
 0 s:CN = smtp.gmail.com
   i:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
 1 s:C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
   i:C = US, O = Google Trust Services LLC, CN = GTS Root R1
 2 s:C = US, O = Google Trust Services LLC, CN = GTS Root R1
   i:C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFUTCCBDmgAwIBAgIQSRYB+y12VG0SAAAAAAWnWjANBgkqhkiG9w0BAQsFADBG
MQswCQYDVQQGEwJVUzEiMCAGA1UEChMZR29vZ2xlIFRydXN0IFNlcnZpY2VzIExM
QzETMBEGA1UEAxMKR1RTIENBIDFDMzAeFw0yMjAzMTcxMTE5MzFaFw0yMjA2MDkx
MTE5MzBaMBkxFzAVBgNVBAMTDnNtdHAuZ21haWwuY29tMIIBIjANBgkqhkiG9w0B
AQEFAAOCAQ8AMIIBCgKCAQEAwoXST3b7VMOyFK4HgPcsnwBRZXjb0ZRHZK1LrFJn
kPQpzn/R41Q6YGaWhWd7EdF7fM4ufDiPLQeLER59sX6charYaUQ3XQEk9K8SHBvN
2eIP6ZjLb8GK/xq9dK2aaWWVARDciAIllp1IK+gsiLVMNCJWfVayw+4jPAfbIoe/
KqOXz5TdK/p2/PGdgil21f5EpScGLJpi9Vs/RbDg/oJpRfGKcSzzcxSfVvJjrQQo
q/facRtzjIa5fn2rLwOYS+HGdMOkIIGKAlwVUch6FgYfKmg+JNPGaq5M4PAicLYC
andcj63NQgvbPd67Si1gaHoCE75wZln1nwv/zJb8Hzu7NwIDAQABo4ICZjCCAmIw
DgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQC
MAAwHQYDVR0OBBYEFHS2ZnkMI1DpD4xSgXjLUmX8jhRiMB8GA1UdIwQYMBaAFIp0
f6+Fze6VzT2c0OJGFPNxNR0nMGoGCCsGAQUFBwEBBF4wXDAnBggrBgEFBQcwAYYb
aHR0cDovL29jc3AucGtpLmdvb2cvZ3RzMWMzMDEGCCsGAQUFBzAChiVodHRwOi8v
cGtpLmdvb2cvcmVwby9jZXJ0cy9ndHMxYzMuZGVyMBkGA1UdEQQSMBCCDnNtdHAu
Z21haWwuY29tMCEGA1UdIAQaMBgwCAYGZ4EMAQIBMAwGCisGAQQB1nkCBQMwPAYD
VR0fBDUwMzAxoC+gLYYraHR0cDovL2NybHMucGtpLmdvb2cvZ3RzMWMzL3pkQVR0
MEV4X0ZrLmNybDCCAQMGCisGAQQB1nkCBAIEgfQEgfEA7wB1ACl5vvCeOTkh8FZz
n2Old+W+V32cYAr4+U1dJlwlXceEAAABf5fRoMMAAAQDAEYwRAIgTH4pY6FHZHdo
mlC7sDEEGlVQKHZOWv0V5qX4fA9Tph4CIHdaggWPpGFZIBDLe4dmRjAr0DwWmwny
gQ1JjsTG6q5+AHYAQcjKsd8iRkoQxqE6CUKHXk4xixsD6+tLx2jwkGKWBvYAAAF/
l9Gg8gAABAMARzBFAiBgHDhRWJ8a0jA72hxlRfFUNrQaKqwloW5rltsuRp1E4wIh
AOeFjPUuzL82QRgMzzZ/xA9JtiLM16CTMnFkSmMEmc9BMA0GCSqGSIb3DQEBCwUA
A4IBAQD0JS9BZ+M0kltH4suc75AKXIwPU7qvdf4pYQLeYr0SQb2tV3wBukPpzS/U
3rZIWhxw09Pl9/AmT+Zq2jlZSlhsOMUy+G/k8YXKXgubmqxshbzT20WZrfbwjMxU
wEkDqUulDCwAp6foHRmq4Fpev2jfyw5YiES4ckgwbVfYSoX4+KcSZJo8FNgP83r/
66wsNSR8SP9Irb2bXdsyS0VYh9XkuFyNiA21YAajfJe67i5zDKRWHqwfIBTRgd+J
uOMxobxHDFksjSa6/jrA5meI2k549uraj3C8kvF0H7gQmj4gC7T+BIgZNC8ktkop
/gNu7ubTqU/7jBt/TxvAQRnQASZN
-----END CERTIFICATE-----
subject=CN = smtp.gmail.com

issuer=C = US, O = Google Trust Services LLC, CN = GTS CA 1C3

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4681 bytes and written 363 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: B92656EA56305FBE58002428D4E3A798D6E2C771989210B180A04AA8956ADFD6
    Session-ID-ctx:
    Resumption PSK: E35D5877C3D7768E597B3E977E6699ABE845D0B0F1EEF12C59914BAA062E7B1BFD523C9E2C89D13EAE4F691FB4A755A9
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 172800 (seconds)
    TLS session ticket:
    0000 - 01 5f fd b4 ca df f2 bc-32 6e 8b 6b 4c 91 2a c2   ._......2n.kL.*.
    0010 - d1 3f a5 73 2c 56 6f e0-ce 0d 33 39 c1 21 f1 42   .?.s,Vo...39.!.B
    0020 - 29 73 14 4c 1e e4 ce 9d-a5 0f 5a 65 49 72 b6 0f   )s.L......ZeIr..
    0030 - 6b d5 f4 68 cd ba 7c 46-71 f2 e6 8e f9 54 49 5b   k..h..|Fq....TI[
    0040 - 1a 71 fd 6e 8e 19 a5 93-80 30 38 28 6d db 27 57   .q.n.....08(m.'W
    0050 - a6 86 aa 6c 4d ab 01 1a-2b a9 62 d0 a5 d5 94 58   ...lM...+.b....X
    0060 - 02 62 8a c1 89 46 ea bc-53 57 92 c5 b7 72 11 32   .b...F..SW...r.2
    0070 - e6 05 22 e2 88 6c 46 4a-bf 5d 06 17 2f 49 86 aa   .."..lFJ.]../I..
    0080 - 89 37 4e 48 88 1f 57 32-61 ac ea d6 91 d6 07 85   .7NH..W2a.......
    0090 - 18 63 0e bd bb f2 25 03-05 8c 4e bb 90 8e 3f 12   .c....%...N...?.
    00a0 - 69 54 97 e9 23 64 7c 26-91 39 f1 05 db 92 2a f7   iT..#d|&.9....*.
    00b0 - eb 6f 42 51 19 73 33 29-92 52 1d a9 99 60 a8 f8   .oBQ.s3).R...`..
    00c0 - 14 78 21 50 d0 37 36 62-3c 70 2f c7 41 cf cd 5d   .x!P.76b<p/.A..]
    00d0 - a3 b0 d7 1a 0f b5 b2 7a-7b dc 2b 10 af ae 68 94   .......z{.+...h.
    00e0 - 8d 59 d3 7d a7 dd fb 2e-8a ff c2 9e               .Y.}........

    Start Time: 1648990924
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: 19DC37EC5E7DC298C40A28812BACBBAF30D53BEB2B53EDC681BB32847542F93E
    Session-ID-ctx:
    Resumption PSK: 13A0BEF271F8B729BBC484EA4DB724F3D28EE3A225D210B9C7EC5056EE86656B234BBD45E405CF7791EB5E1F45A48366
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 172800 (seconds)
    TLS session ticket:
    0000 - 01 5f fd b4 ca df f2 bc-32 6e 8b 6b 4c 91 2a c2   ._......2n.kL.*.
    0010 - c1 f4 fe 02 6c 1e ab 8d-e6 a4 6a 16 d8 eb c6 d7   ....l.....j.....
    0020 - 2f 9b e4 87 ed 76 73 ae-2b c7 a7 36 81 a0 64 1a   /....vs.+..6..d.
    0030 - 58 39 67 9c 2d bd be 74-b4 05 6a d8 a4 73 02 81   X9g.-..t..j..s..
    0040 - a5 13 2f 3f 83 f6 9f 57-49 61 41 b3 64 52 e2 8f   ../?...WIaA.dR..
    0050 - 2d 0c 36 af b2 bb c8 3d-21 77 9b 0f 06 8d 55 c2   -.6....=!w....U.
    0060 - 6b 02 d1 05 dd 7c 51 70-f3 ee c2 66 07 1c 53 d9   k....|Qp...f..S.
    0070 - b7 6d 52 28 8e 5b 76 53-3d 07 3c 3c 4c ab f6 31   .mR(.[vS=.<<L..1
    0080 - 76 f9 a9 a2 ee a2 65 24-7d 2e 9a 6c 9a 4d 5d bd   v.....e$}..l.M].
    0090 - 80 4f 37 32 b8 59 d3 b7-e1 ae 54 15 61 0a d6 e3   .O72.Y....T.a...
    00a0 - b8 7c bf 0f c6 47 74 64-71 42 fe 03 13 3b 0c 87   .|...GtdqB...;..
    00b0 - 0c 7f e7 3c 10 93 b9 d9-33 26 6b 6c f1 c4 c2 89   ...<....3&kl....
    00c0 - 18 75 b2 c7 11 8a 64 1b-09 36 56 00 27 9e d0 30   .u....d..6V.'..0
    00d0 - 7e f1 1e e5 f4 cc 15 ba-0c 41 ee 28 13 3b c8 33   ~........A.(.;.3
    00e0 - 79 d6 a0 e5 59 61 03 53-da 91 7b 32               y...Ya.S..{2

    Start Time: 1648990924
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
220 smtp.gmail.com ESMTP a3-20020a195f43000000b0044a997dea6bsm821316lfj.288 - gsmtp

答案1

由于您将连接传递到 Gmail,客户端也会获得 Gmail 证书,该证书显然仅对 Gmail 主机有效。

证书必须包含您要连接的主机名,否则无效。

由于 Gmail 证书既不包含您的 IP 地址也不包含任何主机名,因此从客户端的角度来看它是无效的。

您需要配置本地 DNS 服务器以将 smtp.gmail.com 解析为您自己的 IP 地址,或者您需要在 haproxy 上实现 SSL 终止。

相关内容