Providing LDAPS lookups through HAProxy, unable to bind in testing

Problem description

So I have a subdomain with a DC, and I am trying to set up HAProxy for SSL termination. My problem is that HAProxy produces an error in LDP.exe when I try to connect and bind to ldaps.***tech.com:

Server error: <empty>
53 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
    {NtAuthIdentity: User='bh-test'; Pwd=<unavailable>; domain = '****tech.com'}
Error <81>: ldap_bind_s() failed: Server Down.
Server error: <empty>

I can ping the server fine, and port 636 is open and listening. I am also using the credentials of a user with Domain Admin rights on that domain. The HAProxy server actually has ACLs for two domains, and the other domain works fine. Here is my haproxy.cfg:

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    maxconn 2048
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode    http
    option  httplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# Enabling HAProxy Stats
listen  stats
    bind    :8404
    mode    http
    log global
    maxconn 10
    stats enable
    stats refresh 30s
    stats show-node
    stats auth user:password
    stats uri  /haproxy?stats

# LDAPS
frontend ldaps_frontend
  mode                  tcp
  log                   global
  bind                  *:636 ssl crt /etc/ssl/private/hap/
  description           LDAPS Service
  option                tcplog
  option                logasap
  option                socket-stats
  option                tcpka
  timeout client        60s
  acl host_j hdr(host) -i j.com
  acl host_*** hdr(host) -i ***tech.com
  use_backend j_ldaps if host_j
  use_backend e*** if host_***

# Enzian Stuff
frontend https-in
  bind          *:443 ssl crt /etc/ssl/private/hap/
  mode          http
  description       ***Tech
  option        socket-stats
  default_backend   ***_https
  option        tcplog


backend j_ldaps
  mode          tcp
  balance       leastconn
  server                dc01 x.x.x.x:636 maxconn 100 check ssl fall 1 rise 1 inter 2s verify none check check-ssl
  server                dc02 x.x.x.x:636 maxconn 100 check ssl fall 1 rise 1 inter 2s verify none check check-ssl
  timeout server        60s
  timeout connect       60s
  option                tcpka
  option                tcp-check
  tcp-check             connect port 636 ssl
  tcp-check send-binary 300c0201 # LDAP bind request "<ROOT>" simple
  tcp-check send-binary 01 # message ID
  tcp-check send-binary 6007 # protocol Op
  tcp-check send-binary 0201 # bind request
  tcp-check send-binary 03 # LDAP v3
  tcp-check send-binary 04008000 # name, simple authentication
  tcp-check expect binary 0a0100 # bind response + result code: success
  tcp-check send-binary 30050201034200 # unbind request

backend ***
  mode          tcp
  balance       leastconn
#  server       dc01.***tech.com x.x.x.x:636 maxconn 100 check ssl fall 1 rise 1 inter 2s verify none check check-ssl
  server        dc02.***tech.com x.x.x.x:636 maxconn 100 check ssl fall 1 rise 1 inter 2s verify none check check-ssl
  timeout server    60s
  timeout connect   60s
  option        tcpka
  option        tcp-check
  tcp-check             connect port 636 ssl
  tcp-check send-binary 300c0201 # LDAP bind request "<ROOT>" simple
  tcp-check send-binary 01 # message ID
  tcp-check send-binary 6007 # protocol Op
  tcp-check send-binary 0201 # bind request
  tcp-check send-binary 03 # LDAP v3
  tcp-check send-binary 04008000 # name, simple authentication
  tcp-check expect binary 0a0100 # bind response + result code: success
  tcp-check send-binary 30050201034200 # unbind request

backend ***_https
  mode          http
  balance       leastconn
  server        subca02.***tech.com x.x.x.x:443 maxconn 100 check ssl fall 1 rise 1 inter 2s verify none check check-ssl
#  server       dc01.***tech.com x.x.x.x:636 maxconn 100 check ssl fall 1 rise 1 inter 2s verify none check check-ssl
  option        httpchk OPTIONS / HTTP/1.1

The credentials used have been double-checked, there is no local firewall on this DC, and there is no firewall between the two hosts, so I am at a loss. Any suggestions are appreciated!

Tags: ssl, reverse-proxy, haproxy

Solution

hdr(host) is for HTTP workloads; it is not usable with mode tcp.

I would try routing on req.ssl_sni, as described in "How SNI routing works in HAProxy" and "Enhanced SSL load balancing with Server Name Indication (SNI) TLS extension".

Here is an untested snippet:

frontend ldaps_frontend
  mode                  tcp
  log                   global
  bind                  *:636 ssl crt /etc/ssl/private/hap/
  description           LDAPS Service
  option                tcplog
  option                logasap
  option                socket-stats
  option                tcpka
  timeout client        60s

  acl host_j   req.ssl_sni -i j.com
  acl host_*** req.ssl_sni -i ***tech.com

  use_backend j_ldaps if host_j
  use_backend e*** if host_***
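
The configuration below is an added example, not the answerer's snippet and not the asker's configuration; domain names, backend names, addresses and the CA file path are placeholders. It shows the two ways SNI routing can be wired for a TCP-mode LDAPS frontend. The distinction matters for the posted frontend: HAProxy's documentation states that req.ssl_sni only parses a raw ClientHello sitting in the request buffer and does not work on a bind line that carries the ssl option, so a frontend that terminates TLS (as `bind *:636 ssl crt ...` does) must read the name with ssl_fc_sni, while req.ssl_sni belongs to a passthrough frontend that waits for the ClientHello with an inspect delay. The example also replaces the original `verify none` on the DC servers with certificate verification, since `verify none` accepts any certificate the backend presents.

```haproxy
# Added example; names, addresses and paths are placeholders.
# Only one of the two frontends can own port 636: keep the variant that
# matches how TLS is meant to be handled and delete the other.

# ---- Variant A: HAProxy terminates TLS (the posted layout) ---------------
# With "ssl" on the bind line HAProxy decrypts the session itself, so the
# SNI is read with ssl_fc_sni. req.ssl_sni would never match here because
# it only parses a raw ClientHello in the request buffer.
frontend ldaps_frontend
    mode    tcp
    log     global
    option  tcplog
    bind    *:636 ssl crt /etc/ssl/private/hap/
    timeout client 60s
    # The TLS handshake completes before these rules are evaluated, so no
    # inspect-delay is needed in this variant.
    acl host_a ssl_fc_sni -i ldaps.a.example.com
    acl host_b ssl_fc_sni -i ldaps.b.example.com
    use_backend a_ldaps if host_a
    use_backend b_ldaps if host_b
    # A connection with an unknown or missing SNI (for example a client that
    # connects by IP address) matches nothing and is closed.

backend a_ldaps
    mode    tcp
    balance leastconn
    timeout server  60s
    timeout connect 60s
    # Re-encrypt towards the DC and verify its certificate chain and name;
    # "verify none" would let any host on the path impersonate the DC.
    server dc01 192.0.2.10:636 check check-ssl ssl verify required ca-file /etc/ssl/certs/domain-ca.pem sni str(dc01.a.example.com)
    server dc02 192.0.2.11:636 check check-ssl ssl verify required ca-file /etc/ssl/certs/domain-ca.pem sni str(dc02.a.example.com)

backend b_ldaps
    mode    tcp
    balance leastconn
    timeout server  60s
    timeout connect 60s
    server dc01 192.0.2.20:636 check check-ssl ssl verify required ca-file /etc/ssl/certs/domain-ca.pem sni str(dc01.b.example.com)

# ---- Variant B: TLS passthrough ------------------------------------------
# No "ssl" on the bind line: the client's TLS session ends on the DC and
# HAProxy never sees plaintext. It has to wait for the ClientHello and
# then read the SNI out of it with req.ssl_sni, the answerer's fetch.
frontend ldaps_passthrough
    mode    tcp
    log     global
    option  tcplog
    bind    *:636
    timeout client 60s
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend a_ldaps_pt if { req.ssl_sni -i ldaps.a.example.com }
    use_backend b_ldaps_pt if { req.ssl_sni -i ldaps.b.example.com }

backend a_ldaps_pt
    mode    tcp
    timeout server  60s
    timeout connect 60s
    # Plain TCP forwarding: the DC presents its own certificate, so that
    # certificate must carry the name the clients connect to.
    server dc01 192.0.2.10:636 check

backend b_ldaps_pt
    mode    tcp
    timeout server  60s
    timeout connect 60s
    server dc01 192.0.2.20:636 check
```

Validate either variant with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; that check is also where HAProxy reports that an ACL built on hdr() in a tcp-mode frontend will never match. To confirm that routing follows the SNI, connect with `openssl s_client -connect <proxy>:636 -servername ldaps.a.example.com` and check in the tcplog output which backend handled the connection; a client that connects by IP address sends no SNI and will be dropped, which is expected.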
