Serving LDAPS lookups over HAProxy, unable to bind in testing


Problem description

So I have a subdomain with a DC, and I'm trying to set up HAProxy for SSL termination. My problem is that HAProxy throws an error in LDP.exe when I try to connect and bind to ldaps.***tech.com:

Server error: <empty>
53 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
    {NtAuthIdentity: User='bh-test'; Pwd=<unavailable>; domain = '****tech.com'}
Error <81>: ldap_bind_s() failed: Server Down.
Server error: <empty>

I can ping the server fine, and port 636 is open and listening. I'm using the credentials of a user who has domain admin rights on that domain. The HAProxy server actually serves ACLs for two domains, and the other domain works just fine. Here is my haproxy.cfg:

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    maxconn 2048
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode    http
    option  httplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# Enabling HAProxy Stats
listen  stats
    bind    :8404
    mode    http
    log global
    maxconn 10
    stats enable
    stats refresh 30s
    stats show-node
    stats auth user:password
    stats uri  /haproxy?stats

# LDAPS
frontend ldaps_frontend
  mode                  tcp
  log                   global
  bind                  *:636 ssl crt /etc/ssl/private/hap/
  description           LDAPS Service
  option                tcplog
  option                logasap
  option                socket-stats
  option                tcpka
  timeout client        60s
  acl host_j hdr(host) -i j.com
  acl host_*** hdr(host) -i ***tech.com
  use_backend j_ldaps if host_j
  use_backend e*** if host_***

# Enzian Stuff
frontend https-in
  bind          *:443 ssl crt /etc/ssl/private/hap/
  mode          http
  description       ***Tech
  option        socket-stats
  default_backend   ***_https
  option        tcplog


backend j_ldaps
  mode          tcp
  balance       leastconn
  server                dc01 x.x.x.x:636 maxconn 100 check ssl fall 1 rise 1 inter 2s verify none check check-ssl
  server                dc02 x.x.x.x:636 maxconn 100 check ssl fall 1 rise 1 inter 2s verify none check check-ssl
  timeout server        60s
  timeout connect       60s
  option                tcpka
  option                tcp-check
  tcp-check             connect port 636 ssl
  tcp-check send-binary 300c0201 # LDAP bind request "<ROOT>" simple
  tcp-check send-binary 01 # message ID
  tcp-check send-binary 6007 # protocol Op
  tcp-check send-binary 0201 # bind request
  tcp-check send-binary 03 # LDAP v3
  tcp-check send-binary 04008000 # name, simple authentication
  tcp-check expect binary 0a0100 # bind response + result code: success
  tcp-check send-binary 30050201034200 # unbind request

backend ***
  mode          tcp
  balance       leastconn
#  server       dc01.***tech.com x.x.x.x:636 maxconn 100 check ssl fall 1 rise 1 inter 2s verify none check check-ssl
  server        dc02.***tech.com x.x.x.x:636 maxconn 100 check ssl fall 1 rise 1 inter 2s verify none check check-ssl
  timeout server    60s
  timeout connect   60s
  option        tcpka
  option        tcp-check
  tcp-check             connect port 636 ssl
  tcp-check send-binary 300c0201 # LDAP bind request "<ROOT>" simple
  tcp-check send-binary 01 # message ID
  tcp-check send-binary 6007 # protocol Op
  tcp-check send-binary 0201 # bind request
  tcp-check send-binary 03 # LDAP v3
  tcp-check send-binary 04008000 # name, simple authentication
  tcp-check expect binary 0a0100 # bind response + result code: success
  tcp-check send-binary 30050201034200 # unbind request

backend ***_https
  mode          http
  balance       leastconn
  server        subca02.***tech.com x.x.x.x:443 maxconn 100 check ssl fall 1 rise 1 inter 2s verify none check check-ssl
#  server       dc01.***tech.com x.x.x.x:636 maxconn 100 check ssl fall 1 rise 1 inter 2s verify none check check-ssl
  option        httpchk OPTIONS / HTTP/1.1

The credentials used have been double-checked, there is no local firewall on this DC and no firewall between the two hosts, so I'm fairly stumped. Any suggestions would be greatly appreciated!!

Answer

hdr(host) is for http workloads; with mode tcp it isn't sent.
hdr()

I would try to route with req.ssl_sni as described in How does the SNI Routing works in HAProxy and Enhanced SSL Load Balancing with Server Name Indication (SNI) TLS Extension.

Here is an untested snippet

frontend ldaps_frontend
  mode                  tcp
  log                   global
  bind                  *:636 ssl crt /etc/ssl/private/hap/
  description           LDAPS Service
  option                tcplog
  option                logasap
  option                socket-stats
  option                tcpka
  timeout client        60s

  # This bind line terminates TLS, so the request buffer holds decrypted LDAP,
  # not a ClientHello; req.ssl_sni parses the raw ClientHello and returns
  # nothing on a bind with "ssl". ssl_fc_sni returns the SNI HAProxy itself
  # negotiated. req.ssl_sni is for a passthrough bind without "ssl", where it
  # also needs "tcp-request inspect-delay" to wait for the ClientHello.
  acl host_j   ssl_fc_sni -i j.com
  acl host_*** ssl_fc_sni -i ***tech.com

  use_backend j_ldaps if host_j
  use_backend e*** if host_***
