
https reverse proxy and SSL certificates


#1 Simon Day


Posted 15 December 2016 - 09:16 AM

Well, we have an HTTP and an HTTPS reverse proxy configured on our F400 firewall. HTTP works fine but the HTTPS is causing us some issues. I've uploaded the SSL certificates to the reverse proxy (the complete chain, I think) and the key as well. Now we can hit it externally and it's opening the pages on the right web server with what appears to be an SSL green padlock. However, looking in Chrome and at the details, it's saying it's using an obsolete key exchange. Safari refuses to connect, saying it cannot establish a secure connection to the server. Internally it works on all devices and browsers, so it's the HTTPS reverse proxy that's causing the issue here.

To top it all off, trying to use Sage Pay for payments just completely fails and crashes the reverse proxy, so no external access is possible until we make a configuration change (any change in the reverse proxy, just add or remove an IP etc.) to bring it back to life and allow external access in again.

I've had Digicert looking at it and they say they can see nothing wrong with the SSL cert and site setup, but as of yet I'm still waiting for Barracuda to actually get back to me with anything useful. Anybody come across SSL issues using the reverse proxy service in the NG firewall?

 

Si



#2 Gavin Chappell


Posted 15 December 2016 - 12:30 PM

You can configure some security options on the SSL Settings page (the one above the page where you configured the reverse proxy targets in NG Admin). This allows you to enter a custom OpenSSL-format string to specify which TLS ciphers are accepted by the reverse proxy.

 

Crashing the reverse proxy seems unusual - Sage Pay is a cloud service I believe, so traffic going to Sage Pay shouldn't be going through your reverse proxy anyway?
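
As an added example (not part of the original post and not Barracuda's own tooling), this Python script expands an OpenSSL-format cipher string and groups the resulting suites by key exchange, so a string can be checked before it is entered into a proxy's SSL settings. It assumes static RSA key exchange is the kind a browser reports as obsolete; the thread does not say which suite was negotiated, and the sample strings are constructed.

```python
import ssl

# OpenSSL key-exchange labels, as returned in the "kea" field of get_ciphers().
EPHEMERAL_KEX = {"kx-ecdhe", "kx-dhe", "kx-any"}  # kx-any: TLS 1.3 suites (always ephemeral)
STATIC_RSA_KEX = "kx-rsa"                         # no forward secrecy


def audit(cipher_string):
    """Expand an OpenSSL cipher string with the local OpenSSL build and
    group the resulting suite names by key-exchange type."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches
    report = {"ephemeral": [], "static_rsa": [], "other": []}
    for suite in ctx.get_ciphers():
        kea = suite["kea"]
        if kea in EPHEMERAL_KEX:
            bucket = "ephemeral"
        elif kea == STATIC_RSA_KEX:
            bucket = "static_rsa"
        else:
            bucket = "other"  # e.g. PSK-based exchanges
        report[bucket].append(suite["name"])
    return report


# Constructed sample strings, not taken from the thread or from any vendor default.
SAMPLES = {
    "mixed": "ECDHE+AESGCM:AES128-GCM-SHA256:AES256-GCM-SHA384",
    "ephemeral only": "ECDHE+AESGCM",
}

if __name__ == "__main__":
    for label, cipher_string in SAMPLES.items():
        report = audit(cipher_string)
        print(f"{label}: {cipher_string}")
        for bucket, names in report.items():
            print(f"  {bucket:<10} {len(names):>2}  {', '.join(names)}")
```

The expansion reflects the OpenSSL build on the machine running the script, which may differ from the one on the firewall.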



#3 Simon Day


Posted 15 December 2016 - 12:38 PM

> You can configure some security options on the SSL Settings page (the one above the page where you configured the reverse proxy targets in NG Admin). This allows you to enter a custom OpenSSL-format string to specify which TLS ciphers are accepted by the reverse proxy.
>
> Crashing the reverse proxy seems unusual - Sage Pay is a cloud service I believe, so traffic going to Sage Pay shouldn't be going through your reverse proxy anyway?

 

The settings you refer to seem to be only available on forward proxy, as I looked at these for that very reason, thinking I needed to set the cipher level. Also, Sage Pay is trying to come back to us and confirm payment, and it's when they attempt to come in to do the SSL handshake that it blows up.



#4 dan


Posted 05 January 2017 - 11:41 AM

What type of reverse proxy? We use an OpenBSD reverse proxy with naxsi as our WAF, and everything works extremely well.



#5 Simon Day


Posted 05 January 2017 - 11:45 AM

It's the built-in Squid engine that the Barracuda comes with. Have had the support team looking at this now for nearly a month. After a firmware update the iOS and SSL issues have been resolved. However, the HTTP and HTTPS won't work together to proxy, which is annoying me and their tech team. It's a shame, as I had both working prior to them working on it, just the SSL issues on iOS devices, so a simple firmware update may have sorted out my issue and then all been working. But alas, with all the changes done now, it's not. The configuration is right according to the Barracuda tech team, so it's really confusing now.



#6 dan


Posted 05 January 2017 - 12:05 PM

In all honesty, I've never tried the built-in reverse proxy, preferring to use dedicated services for that stuff. If you're interested, I can send you info on how to test.