[SOLVED] SSL Issue with HAproxy

Need help? Post your questions here.

Moderator: moderators

[SOLVED] SSL Issue with HAproxy

Postby insann » Sat Nov 14, 2015 6:46 pm

Hi,
i got a bug to report and i need some help to fix it !
First :
Subsonic working fine (http)
Haproxy working fine , used as reverse proxy ( don't like apache2 )
both Apps are working on different machines !

what i want to do is :
{NET} HTTPS => HTTPS Frontend >[ HAPROXY ]> HTTP Backend=> [SUBSONIC] HTTP

so everything works fine at setting up Haproxy but after connecting to Subsonic with HTTPS,some pages don't show up. (nowPlaying.jsp)

and here a picture :
Image

And after going on Now playing :
Image

line of logs ( subsonic_sh.log ) ( does this may be the solutions error ? )
Code: Select all
[Fatal Error] :1183:73: XML document structures must start and end within the same entity.


thanks

Insann
Last edited by insann on Wed Jun 08, 2016 12:34 pm, edited 1 time in total.
insann
 
Posts: 39
Joined: Sat Nov 14, 2015 6:37 pm

Re: SSL Issue with HAproxy

Postby insann » Wed Nov 18, 2015 3:46 pm

I tryed with madsonic and its same probleme ! but madsonic has another blank page with settings !

HELP !
insann
 
Posts: 39
Joined: Sat Nov 14, 2015 6:37 pm

Re: SSL Issue with HAproxy

Postby insann » Sun Feb 14, 2016 4:00 pm

UP !!

The problem is that browser can't display mixed content if host aren't same ! ( using a VM )

i need some help plz !
insann
 
Posts: 39
Joined: Sat Nov 14, 2015 6:37 pm

Re: SSL Issue with HAproxy

Postby frnx » Tue Feb 16, 2016 10:47 pm

  • What OS are you using?
  • What version of Subsonic?

How about Nginx? On my server, location /subsonic { proxy_pass http://127.0.0.1:4040; } is almost all it takes for it to use the same TLS configuration as all my other web services. I doubt HAProxy is that much different, although I have never used it.

How about Tomcat or some other app container? They might be easier to configure, and AFAIK the Jetty web server that's currently bundled in Subsonic distributions is already using antiquated crypto that's raising those DH warnings all over the place.
frnx
 
Posts: 44
Joined: Sun May 31, 2015 8:30 pm

Re: SSL Issue with HAproxy

Postby insann » Wed Feb 17, 2016 3:21 pm

I'm Using Debian for the server : debian 8 - Java 8
Subsonic is latest Stable 5.3 contextpath /audio
and client config is : windows 7 Firefox ( but don't necessarily useful ! )

I think i could do with haproxy the same as nginx !
Yeah maybe rethinking to use tomcat ! but deb package are so practice !

i don't thinks using an other systeme may work for ssl : and i guess the only possible way is to add 1 more proxy reverse with nginx haproxy or apache on the subsonic VM and adding ssl here !

Looks like this then :
0.0.0.0 => haproxy (host) => haproxy ( Subsonic VM) => Subsonic Port

But i don't like putting many private keys on different place of my server and specially on a web app like subsonic ( no offense ) !

Thanks for help ^^

Insann
insann
 
Posts: 39
Joined: Sat Nov 14, 2015 6:37 pm

Re: SSL Issue with HAproxy

Postby djbon2112 » Sun Mar 27, 2016 6:16 pm

Hello!

I'm having this exact same problem. I'm using HAProxy as a front-end to handle SSL stripping and some URL redirection for my Subsonic 5.3 instance.

Subsonic is running on Debian Jessie with OpenJDK 7 in HTTP mode at the address: sub.i.domain.com:8080. The HAProxy is in the same network, and translates the public URL: https://media.domain.com/music

I have the SSL stripping (LetsEncrypt cert) and URL rewriting working with the following configs:

HAProxy:
Code: Select all
frontend front_media_443
    bind 10.0.0.2:443 ssl crt /etc/ssl/media.pem
    mode http
    acl url_sub path_beg /music
    use_backend back_sub-http if url_sub
backend back_sub-http
    mode http
    server sub.i.domain.com 10.9.0.3:8080 check


/etc/default/subsonic:
Code: Select all
SUBSONIC_ARGS="--max-memory=1792 --port=8080 --context-path=/music"


As mentioned this seems to work, and does in fact for a number of other services I'm running through the same HAProxy instance, but with Subsonic I'm getting different problems in different browsers.

In Firefox 44.0.2, I get warnings about mixed content, and the inner frame (i.e. where it says "Welcome to Subsonic!" on the home page) is blocked. However viewing the source, every script link is relative, so I'm not sure where the mixed content actually is? As soon as I disable the blocking, everything works perfectly. No errors are evident in either subsonic.log or subsonic_sh.log.

In Chrome 49, I get the same problem as described by OP: various pages don't show up. When first loading, the home page described above is blank, but a refresh loads it. As well, trying to visit the Settings page doesn't even work (the link never loads). I don't seem to get any explicit errors/blocking like I do in Firefox though. No errors are evident in either subsonic.log or subsonic_sh.log.

I suspect there is indeed something fishy going on within Subsonic when running in HTTP mode with an HTTPS proxy in front of it. Does anyone have any advice?
djbon2112
 
Posts: 4
Joined: Sun Jul 06, 2014 2:01 am

Re: SSL Issue with HAproxy

Postby djbon2112 » Mon Mar 28, 2016 7:09 pm

djbon2112 wrote:<snip> I suspect there is indeed something fishy going on within Subsonic when running in HTTP mode with an HTTPS proxy in front of it. Does anyone have any advice?


Checking further in FF, it seems like the entire inner page is being loaded as HTTP rather than HTTPS.

It seems like the best solution would be to have an option somewhere in Subsonic to specify "this is behind HTTPS" without actually enabling HTTPS (and hence requiring a cert, etc. installed on the Subsonic server), thus changing the internal links to their HTTPS version. Is that easily doable?

EDIT: I went through the source with my grep-fu looking for something obvious, but I don't see anything.
djbon2112
 
Posts: 4
Joined: Sun Jul 06, 2014 2:01 am

Re: SSL Issue with HAproxy

Postby djbon2112 » Sun Apr 17, 2016 5:35 pm

djbon2112 wrote:
djbon2112 wrote:<snip> I suspect there is indeed something fishy going on within Subsonic when running in HTTP mode with an HTTPS proxy in front of it. Does anyone have any advice?


Checking further in FF, it seems like the entire inner page is being loaded as HTTP rather than HTTPS.

It seems like the best solution would be to have an option somewhere in Subsonic to specify "this is behind HTTPS" without actually enabling HTTPS (and hence requiring a cert, etc. installed on the Subsonic server), thus changing the internal links to their HTTPS version. Is that easily doable?

EDIT: I went through the source with my grep-fu looking for something obvious, but I don't see anything.


Did even more searching in the source today and still turning up nothing. Are any devs able to comment on whether there's something in the source that could be set to take care of this (i.e. make Subsonic think it's all-HTTPS when just listening on HTTP)? In most webapps I've deployed there's an "external URL" option that the app takes as authoritative for what it's proper URL is, so that e.g. internal frames are loaded with the proper external URL; Subsonic has it's --context-path option, but could that perhaps be expanded into a full URL option? From my brief checks I'm not sure how feasible that would be.
djbon2112
 
Posts: 4
Joined: Sun Jul 06, 2014 2:01 am

Re: SSL Issue with HAproxy

Postby djbon2112 » Mon Apr 18, 2016 3:20 am

djbon2112 wrote:
djbon2112 wrote:
djbon2112 wrote:<snip> I suspect there is indeed something fishy going on within Subsonic when running in HTTP mode with an HTTPS proxy in front of it. Does anyone have any advice?


Checking further in FF, it seems like the entire inner page is being loaded as HTTP rather than HTTPS.

It seems like the best solution would be to have an option somewhere in Subsonic to specify "this is behind HTTPS" without actually enabling HTTPS (and hence requiring a cert, etc. installed on the Subsonic server), thus changing the internal links to their HTTPS version. Is that easily doable?

EDIT: I went through the source with my grep-fu looking for something obvious, but I don't see anything.


Did even more searching in the source today and still turning up nothing. Are any devs able to comment on whether there's something in the source that could be set to take care of this (i.e. make Subsonic think it's all-HTTPS when just listening on HTTP)? In most webapps I've deployed there's an "external URL" option that the app takes as authoritative for what it's proper URL is, so that e.g. internal frames are loaded with the proper external URL; Subsonic has it's --context-path option, but could that perhaps be expanded into a full URL option? From my brief checks I'm not sure how feasible that would be.


I ended up solving this in a bit of a roundabout way, but it seems to work.

In Subsonic, I changed it to listen on SSL on the same port (8080); no certificate specified. In HAProxy, I set the backend to use SSL with no certificate verification:

Code: Select all
backend back_sub-http
    mode http
    server sub.i.domain.net    10.9.0.3:8080 check ssl verify none


This means that the connection between HAProxy and Subsonic is using the invalid default Subsonic cert, but in my case I don't care since that traffic would be unencrypted in my previous configuration anyways. And my clients still see my valid SSL cert from the HAProxy frontend. I would still prefer proper support for this in the Subsonic backend, but for now I'm happy.
djbon2112
 
Posts: 4
Joined: Sun Jul 06, 2014 2:01 am


Return to Help

Who is online

Users browsing this forum: No registered users and 26 guests