HAProxy for offloading TLS [split by mod from 'Server hacked' topic]

@dicko, it sounds like you have HAProxy terminating TLS in front of unencrypted (TCP) SIP?

I was hoping to do the same, as I mention in the linked forum post, but was having an issue where the Contact Asterisk sends to initiate the second leg is…
“sip:NAME@DOMAIN:5061;transport=TCP”
My Linphone client then tries responding with TCP through HAProxy which breaks the call.

Do you have a workaround for this scenario? Or are you not using HAProxy in this way?

Also, I never thought of the strict-sni to stop IP:port scanning bots, thanks for that idea! I assume the following would work?

listen SIPS
    mode tcp
    bind :5061 ssl strict-sni crt /PATH/TO/CERT.PEM
    server SIP IP:5060

show us your frontend/backend stanzas

For HAProxy?

listen SIPS
    mode tcp
    bind :5061 ssl crt /PATH/TO/CERT.PEM
    server SIP IP:5060

use frontend/backend not listen, something like

frontend SIPS
    mode tcp
    bind *:5061 ssl strict-sni crt /etc/haproxy/certs/
    .
    .
    acl sips ssl_fc_sni sips.you.com
    use_backend sips if sips
    .
    .

and the backend

backend sips
    mode tcp
    server sips 127.0.0.1:5060
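The frontend/backend split above, written out as a complete haproxy.cfg. This is an added example, not configuration posted in the thread or shipped by HAProxy or FreePBX. The SNI name `sips.you.com`, the certificate directory `/etc/haproxy/certs/` and the backend address `127.0.0.1:5060` are the ones used in the post; the `global`/`defaults` sections, the TLS minimum version and cipher list, the timeouts, the catch-all `blackhole` backend and the server name `pbx` are assumptions added here.

```haproxy
# /etc/haproxy/haproxy.cfg -- example only, not from the thread
global
    log /dev/log local0
    # Assumed TLS floor for the SIPS listener (adjust to your client fleet)
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    # SIP/TCP connections are long-lived; REGISTER refreshes keep them busy,
    # so use a generous idle timeout (assumed value)
    timeout client 1h
    timeout server 1h

frontend sips
    # strict-sni: a ClientHello with no SNI, or an SNI that matches none of
    # the certificates loaded from the crt directory, fails the handshake.
    # A bot that found IP:5061 by scanning never receives a certificate
    # and never reaches the PBX behind us.
    bind *:5061 ssl strict-sni crt /etc/haproxy/certs/

    # Route only the hostname we actually serve; anything else goes to a
    # backend with no servers, which closes the connection.
    acl sips ssl_fc_sni -i sips.you.com
    use_backend sips if sips
    default_backend blackhole

backend sips
    # TLS ends in HAProxy; Asterisk receives plain TCP on 5060, which is why
    # its Contact header advertises transport=TCP rather than TLS.
    server pbx 127.0.0.1:5060 check

backend blackhole
    # Intentionally empty: no server, so unmatched SNI is dropped.
```

Check the syntax with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. To confirm strict-sni is doing its job, `openssl s_client -connect HOST:5061 -servername sips.you.com` should return the certificate, while `openssl s_client -connect HOST:5061 -noservername` (OpenSSL 1.1.1 or later; older s_client simply omits SNI when no `-servername` is given) should fail the handshake. Note that this example does nothing about the Contact header problem discussed in the thread; it only covers the TLS offload and SNI filtering.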

Sounds good. I think I got strict SNI pretty much working now.

Does your PBX behind HAProxy send out correct “Contact” headers? Mine sends sip:USER@IP:5061;transport=TCP, so my Linphone client doesn’t work as expected.
Thanks

I don’t use linphone, never had that problem

Ok, makes sense. Linphone is respecting the Contact Header, instead of just using the existing connection. I think Asterisk used the existing connection to send its INVITE because I have rewrite_contact=yes.

I guess I’ll try out a few different Softphones and see if any work with my current configuration. Thanks!
