This repository has been archived by the owner on Dec 7, 2020. It is now read-only.

buggy behaviour on ssl handshake fail with cloudflare #69

Closed
rvion opened this issue May 8, 2016 · 10 comments
Comments

rvion (Contributor) commented May 8, 2016

in my setup, ssl for both stuff.rvion.fr and keycloak-proxy.rvion is provided by cloudflare
(screenshot)

when I run keycloak-proxy with

    --discovery-url=https://auth.rvion.fr/auth/realms/master/.well-known/openid-configuration \
    --listen=:8443 \
    --client-id=stuff \
    --upstream-url=https://stuff.rvion.fr/ \
    --redirection-url=https://keycloak-proxy.rvion.fr:8443/ \
    --client-secret=plop \
    --resource="uri=/" \
    --secure-cookie=false \
    --encryption-key=AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j \
    --enable-refresh-tokens=true \
    --verbose=true

and when I contact https://keycloak-proxy.rvion.fr:8443/,

cloudflare error page "ssl handshake fail" appears and refresh every ~0.5 seconds

keycloak-proxy log says:

nothing

rvion changed the title from "keycloak-proxy doesn't work behind cloudflare proxy" to "buggy behaviour on ssl handshake fail with cloudflare" on May 8, 2016
rvion (Contributor, Author) commented May 8, 2016

adding --skip-upstream-tls-verify=true doesn't change anything either

rvion (Contributor, Author) commented May 8, 2016

actually, there seem to be several other errors related to cloudflare.

here is a minimal example.
I have 2 cloudflare dns entries:
(screenshot)
both point to the same ip, one has an "orange cloud" (that means it goes through the cloudflare proxy)

it does not work (ERR_CONNECTION_TIMED_OUT) with the one behind the cloudflare proxy

    --redirection-url=http://jk.rvion.fr:4000/ 

but it works great with the other

    --redirection-url=http://jk2.rvion.fr:4000/ 

rvion (Contributor, Author) commented May 8, 2016

@gambol99 tell me if I can help to solve this.
I can give you ssh access to a machine with 2 dns entries like in the picture above if it helps

gambol99 added the bug label on May 8, 2016
gambol99 self-assigned this on May 8, 2016

gambol99 (Contributor) commented May 8, 2016

admittedly it was never tested against a different domain for upstream .. I believe it could be related to golang/go#7618 ... I raised a PR #70

gambol99 (Contributor) commented May 9, 2016

@rvion .. did this fix the issue you're having?

rvion (Contributor, Author) commented May 9, 2016

I'll try later today asap

rvion (Contributor, Author) commented May 10, 2016

@gambol99 no, it's not solved

Let me recap my problem with my new findings:
(I may be doing something wrong)

setup

here are my dns entries as they appear on cloudflare

(screenshot)

(screenshot)

in reality, when the cloud is yellow, it means that cloudflare acts as an https reverse proxy with security layers, cdn features, ddos mitigation, etc.

(screenshot)

(here, we see that xxx is the ip of cloudflare)


on 128.199.43.105 (upstream-nocf, upstream-cf), I have a web-app
I can access it via

but not

because the ssl certificates come from the cloudflare proxy.


those work:

    --listen=:8080 \
    --upstream-url=http://upstream-nocf.rvion.fr/ \
    --redirection-url=http://keycloakproxy-nocf.rvion.fr:8080/ \

    --listen=:8080 \
    --upstream-url=http://upstream-cf.rvion.fr/ \
    --redirection-url=http://keycloakproxy-nocf.rvion.fr:8080/ \

    --listen=:8080 \
    --upstream-url=https://upstream-cf.rvion.fr/ \
    --redirection-url=http://keycloakproxy-nocf.rvion.fr:8080/ \

    --listen=:8080 \
    --upstream-url=http://upstream-nocf.rvion.fr/ \
    --redirection-url=http://keycloakproxy-cf.rvion.fr:8080/ \

but this fails

    --listen=:8443 \
    --upstream-url=http://upstream-nocf.rvion.fr/bin \
    --redirection-url=https://keycloakproxy-cf.rvion.fr:8443/ \

when I access https://keycloakproxy-cf.rvion.fr:8443/
I see the cloudflare page:

Error 525 - SSL handshake failed,

and the page refreshes itself twice per second.

I know that I didn't configure ssl termination on keycloak-proxy, but cloudflare should act as an https reverse proxy, and keycloak-proxy should see the redirection as if it was sent over http, am I wrong?

doc for the "flexible ssl" feature of cloudflare is here:
(screenshot)

Flexible SSL: secure connection between your visitor and CloudFlare, but no secure connection between CloudFlare and your web server. You don't need to have an SSL certificate on your web server, but your visitors still see the site as being HTTPS enabled. This option is not recommended if you have any sensitive information on your website. It should only be used as a last resort if you are not able to setup SSL on your own web server, but it is less secure than any other option (even “Off”), and could even cause you trouble when you decide to switch away from it:

cloudflare has an article about this very redirection cycle problem: https://support.cloudflare.com/hc/en-us/articles/203487280--How-do-I-fix-the-infinite-redirect-loop-error-after-enabling-Flexible-SSL-with-WordPress-

when this problem occurs,

nothing is printed on keycloak-proxy log

cloudflare website says:

It appears that the SSL configuration used is not compatible with CloudFlare. This could happen for a several reasons, including no shared cipher suites. Additional troubleshooting information here: https://support.cloudflare.com/hc/en-us/articles/200278659

https://support.cloudflare.com/hc/en-us/articles/200278659 says:

A 525 error states that the SSL handshake between CloudFlare and the origin server that hosts the domain failed. This means that CloudFlare is set to use Full SSL in the CloudFlare settings for the domain, so CloudFlare attempts to make a connection using SSL (for requests beginning in https://) to server that hosts the domain.

Likely reasons for this failure include:
The origin server does not support or is not configured properly for SNI.
The cipher suites that CloudFlare accepts and the cipher suites that the origin server uses do not match.
The origin server is not configured to use SSL and Full SSL is enabled in the CloudFlare settings.
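The redirect loop described in this comment (and in the Cloudflare article linked above) comes from an origin that decides "this request was plaintext, upgrade it" by looking only at its own socket. Behind a TLS-terminating proxy that socket is always plaintext, so the origin redirects to https, the proxy terminates the new TLS connection and forwards it as plaintext again, and the cycle repeats. The following Go program is an added illustration of that mechanism, written for this page; it is not keycloak-proxy's code and does not reproduce how that project builds its redirects. It assumes a hypothetical allow-list of proxy addresses (documentation ranges, not Cloudflare's real ones), a constructed host `app.example.com`, and that the proxy sends the visitor's scheme in `X-Forwarded-Proto`. It compares a naive handler that loops with one that reconstructs the external scheme, and shows why the forwarded header must only be trusted from a known proxy peer.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/url"
	"strings"
)

// Constructed allow-list of TLS-terminating proxy addresses. These are
// documentation ranges used as placeholders, not Cloudflare's real ranges.
var trustedProxies = mustParseCIDRs("203.0.113.0/24", "2001:db8::/32")

func mustParseCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// fromTrustedProxy reports whether the TCP peer is one of the trusted proxies.
func fromTrustedProxy(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range trustedProxies {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// externalScheme returns the scheme the visitor actually used. The
// X-Forwarded-Proto header is honoured only when the peer is a trusted
// proxy, so a client reaching the plaintext listener directly cannot
// claim to be on https.
func externalScheme(r *http.Request) string {
	if fromTrustedProxy(r.RemoteAddr) {
		first := strings.Split(r.Header.Get("X-Forwarded-Proto"), ",")[0]
		switch strings.ToLower(strings.TrimSpace(first)) {
		case "https":
			return "https"
		case "http":
			return "http"
		}
	}
	if r.TLS != nil {
		return "https"
	}
	return "http"
}

// naiveUpgrade decides from the local socket alone. Behind a TLS-terminating
// proxy that socket is always plaintext, so it redirects on every request.
func naiveUpgrade(r *http.Request) (string, bool) {
	if r.TLS != nil {
		return "", false
	}
	return "https://" + r.Host + r.URL.RequestURI(), true
}

// awareUpgrade decides from the reconstructed external scheme and stops
// redirecting once the visitor is already on https.
func awareUpgrade(r *http.Request) (string, bool) {
	if externalScheme(r) == "https" {
		return "", false
	}
	return "https://" + r.Host + r.URL.RequestURI(), true
}

// makeProxiedRequest builds the request the proxy would forward: always
// plaintext on the wire, with the visitor's scheme in X-Forwarded-Proto.
func makeProxiedRequest(remote, visitorScheme, host, path string) *http.Request {
	r, err := http.NewRequest(http.MethodGet, "http://"+host+path, nil)
	if err != nil {
		panic(err)
	}
	r.RemoteAddr = remote
	r.Header.Set("X-Forwarded-Proto", visitorScheme)
	return r
}

// countRedirects simulates a visitor following Location headers through the
// proxy, starting from a plain-http URL. It returns how many redirects the
// handler issued before it stopped, capped at maxHops.
func countRedirects(decide func(*http.Request) (string, bool), maxHops int) int {
	target := "http://app.example.com/login?next=%2F"
	for hops := 0; hops < maxHops; hops++ {
		u, err := url.Parse(target)
		if err != nil {
			panic(err)
		}
		r := makeProxiedRequest("203.0.113.5:4321", u.Scheme, u.Host, u.RequestURI())
		loc, redirected := decide(r)
		if !redirected {
			return hops
		}
		target = loc
	}
	return maxHops
}

func main() {
	fmt.Println("naive handler redirects:", countRedirects(naiveUpgrade, 10)) // 10 (loops until the cap)
	fmt.Println("aware handler redirects:", countRedirects(awareUpgrade, 10)) // 1
	spoof := makeProxiedRequest("198.51.100.9:5555", "https", "app.example.com", "/")
	fmt.Println("forwarded header from untrusted peer seen as:", externalScheme(spoof)) // http
}
```

The same reasoning applies to any URL the origin builds from its own listener, a login redirect included: if it is derived from the socket rather than from the proxy's forwarded scheme and host, it will disagree with what the visitor sees. The peer allow-list is the important part of the fix; honouring `X-Forwarded-Proto` from arbitrary clients would let anyone talking to the plaintext listener directly pretend the request arrived over TLS.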

rvion (Contributor, Author) commented May 10, 2016

maybe the fact I use port 8443 conflicts with the "flexible ssl" feature (https://support.cloudflare.com/hc/en-us/articles/200169156-Which-ports-will-CloudFlare-work-with-)
Indeed, maybe cloudflare thinks it has to talk to keycloak-proxy via https.

@gambol99 Maybe all this thread is just an XyProblem... all I wanted was to re-use the flexible ssl offered by cloudflare, and mix it with keycloak-proxy so I can secure my websites very easily

gambol99 (Contributor) commented

@rvion .. Admittedly, I never used cloudflare ... do you see traffic hit the proxy on the redirect or just curl -kv https://keycloakproxy-cf.rvion.fr:8443?, tcpdump? ... does CF perform any health checks on the upstream? perhaps a 307 would label the origin as down

rvion (Contributor, Author) commented May 14, 2016

I didn't see traffic hit the proxy on the redirect.
I don't have my setup right now, but I will report more information soon.
please, feel free to assign me so I won't forget to come back to you here
