Making Teleport's TLS routing/multiplexing work behind a HAProxy reverse proxy

[eric-belhomme]

On a public instance with a single IP address, I wanted to share HTTPS between an existing Apache HTTPd server, and Teleport auth/proxy services

As explained on the TLS routing it is possible to put a reverse proxy in front of Teleport that inspects TLS ClientHello messages in SNI to correctly split incoming traffic destined for Teleport's web interface or its other listeners apart from traffic destined for another upstream service - all without terminating TLS at any point, allowing Teleport to effectively coexist on port 443 with an existing reverse proxy.

This was already explained discussion #19093 using nginx and its stream mode, but I wanted to achieve the same results using HAProxy in tcp mode as a replacement of nginx.

Prerequisites

• A working Teleport cluster configured in TLS routing mode (config version: v2+ with proxy_listener_mode: multiplex)
• Trusted TLS configured for your cluster with a trusted certificate (i.e. from Let's Encrypt using certbot)
• haproxy
• anything that can serve HTTPS traffic (Apache, nginx, tomcat, or whatever) I'm using Apache with some VirtualHosts configured to serve some websites. The important fact is that this server will not bind on HTTPS port, but on an alternate port (in my case 9443/tcp)
• a well configured DNS for your zones, pointing on HAproxy IP address

Teleport configuration

This is a typical Teleport setup with auth and proxy services enabled for TLS multiplex:

teleport:
  log:
    output: stderr
    severity: INFO

auth_service:
  enabled: yes
  proxy_listener_mode: multiplex

ssh_service:
  enabled: yes

proxy_service:
  enabled: yes
  # if teleport is running on the same machine, this needs to be a non-443 port so you can redirect traffic from nginx to teleport

  listen_addr: 0.0.0.0:3023
  web_listen_addr: 0.0.0.0:3080
  # this is the address used to connect to your cluster from outside
  public_addr: teleport.example.com:443
  https_keypairs:
    - key_file: /etc/letsencrypt/live/teleport.example.com/privkey.pem
      cert_file: /etc/letsencrypt/live/teleport.example.com/fullchain.pem

HAProxy configuration

The HAProxy configuration is directly inspired from this HAProxy's blog article

frontend main
    bind *:443
    mode tcp
    option tcplog
    log global
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    default_backend back_ssl

backend back_ssl
    mode tcp
    option ssl-hello-chk

    # Teleport SNI's can end with your own domain name _or_ the internally used '*.teleport.cluster.local'
    acl is_teleport_sni_wc req_ssl_sni -m end -i teleport.example.com
    acl is_teleport_sni_cluster req_ssl_sni -m end -i teleport.cluster.local

    # we route to Teleport server if we found any SNI matching, 
    # otherwise apache server will be used
    use-server apache unless is_teleport_sni_wc || is_teleport_sni_cluster
    use-server teleport if is_teleport_sni_wc || is_teleport_sni_cluster
	
    server apache 127.0.0.1:9443 check
    server teleport 127.0.0.1:3080 check

[webvictim]

Thank you for the write-up!