How to proxy LDAP protocol with TLS termination #272

Open
brbcza opened this issue Nov 20, 2024 · 6 comments
Comments

@brbcza

brbcza commented Nov 20, 2024

Hi,
I am trying to create a reverse proxy for an OpenLDAP server with TLS termination. For testing I am using a self-signed certificate generated by Caddy.

My Caddyfile

{
    layer4 {
        127.0.0.1:636 {
            route {
                tls
                proxy {
                    upstream 127.0.0.1:389
                }
            }
        }
    }
}

127.0.0.1 {
    tls internal
}

According to the Wireshark log, the connection from the client is successfully terminated and proxied to the OpenLDAP server. The server sends a response back to Caddy, but it does not reach the client and the connection is closed by timeout.


@Fabbzz

Fabbzz commented Nov 21, 2024

I think I see the same issue on the IMAP 993 example at the moment, I believe.

Let's hope we can figure this out.

@brbcza brbcza changed the title How proxy LDAP protocol with TLS termination How to proxy LDAP protocol with TLS termination Nov 21, 2024
@Fabbzz

Fabbzz commented Nov 21, 2024

@mholt I'm investigating this but there is no way to log this, it seems. Any idea? Thanks!

@Fabbzz

Fabbzz commented Nov 23, 2024

@brbcza I might have a solution for you... disable TLS on the proxy when LDAP has its own. That is why it fails.

@brbcza
Author

brbcza commented Nov 24, 2024

I know that it is possible to turn on TLS directly in LDAP; that is what I am using now, with a self-signed certificate. But I wanted to manage certificates with Caddy and Let's Encrypt. Also, when I was testing caddy-l4, I had TLS turned off in LDAP.

@mohammed90
Collaborator

Can you enable debug logs by adding debug in the global options section and share the result?

@brbcza
Author

brbcza commented Nov 24, 2024

Here are the logs:

Logs from Caddy

{"level":"info","ts":1732470973.5458832,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1732470973.5465274,"logger":"http.auto_https","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"info","ts":1732470973.5465467,"logger":"http.auto_https","msg":"enabling automatic HTTP->HTTPS redirects","server_name":"srv0"}
{"level":"debug","ts":1732470973.5465677,"logger":"http.auto_https","msg":"adjusted config","tls":{"automation":{"policies":[{"subjects":["192.168.100.4"]},{}]}},"http":{"servers":{"remaining_auto_https_redirects":{"listen":[":80"],"routes":[{},{}]},"srv0":{"listen":[":443"],"routes":[{"terminal":true}],"tls_connection_policies":[{}],"automatic_https":{}}}}}
{"level":"debug","ts":1732470973.5468478,"logger":"layer4","msg":"listening","address":"tcp/[::]:1636"}
{"level":"info","ts":1732470973.5468748,"logger":"pki.ca.local","msg":"root certificate is already trusted by system","path":"storage:pki/authorities/local/root.crt"}
{"level":"info","ts":1732470973.546943,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"debug","ts":1732470973.5471196,"logger":"http","msg":"starting server loop","address":"[::]:443","tls":true,"http3":true}
{"level":"info","ts":1732470973.5471337,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"debug","ts":1732470973.5471706,"logger":"http","msg":"starting server loop","address":"[::]:80","tls":false,"http3":false}
{"level":"info","ts":1732470973.547176,"logger":"http.log","msg":"server running","name":"remaining_auto_https_redirects","protocols":["h1","h2","h3"]}
{"level":"info","ts":1732470973.5471792,"logger":"http","msg":"enabling automatic TLS certificate management","domains":["192.168.100.4"]}
{"level":"warn","ts":1732470973.5474794,"logger":"tls","msg":"stapling OCSP","error":"no OCSP stapling for [192.168.100.4]: no OCSP server specified in certificate","identifiers":["192.168.100.4"]}
{"level":"debug","ts":1732470973.5474975,"logger":"tls.cache","msg":"added certificate to cache","subjects":["192.168.100.4"],"expiration":1732490836,"managed":true,"issuer_key":"local","hash":"41d80818dbc4fd524b642696e85d481a3357e3e816c7173151c27c95fd3df1bf","cache_size":1,"cache_capacity":10000}
{"level":"debug","ts":1732470973.5475235,"logger":"events","msg":"event","name":"cached_managed_cert","id":"18d847aa-d132-47df-83c8-cd5a3aaac9d8","origin":"tls","data":{"sans":["192.168.100.4"]}}
{"level":"info","ts":1732470973.547692,"msg":"autosaved config (load with --resume flag)","file":"/root/.config/caddy/autosave.json"}
{"level":"info","ts":1732470973.5516477,"msg":"serving initial configuration"}
{"level":"info","ts":1732470973.5521896,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc0014b2d00"}
{"level":"info","ts":1732470973.5540688,"logger":"tls","msg":"storage cleaning happened too recently; skipping for now","storage":"FileStorage:/root/.local/share/caddy","instance":"281a3d4c-0493-4345-a6c3-7b7c85daa586","try_again":1732557373.554066,"try_again_in":86399.999999419}
{"level":"info","ts":1732470973.5541666,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"debug","ts":1732470984.1372976,"logger":"events","msg":"event","name":"tls_get_certificate","id":"37ab7908-b0ef-48e2-83c8-e0bdfdc0a9bd","origin":"tls","data":{"client_hello":{"CipherSuites":[4866,4865,4867,49196,49195,52393,49200,52392,49199,159,52394,163,158,162,49188,49192,49187,49191,107,106,103,64,49162,49172,49161,49171,57,56,51,50,157,156,61,60,53,47,255],"ServerName":"","SupportedCurves":[29,23,24,25,30,256,257,258,259,260],"SupportedPoints":"AA==","SignatureSchemes":[1027,1283,1539,2052,2053,2054,2057,2058,2059,1025,1281,1537,1026,771,769,770,515,513,514],"SupportedProtos":null,"SupportedVersions":[772,771],"RemoteAddr":{"IP":"10.0.0.35","Port":59910,"Zone":""},"LocalAddr":{"IP":"192.168.100.4","Port":1636,"Zone":""}}}}
{"level":"debug","ts":1732470984.1373634,"logger":"tls.handshake","msg":"choosing certificate","identifier":"192.168.100.4","num_choices":1}
{"level":"debug","ts":1732470984.1374068,"logger":"tls.handshake","msg":"default certificate selection results","identifier":"192.168.100.4","subjects":["192.168.100.4"],"managed":true,"issuer_key":"local","hash":"41d80818dbc4fd524b642696e85d481a3357e3e816c7173151c27c95fd3df1bf"}
{"level":"debug","ts":1732470984.1374128,"logger":"tls.handshake","msg":"matched certificate in cache","remote_ip":"10.0.0.35","remote_port":"59910","subjects":["192.168.100.4"],"managed":true,"expiration":1732490836,"hash":"41d80818dbc4fd524b642696e85d481a3357e3e816c7173151c27c95fd3df1bf"}
{"level":"debug","ts":1732470984.2082949,"logger":"layer4.handlers.tls","msg":"terminated TLS","remote":"10.0.0.35:59910","server_name":""}
{"level":"debug","ts":1732470984.209122,"logger":"layer4.handlers.proxy","msg":"dial upstream","remote":"10.0.0.35:59910","upstream":"192.168.100.5:389"}
{"level":"debug","ts":1732471014.1838555,"logger":"layer4","msg":"connection stats","remote":"10.0.0.35:59910","read":582,"written":1468,"duration":30.053291759}
{"level":"info","ts":1732471039.012831,"msg":"shutting down apps, then terminating","signal":"SIGTERM"}
{"level":"warn","ts":1732471039.013001,"msg":"exiting; byeee!! 👋","signal":"SIGTERM"}
{"level":"info","ts":1732471039.0130134,"logger":"http","msg":"servers shutting down with eternal grace period"}
{"level":"info","ts":1732471039.0132413,"logger":"admin","msg":"stopped previous server","address":"localhost:2019"}
{"level":"info","ts":1732471039.0132523,"msg":"shutdown complete","signal":"SIGTERM","exit_code":0}

Logs from OpenLDAP server

openldap  |  17:56:20.76 INFO  ==> ** Starting LDAP setup **
openldap  |  17:56:20.82 INFO  ==> Validating settings in LDAP_* env vars
openldap  |  17:56:20.83 INFO  ==> Initializing OpenLDAP...
openldap  |  17:56:20.85 INFO  ==> Using persisted data
openldap  |  17:56:20.86 INFO  ==> ** LDAP setup finished! **
openldap  | 
openldap  |  17:56:20.90 INFO  ==> ** Starting slapd **
openldap  | 674368c4.3743207b 0x7ad7835b3740 @(#) $OpenLDAP: slapd 2.6.7 (May 13 2024 16:20:35) $
openldap  |     @fd2dadcdc6ef:/bitnami/blacksmith-sandox/openldap-2.6.7/servers/slapd
openldap  | 674368c4.39e3d0ab 0x7ad7835b3740 slapd starting
openldap  | 674368c8.0c85031b 0x7ad7422006c0 conn=1000 fd=14 ACCEPT from IP=192.168.100.4:55782 (IP=0.0.0.0:389)
openldap  | 674368c8.0c8b17d1 0x7ad7418006c0 conn=1000 op=0 BIND dn="cn=admin,dc=ldap,dc=example,dc=com" method=128
openldap  | 674368c8.0c8dce33 0x7ad7418006c0 conn=1000 op=0 BIND dn="cn=admin,dc=ldap,dc=example,dc=com" mech=SIMPLE bind_ssf=0 ssf=0
openldap  | 674368c8.0c97b9f3 0x7ad7418006c0 conn=1000 op=0 RESULT tag=97 err=0 qtime=0.000040 etime=0.000950 text=
openldap  | 674368e6.0af45730 0x7ad7422006c0 conn=1000 fd=14 closed (connection lost)

IP Addresses of participants:

  • 192.168.100.5 - OpenLDAP server
  • 192.168.100.4 - Caddy
  • 10.0.0.35 - Client
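A small probe for the symptom described in this thread (bind request proxied through the TLS-terminating listener, slapd logging `RESULT tag=97 err=0`, but no reply reaching the client), added here as an example and not code from the issue or from caddy-l4. It hand-encodes an anonymous LDAP simple bind, sends it over TLS to the proxy, and reports whether a BindResponse (tag 97) came back before the timeout; the BER helpers, `probe_ldaps` and the sample response bytes are assumptions made for this example.

```python
import socket
import ssl

# Minimal BER/LDAP helpers written for this example (short-form lengths < 128 bytes suffice here).
def ber_int(n: int) -> bytes:
    # Non-negative INTEGER/ENUMERATED content; the spare byte keeps the sign bit clear.
    return n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big")

def tlv(tag: int, payload: bytes) -> bytes:
    assert len(payload) < 128, "short-form BER length only"
    return bytes([tag, len(payload)]) + payload

def read_tlv(buf: bytes, pos: int):
    tag, length = buf[pos], buf[pos + 1]
    assert length < 128, "short-form BER length only"
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def bind_request(msg_id: int, dn: str = "", password: str = "") -> bytes:
    # LDAPMessage { messageID, bindRequest [APPLICATION 0] { version 3, name, simple [0] } }
    op = tlv(0x02, ber_int(3)) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, ber_int(msg_id)) + tlv(0x60, op))

def parse_bind_response(data: bytes) -> dict:
    # LDAPMessage { messageID, bindResponse [APPLICATION 1] = tag 0x61 (97) { resultCode, matchedDN, diagnostic } }
    tag, msg, _ = read_tlv(data, 0)
    assert tag == 0x30, "not an LDAPMessage"
    _, mid, pos = read_tlv(msg, 0)
    tag, op, _ = read_tlv(msg, pos)
    assert tag == 0x61, f"expected BindResponse (tag 97), got {tag}"
    _, rc, pos = read_tlv(op, 0)
    _, matched, pos = read_tlv(op, pos)
    _, diag, _ = read_tlv(op, pos)
    return {"message_id": int.from_bytes(mid, "big"), "result_code": int.from_bytes(rc, "big"),
            "matched_dn": matched.decode(), "diagnostic": diag.decode()}

# Constructed sample: the success reply slapd logged as "RESULT tag=97 err=0", for message 1.
SAMPLE_BIND_RESPONSE = tlv(0x30, tlv(0x02, ber_int(1)) + tlv(0x61, tlv(0x0A, ber_int(0)) + tlv(0x04, b"") + tlv(0x04, b"")))

def probe_ldaps(host: str, port: int = 636, timeout: float = 5.0, verify: bool = True):
    """Anonymous simple bind over TLS; returns the parsed BindResponse, or None if none arrived in time."""
    ctx = ssl.create_default_context()
    if not verify:  # only for self-signed test certificates such as Caddy's internal CA
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(1))
            try:
                data = tls.recv(4096)
            except socket.timeout:  # the symptom in this issue: request proxied, reply never reaches the client
                return None
    return parse_bind_response(data) if data else None
```

Running `probe_ldaps("192.168.100.4", 1636, verify=False)` against the setup in the logs above would return `None` while the bug is present, and a dict with `result_code` 0 once replies flow back through the proxy.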
