You haven't told it to use SSL when talking to the servers listening on :4443. By default haproxy is going to use non-SSL TCP.
Add the `ssl` option to both of your `server` parameters.
http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.2-ssl

-Patrick

------------------------------------------------------------------------
*From: *m...@hawknetdesigns.com
*Sent: * 2014-02-14 16:21:02 E
*To: *haproxy@formilux.org
*Subject: *SSL load-balancing across multiple HAProxy instances

> Hi all,
>
> I'm working on a load-balanced instance using HAProxy, Varnish, and
> back-end web servers.
>
> I've successfully tested the new SSL termination feature using dev
> build 1.5-dev22-1a34d57 2014/02/03, and it works well, however, I want
> to load-balance the SSL terminal feature across more than 1 HAProxy
> instance like so:
>
> Main HAProxy instance on 192.168.1.5, secondary on 192.168.1.10
>
> Varnish servers on 192.168.1.20 and 192.168.1.30
>
> Previously, I was terminating SSL on the single active HAProxy
> (192.168.1.5), and speaking HTTP to the Varnish back-ends. This works
> well.
>
> What I'd like to do is
>
> Request comes in to HAProxy on port 443. Request is then load
> balanced to the two HAProxy servers in tcp mode to 192.168.1.5:4443
> and 192.168.1.10:4443 - maintaining SSL mode until it terminates at
> port 4443.
>
> An example config (just the relevant sections) would be this:
>
> listen ssl_relay
>     bind 192.168.1.5:443
>     mode tcp
>     option socket-stats
>     #option ssl-hello-chk
>     tcp-request inspect-delay 5s
>     tcp-request content accept if { req_ssl_hello_type 1 }
>     tcp-request content accept if { req_ssl_hello_type 1 }
>     default_backend test
>
> frontend incoming
>     bind 192.168.1.5:80
>     mode http
>     log global
>     option forwardfor
>     bind 192.168.1.5:4443 no-sslv3 ssl crt /certs/haproxy.pem crt /certs/ ciphers RC4-SHA:AES128-SHA:AES256-SHA
>     mode http
>     log global
>     option forwardfor
>     tcp-request inspect-delay 5s
>     tcp-request content accept if { req_ssl_hello_type 1 }
>
> backend test
>     mode tcp
>     balance roundrobin
>     # maximum SSL session ID length is 32 bytes.
>     stick-table type binary len 32 size 30k expire 30m
>
>     acl clienthello req_ssl_hello_type 1
>     acl serverhello rep_ssl_hello_type 2
>
>     # use tcp content accepts to detect ssl client and server hello.
>     tcp-request inspect-delay 5s
>     tcp-request content accept if clienthello
>
>     # no timeout on response inspect delay by default.
>     tcp-response content accept if serverhello
>
>     # SSL session ID (SSLID) may be present on a client or server hello.
>     # Its length is coded on 1 byte at offset 43 and its value starts
>     # at offset 44.
>
>     # Match and learn on request if client hello.
>     stick on payload_lv(43,1) if clienthello
>
>     # Learn on response if server hello.
>     stick store-response payload_lv(43,1) if serverhello
>
>     server test1 192.168.1.5:4443
>     server test2 192.168.1.10:4443
>
> http works, and I receive requests on port 443, but this is all I get
> from the HAProxy log:
>
> 00000000:ssl_relay.accept(0006)=0009 from [192.168.1.2:50496]
> 00000000:test.clireq[0009:ffffffff]:
> 00000000:test.clicls[0009:ffffffff]
> 00000000:test.closed[0009:ffffffff]
>
> It appears that HAProxy is not speaking or passing through SSL to the
> frontend on port 4443.
>
> curl -i https://192.168.1.5/
> curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
> protocol
>
> So... what am I missing?
>
> Cheers,
> -=Mark
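The stick rules in the quoted backend key on the TLS hello type and on the session ID whose 1-byte length sits at offset 43. The following Python is an added illustration (not from this thread or from HAProxy itself) that decodes exactly those fields from a constructed ClientHello, and returns None for a reply that is not a TLS handshake record at all, which is the situation curl reports as "unknown protocol".

```python
"""Decode the bytes that HAProxy's req_ssl_hello_type / rep_ssl_hello_type
ACLs and the payload_lv(43,1) stick rule inspect. Sample data is constructed
here, not captured from a real connection."""
import struct

TLS_HANDSHAKE = 0x16        # TLS record content type: handshake
CLIENT_HELLO = 1            # handshake message type, matches req_ssl_hello_type 1
SERVER_HELLO = 2            # handshake message type, matches rep_ssl_hello_type 2
# 5 (record header) + 4 (handshake header) + 2 (version) + 32 (random) = 43
SESSION_ID_LEN_OFFSET = 43


def hello_type(data: bytes):
    """1 for a ClientHello, 2 for a ServerHello, None if the bytes are not a
    TLS handshake record (e.g. a plaintext HTTP reply on the wire)."""
    if len(data) < 6 or data[0] != TLS_HANDSHAKE:
        return None
    return data[5] if data[5] in (CLIENT_HELLO, SERVER_HELLO) else None


def session_id(data: bytes):
    """Mirror payload_lv(43,1): 1-byte length at offset 43, value at 44..
    Returns b'' for a hello without a session ID, None if not a hello."""
    if hello_type(data) is None or len(data) <= SESSION_ID_LEN_OFFSET:
        return None
    n = data[SESSION_ID_LEN_OFFSET]
    value = data[SESSION_ID_LEN_OFFSET + 1:SESSION_ID_LEN_OFFSET + 1 + n]
    return value if len(value) == n else None   # None if the record is truncated


def build_client_hello(session: bytes, random32: bytes = b"\x11" * 32) -> bytes:
    """Construct a minimal TLS 1.0 ClientHello record (assumed sample input)."""
    body = (b"\x03\x01" + random32 + bytes([len(session)]) + session
            + b"\x00\x02\x00\x2f"    # cipher suites: one suite (AES128-SHA)
            + b"\x01\x00")           # compression methods: null only
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    record_header = bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake))
    return record_header + handshake


if __name__ == "__main__":
    hello = build_client_hello(bytes(range(32)))
    print("hello type:", hello_type(hello), "session id:", session_id(hello).hex())
    print("plaintext reply:", hello_type(b"HTTP/1.0 400 Bad request\r\n"))
```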