Hi, I read the news about Native SSL support on 1.5.1. version, so I said I need to try it out:-)
But either I don't understand how SSL backend should be configured or there is a mismatch on the expectations. I want HTTPS traffic to HAProxy to be loadbalanced to a backend without stripping put the SSL part, basically HAProxy will decode incoming request and encode it again on the way out to backend. My conf[1] is quite simple and HAProxy has support for SSL [2]. What I observe(using tcpdump) is that health checks are in SSL mode(SSL handshake followed by a HTTP request) but incoming request over HTTPS goes to backend without any SSL handshake which results to famous HTTP status error from nginx ----------------------- 400 Bad Request The plain HTTP request was sent to HTTPS port ----------------------- I changed mode to tcp on backend examplefe_s but then I realized that I wouldn't be able to have HTTP checks, am I right? Any ideas if what I try to achieve is possible? Cheers, Pavlos [1] global log 127.0.0.1 local2 debug chroot /var/lib/haproxy pidfile /var/run/haproxy.pid maxconn 100000 user haproxy group haproxy daemon # turn on stats unix socket stats socket /var/lib/haproxy/stats uid 0 gid 0 mode 0440 level admin process 1 # 2 Processes nbproc 2 # Process ID 1 goes to CPU 0 cpu-map 1 0 # Process ID 2 goes to CPU 1 cpu-map 2 1 # Don't verify servers certificates. ssl-server-verify none #--------------------------------------------------------------------- # common defaults that all the 'listen' and 'backend' sections will # use if not designated in their block #--------------------------------------------------------------------- defaults mode http log global option contstats option tcplog option dontlognull option tcp-smart-accept option tcp-smart-connect option http-keep-alive option redispatch balance roundrobin timeout http-request 15s timeout http-keep-alive 15s retries 2 timeout queue 1m timeout connect 10s timeout client 15s timeout server 15s timeout check 5s # TODO change that to HAProxySourceIP option forwardfor header F5SourceIP #--------------------------------------------------------------------- # built-in status webpage #--------------------------------------------------------------------- listen haproxy :8080 stats enable stats uri / stats show-node stats refresh 10s stats show-legends #--------------------------------------------------------------------- # frontends which proxy to the backends #--------------------------------------------------------------------- frontend main bind *:80 # CPU0 bind-process 1 default_backend examplefe frontend main_s bind *:443 ssl crt /etc/ssl/wildcard.foo.com.pem # CPU1 bind-process 2 default_backend examplefe_s #--------------------------------------------------------------------- # round robin balancing between the various backends #--------------------------------------------------------------------- backend examplefe default-server inter 10s option httpchk GET / HTTP/1.1\r\nHost:\ example.foo.com\r\nUser-Agent:\ HAProxy server examplefe-203.foo.com examplefe-203.foo.com:80 check disabled server examplefe-204.foo.com examplefe-204.foo.com:80 check disabled backend examplefe_s default-server inter 10s option httpchk GET / HTTP/1.1\r\nHost:\ example.foo.com\r\nUser-Agent:\ HAProxy server examplefe-203.foo.com examplefe-203.foo.com:443 check check-ssl server examplefe-204.foo.com examplefe-204.foo.com:443 check check-ssl disabled [2] haproxy -vv HA-Proxy version 1.5.1 2014/06/24 Copyright 2000-2014 Willy Tarreau <w...@1wt.eu> Build options : TARGET = linux2628 CPU = generic CC = gcc CFLAGS = OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1 Default settings : maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200 Encrypted password support via crypt(3): yes Built with zlib version : 1.2.3 Compression algorithms supported : identity, deflate, gzip Built with OpenSSL version : OpenSSL 1.0.0-fips 29 Mar 2010 Running on OpenSSL version : OpenSSL 1.0.0-fips 29 Mar 2010 OpenSSL library supports TLS extensions : yes OpenSSL library supports SNI : yes OpenSSL library supports prefer-server-ciphers : yes Built with PCRE version : 7.8 2008-09-05 PCRE library supports JIT : no (USE_PCRE_JIT not set) Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND Available polling systems : epoll : pref=300, test result OK poll : pref=200, test result OK select : pref=150, test result OK Total: 3 (3 usable), will use epoll.
signature.asc
Description: OpenPGP digital signature