Hi, I read the news about Native SSL support on 1.5.1. version, so I said I need to try it out:-)
But either I don't understand how SSL backend should be configured or
there is a mismatch on the expectations.
I want HTTPS traffic to HAProxy to be loadbalanced to a backend without
stripping put the SSL part, basically HAProxy will decode incoming
request and encode it again on the way out to backend.
My conf[1] is quite simple and HAProxy has support for SSL [2]. What I
observe(using tcpdump) is that health checks are in SSL mode(SSL
handshake followed by a HTTP request) but incoming request over HTTPS
goes to backend without any SSL handshake which results to famous HTTP
status error from nginx
-----------------------
400 Bad Request
The plain HTTP request was sent to HTTPS port
-----------------------
I changed mode to tcp on backend examplefe_s but then I realized that I
wouldn't be able to have HTTP checks, am I right?
Any ideas if what I try to achieve is possible?
Cheers,
Pavlos
[1]
global
log 127.0.0.1 local2 debug
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 100000
user haproxy
group haproxy
daemon
# turn on stats unix socket
stats socket /var/lib/haproxy/stats uid 0 gid 0 mode 0440 level
admin process 1
# 2 Processes
nbproc 2
# Process ID 1 goes to CPU 0
cpu-map 1 0
# Process ID 2 goes to CPU 1
cpu-map 2 1
# Don't verify servers certificates.
ssl-server-verify none
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
mode http
log global
option contstats
option tcplog
option dontlognull
option tcp-smart-accept
option tcp-smart-connect
option http-keep-alive
option redispatch
balance roundrobin
timeout http-request 15s
timeout http-keep-alive 15s
retries 2
timeout queue 1m
timeout connect 10s
timeout client 15s
timeout server 15s
timeout check 5s
# TODO change that to HAProxySourceIP
option forwardfor header F5SourceIP
#---------------------------------------------------------------------
# built-in status webpage
#---------------------------------------------------------------------
listen haproxy :8080
stats enable
stats uri /
stats show-node
stats refresh 10s
stats show-legends
#---------------------------------------------------------------------
# frontends which proxy to the backends
#---------------------------------------------------------------------
frontend main
bind *:80
# CPU0
bind-process 1
default_backend examplefe
frontend main_s
bind *:443 ssl crt /etc/ssl/wildcard.foo.com.pem
# CPU1
bind-process 2
default_backend examplefe_s
#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend examplefe
default-server inter 10s
option httpchk GET / HTTP/1.1\r\nHost:\
example.foo.com\r\nUser-Agent:\ HAProxy
server examplefe-203.foo.com examplefe-203.foo.com:80 check disabled
server examplefe-204.foo.com examplefe-204.foo.com:80 check disabled
backend examplefe_s
default-server inter 10s
option httpchk GET / HTTP/1.1\r\nHost:\
example.foo.com\r\nUser-Agent:\ HAProxy
server examplefe-203.foo.com examplefe-203.foo.com:443 check check-ssl
server examplefe-204.foo.com examplefe-204.foo.com:443 check
check-ssl disabled
[2]
haproxy -vv
HA-Proxy version 1.5.1 2014/06/24
Copyright 2000-2014 Willy Tarreau <w...@1wt.eu>
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS =
OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1
USE_PCRE=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.3
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.0-fips 29 Mar 2010
Running on OpenSSL version : OpenSSL 1.0.0-fips 29 Mar 2010
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 7.8 2008-09-05
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT
IPV6_TRANSPARENT IP_FREEBIND
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
signature.asc
Description: OpenPGP digital signature
