Hi,

I read the news about native SSL support in the 1.5.1 version, so I said I
need to try it out :-)

But either I don't understand how SSL backend should be configured or
there is a mismatch on the expectations.

I want HTTPS traffic to HAProxy to be load balanced to a backend without
stripping out the SSL part; basically HAProxy will decode the incoming
request and encode it again on the way out to the backend.

My conf [1] is quite simple and HAProxy has support for SSL [2]. What I
observe (using tcpdump) is that health checks are in SSL mode (SSL
handshake followed by an HTTP request), but an incoming request over HTTPS
goes to the backend without any SSL handshake, which results in the famous
HTTP status error from nginx:
-----------------------
400 Bad Request
The plain HTTP request was sent to HTTPS port
-----------------------

I changed the mode to tcp on backend examplefe_s, but then I realized that I
wouldn't be able to have HTTP checks; am I right?

Any ideas if what I try to achieve is possible?

Cheers,
Pavlos



[1]
global
    log         127.0.0.1 local2 debug

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     100000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats uid 0 gid 0 mode 0440 level admin process 1

    # 2 Processes
    nbproc 2
    # Process ID 1 goes to CPU 0
    cpu-map 1 0
    # Process ID 2 goes to CPU 1
    cpu-map 2 1

    # Don't verify servers certificates.
    ssl-server-verify none

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode    http
    log     global
    option  contstats
    option  tcplog
    option  dontlognull
    option  tcp-smart-accept
    option  tcp-smart-connect
    option  http-keep-alive
    option  redispatch
    balance roundrobin
    timeout http-request    15s
    timeout http-keep-alive 15s
    retries                 2
    timeout queue           1m
    timeout connect         10s
    timeout client          15s
    timeout server          15s
    timeout check           5s
    # TODO change that to HAProxySourceIP
    option forwardfor header F5SourceIP

#---------------------------------------------------------------------
# built-in status webpage
#---------------------------------------------------------------------
listen haproxy :8080
    stats enable
    stats uri /
    stats show-node
    stats refresh 10s
    stats show-legends

#---------------------------------------------------------------------
# frontends which proxy to the backends
#---------------------------------------------------------------------
frontend  main
    bind *:80
    # CPU0
    bind-process 1
    default_backend             examplefe
frontend  main_s
    bind *:443 ssl crt /etc/ssl/wildcard.foo.com.pem
    # CPU1
    bind-process 2
    default_backend             examplefe_s

#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend examplefe
    default-server inter 10s
    option httpchk GET / HTTP/1.1\r\nHost:\ example.foo.com\r\nUser-Agent:\ HAProxy
    server examplefe-203.foo.com examplefe-203.foo.com:80 check disabled
    server examplefe-204.foo.com examplefe-204.foo.com:80 check disabled

backend examplefe_s
    default-server inter 10s
    option httpchk GET / HTTP/1.1\r\nHost:\ example.foo.com\r\nUser-Agent:\ HAProxy
    server examplefe-203.foo.com examplefe-203.foo.com:443 check check-ssl
    server examplefe-204.foo.com examplefe-204.foo.com:443 check check-ssl disabled


[2]
haproxy -vv
HA-Proxy version 1.5.1 2014/06/24
Copyright 2000-2014 Willy Tarreau <w...@1wt.eu>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  =
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.3
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.0-fips 29 Mar 2010
Running on OpenSSL version : OpenSSL 1.0.0-fips 29 Mar 2010
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 7.8 2008-09-05
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

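The re-encrypting backend the message above is trying to build, as an added example that is not part of the original post and not HAProxy project code. In HAProxy 1.5 the server keyword check-ssl only wraps the health check in TLS; it is the ssl keyword on the server line that encrypts the proxied traffic, which is exactly the split the tcpdump observation describes (TLS handshake on the checks, plaintext on the real requests). The CA bundle path, the verified hostname and the extra TLS options below are assumptions for illustration; verify none is deliberately not used, because it accepts any certificate the backend presents and leaves the HAProxy-to-nginx hop open to an active attacker in the middle.

```haproxy
# Added example (not from the original message): HTTPS in, HTTPS out, HTTP health checks.
backend examplefe_s
    mode http
    default-server inter 10s
    option httpchk GET / HTTP/1.1\r\nHost:\ example.foo.com\r\nUser-Agent:\ HAProxy

    # "ssl" encrypts the proxied traffic to the server; this is the keyword the posted
    # config lacks. Once it is set, health checks are encrypted as well, so "check-ssl"
    # is only needed when checks use a different "port"/"addr" than the traffic.
    # "verify required" overrides the global "ssl-server-verify none". The ca-file path
    # and the verifyhost name are assumed values, not taken from the original message.
    server examplefe-203.foo.com examplefe-203.foo.com:443 check ssl verify required ca-file /etc/ssl/internal-ca.pem verifyhost example.foo.com no-sslv3

    # Same settings, kept out of the pool until enabled from the stats socket.
    server examplefe-204.foo.com examplefe-204.foo.com:443 check ssl verify required ca-file /etc/ssl/internal-ca.pem verifyhost example.foo.com no-sslv3 disabled
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; afterwards tcpdump on the backend side should show a TLS handshake for ordinary requests, not only for the checks. Note that option httpchk is also accepted in a mode tcp backend, but changing the mode does not by itself re-encrypt anything: without ssl on the server line the stream decrypted on the frontend is still forwarded to port 443 in clear, which is the request nginx rejects with 400.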