Hello Lukas,

Thanks for your reply. My additional information is inline below, in your 
quoted text.

> Am 17.10.2014 um 01:32 schrieb Lukas Tribus <luky...@hotmail.com>:
> 
> 
> Gonna need to see your configuration to be able to help you, especially ssl
> and http related parts.

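#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    log         127.0.0.1 local2 debug alert
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    # Process-wide connection ceiling; the 'maxconn 60000' in 'defaults'
    # is effectively capped by this value.
    maxconn     4096
    user        haproxy
    group       haproxy
    daemon
    nbproc      1

    # NOTE(review): the DH parameter size discussed in the thread is set
    # with 'tune.ssl.default-dh-param'; it is not set here, so the build
    # default applies.
    #
    # The cipher list below is ONE logical line (it was wrapped by the mail
    # client).  While it is commented out, every 'bind ... ssl' line without
    # its own 'ciphers' negotiates OpenSSL's built-in default list.  The
    # list itself still admits DES-CBC3-SHA, CAMELLIA and the bare AES
    # aliases, so review it rather than restoring it verbatim.
    #ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA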

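#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode        http
    log         global
    option      httplog
    option      logasap
    option      redispatch
    balance     roundrobin
    # All timeouts are in milliseconds.  (The 'connect' line is one logical
    # line; it was wrapped by the mail client.)
    timeout     connect 10000 # default 10 second time out if a backend is not found
    # 24 hours.  NOTE(review): idle client connections are held for a full
    # day on every frontend, so connection slots are reclaimed slowly; if the
    # long value exists for the WebSocket traffic, 'timeout tunnel' applies
    # only to upgraded connections and would let this one be much shorter.
    timeout     client 86400000
    timeout     server 300000
    timeout     queue 5000
    # Exceeds the global 'maxconn 4096', which remains the effective ceiling.
    maxconn     60000
    retries     3
    # Requests matching no 'use_backend' rule land in deny_backend.
    default_backend deny_backend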

#---------------------------------------------------------------------
# test configuration
#---------------------------------------------------------------------

# HTTPS entry point.  TLS is terminated here with the certificate/key
# bundle named on the bind line.  No per-bind 'ciphers' is active (both
# candidates below are commented out), so the OpenSSL default list is
# negotiated unless 'ssl-default-bind-ciphers' is set in 'global'.
frontend test1
        bind *:443 ssl crt /etc/pki/tls/certs/domain.com-haproxy.pem
        # Both commented cipher strings still include RC4; the second one
        # also excludes ECDH suites.  Neither is in effect as written.
        #ciphers HIGH:RC4-SHA:!ADH
        #ciphers AES:RC4:ALL:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:!ECDH
        # Adds a request header so the backends can tell the original
        # request arrived over HTTPS.
        reqadd X-Forwarded-Proto:\ https

        acl nourl        url      /
        acl baseurl      url      /java-app
        # Two ACL lines with the same name are OR-ed: a request is
        # 'is_websocket' if it carries an Upgrade: WebSocket header OR its
        # path starts with /java-app/r3.
        acl is_websocket hdr(Upgrade) -i WebSocket
        acl is_websocket path_beg /java-app/r3
        acl is_download  path_beg /java-app/
        acl admin_url    path_beg /admin
        # Admin access is decided purely on the client's source address.
        # NOTE(review): if another proxy (e.g. the stunnel setup mentioned
        # in the thread) sits in front of this listener, 'src' becomes that
        # proxy's address and this ACL no longer identifies the user.
        acl is_admin     src      192.168.1.0/24

        # NOTE(review): requests for "/" on the HTTPS listener are redirected
        # to a plain-http URL, so the follow-up request leaves TLS.
        redirect location http://www.domain.com/ if nourl
        redirect location https://test.domain.com/java-app/ if baseurl

        # Routing.  Anything matching none of these rules goes to the
        # 'default_backend' inherited from 'defaults' (deny_backend).
        use_backend test1_socket_backend   if is_websocket
        use_backend test1_website_backend  if is_download ! is_websocket
        use_backend private_monitoring     if is_admin admin_url


#-Backends------------------------------------------------------------

# Catch-all used as 'default_backend' in 'defaults': every request that
# reaches it is rejected by the reqideny rule; no server is defined.
backend deny_backend
        option httpclose
        reqideny .*

# Stats page, reachable only through the 'is_admin admin_url' rule of the
# frontend.  NOTE(review): there is no 'stats auth' here, so the
# source-address ACL in the frontend is the only access control on the
# stats interface.
backend private_monitoring
        stats enable
        stats uri     /admin?stats
        stats refresh 10s

# Test1
# Plain HTTP to the application; '<internal hostname>' is a placeholder
# substituted by the mail author.
backend test1_website_backend
        option httpclose
        server test1 <internal hostname>:8080

# Same server; the frontend routes 'is_websocket' traffic here.  The
# connection is deliberately not closed after the request, presumably so
# the upgraded connection survives — confirm against the application.
backend test1_socket_backend
        no option httpclose
        server test1 <internal hostname>:8080
#---------------------------------------------------------------------


—
Changing 
bind *:443 ssl crt /etc/pki/tls/certs/domain.com-haproxy.pem
to 
bind *:81
(and removing the https line next to it) makes it run with stunnel.


> 
> Out of the back of my mind I recall Java has problems with DHE ciphers
> when the dh size is more than 1024 bits. Could that be your case?

I had read about it somewhere and was aware of it (a known problem with Java 7). I 
tested with the default of 1024 bits but also tried other values. There was 
no change in behavior.

> 
> 
> Can you share a tcpdump capture of the failed handshake (don't forget -s0
> otherwise packets will be truncated).
> 



43 29.413080   <CLIENT>         <HAPROXY>            TCP      80     62199→443 [SYN] Seq=0 Win=65535 Len=0 MSS=1452 WS=16 TSval=666771533 TSecr=0 SACK_PERM=1
44 29.413184   <HAPROXY>            <CLIENT>         TCP      76     443→62199 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=1791798027 TSecr=666771533 WS=64
45 29.430494   <CLIENT>         <HAPROXY>            TCP      68     62199→443 [ACK] Seq=1 Ack=1 Win=132480 Len=0 TSval=666771557 TSecr=1791798027
46 29.435106   <CLIENT>         <HAPROXY>            SSLv2    213    Client Hello
47 29.440451   <HAPROXY>            <CLIENT>         TLSv1.2  1508   Server Hello
48 29.440473   <HAPROXY>            <CLIENT>         TLSv1.2  1134   Certificate
49 29.461553   <CLIENT>         <HAPROXY>            TCP      68     62199→443 [ACK] Seq=146 Ack=2507 Win=130000 Len=0 TSval=666771586 TSecr=1791798055
50 29.467494   <CLIENT>         <HAPROXY>            TCP      68     62199→443 [FIN, ACK] Seq=146 Ack=2507 Win=131072 Len=0 TSval=666771592 TSecr=1791798055
51 29.467675   <HAPROXY>            <CLIENT>         TCP      68     443→62199 [FIN, ACK] Seq=2507 Ack=147 Win=15552 Len=0 TSval=1791798082 TSecr=666771592
52 29.483925   <CLIENT>         <HAPROXY>            TCP      68     62199→443 [ACK] Seq=147 Ack=2508 Win=131072 Len=0 TSval=666771608 TSecr=1791798082

Thanks in advance for your help.

Best regards,
     Heiko 

---
Heiko Burghardt
IT Infrastructure


-- 


..............................................................
Riege Software International GmbH  Phone: +49 2159 91480
Mollsfeld 10                       Fax: +49 2159 914811
40670 Meerbusch                    Web: www.riege.com
Germany                            E-Mail: burgha...@riege.com
--                                 --
Commercial Register:               Managing Directors:
Amtsgericht Neuss HRB-NR 4207      Christian Riege
VAT Reg No.: DE120585842           Gabriele  Riege
                                   Johannes  Riege
                                   Tobias    Riege
..............................................................
           YOU CARE FOR FREIGHT, WE CARE FOR YOU          



