Hi Everyone,

I'm trying to set up an instance of haproxy v1.5.2 that will receive an SSL
connection and then proxy that connection back to a cluster of webservers
over HTTPS/HSTS like so:

   client==HTTPS/HSTS==>haproxy==HTTPS==>apache webservers

I have a configuration that I believe should work. However, I get a 502 Bad
Gateway error with my configuration. When I review the logs, it seems that
haproxy may be failing to include a hostname in the client request. Haproxy
is using a wildcard certificate for my domain. This makes me suspect that
this problem may be SNI or HSTS related.

Basically, what I'm trying to do is:
  dev.mydomain.de =TLS=> dev cluster
  test.mydomain.de =TLS=> test cluster
  [etc...]
With a trusted CA cert for *.mydomain.de.

Both the haproxy and the backend servers are using the *.mydomain.de
certificate. With no luck, I tried replacing that cert on the backend
servers with a cert that matched their IP (and told haproxy not to verify
it).

How can I configure haproxy to send the necessary server header and
properly use the wildcard certificate?

My current configuration looks something like this:

global
    daemon
    ssl-default-bind-ciphers (EFF recommended list)

defaults
    option      http-server-close
    option      redispatch
    [very generous timeout settings]

frontend dev-https
    bind        xxx.xxx.xxx.xxx:443 ssl crt [path to pem file]
    mode        http
    option      httplog clf
    option      forwardfor
    reqadd      X-Forwarded-Proto:\ https if { ssl_fc }
    default_backend dev-https-servers

backend dev-https-servers
    mode        http
    balance     roundrobin
    option      ssl-hello-chk
    stick-table type binary len 32 size 30k expire 30m

    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2

    tcp-request inspect-delay [generous timeout]
    tcp-request content accept if clienthello

    tcp-response content accept if serverhello
    stick on payload_lv(43,1) if clienthello
    stick store-response payload_lv(43,1) if serverhello

    # Server definitions
    server      devhttps1 xxx.xxx.xxx.xxx:443 weight 1 check
    [...]

Unfortunately, all of the documentation that I have been able to find
expects HTTP rather than HTTPS to be used on the backend. It's important
that I use HTTPS because I am unable to trust the connections between my
servers with my very sensitive data.

I am currently running haproxy in tcp mode, which works. But, I'd very much
like to switch to this double https model so that I can log client request
IPs and URLs without patching the kernel of my haproxy box.

I tried using the matching to route requests to different backends based on
the host in the request that is terminated by haproxy. But, I was not able
to get it to work. The documentation I was working from was using the words
"host" and "server" ambiguously when referring to them in the haproxy
config and in the actual web requests. So, I got very confused.

I would be extremely grateful if anyone could help me understand how to
properly configure my haproxy install to use HTTPS/HSTS in the way I am
trying to.


Thank you very much for reading,

   - Werner
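One way to build the terminate-and-re-encrypt layout described in the post, as an added example that is neither part of the original message nor a reply from the list: an haproxy 1.5-style configuration that terminates the client's TLS on the wildcard certificate, adds the HSTS header, routes on the decrypted request's Host header, and re-encrypts to the Apache servers while verifying their certificate instead of using "verify none". The certificate and CA paths, the health-check request and the test cluster's server names are assumptions; the xxx.xxx.xxx.xxx placeholders and the cipher-list placeholder are kept as in the post.

```haproxy
global
    daemon
    ssl-default-bind-ciphers (EFF recommended list)   # placeholder, as in the post

defaults
    mode    http
    option  http-server-close
    option  redispatch
    option  forwardfor
    option  httplog clf
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend https-in
    # Client TLS terminates here on the *.mydomain.de wildcard certificate (assumed path).
    bind xxx.xxx.xxx.xxx:443 ssl crt /etc/haproxy/certs/wildcard.mydomain.de.pem
    reqadd X-Forwarded-Proto:\ https if { ssl_fc }
    # HSTS is a response header the edge adds; one-year max-age is an assumed policy.
    rspadd Strict-Transport-Security:\ max-age=31536000

    # Route on the Host header of the decrypted request. The client's SNI name is
    # also available as ssl_fc_sni, but Host is what the Apache vhosts will see.
    acl host_dev  hdr(host) -i dev.mydomain.de
    acl host_test hdr(host) -i test.mydomain.de
    use_backend dev-cluster  if host_dev
    use_backend test-cluster if host_test
    default_backend dev-cluster

backend dev-cluster
    balance roundrobin
    # Health check over the same TLS connection; path and Host are assumptions.
    option httpchk HEAD / HTTP/1.1\r\nHost:\ dev.mydomain.de
    # "ssl" re-encrypts to the origin; "verify required" plus a ca-file that
    # contains the CA which signed the wildcard cert makes haproxy reject a
    # backend that presents any other certificate (assumed CA bundle path).
    server devhttps1 xxx.xxx.xxx.xxx:443 ssl verify required ca-file /etc/ssl/certs/ca-bundle.crt weight 1 check
    server devhttps2 xxx.xxx.xxx.xxx:443 ssl verify required ca-file /etc/ssl/certs/ca-bundle.crt weight 1 check

backend test-cluster
    balance roundrobin
    option httpchk HEAD / HTTP/1.1\r\nHost:\ test.mydomain.de
    server testhttps1 xxx.xxx.xxx.xxx:443 ssl verify required ca-file /etc/ssl/certs/ca-bundle.crt weight 1 check
```

The ssl-hello / stick-table block from the post belongs to a TCP-mode passthrough setup and is dropped here because haproxy now terminates TLS itself. As far as I know, the 1.5 series does not send SNI on server-side connections (the "sni" server keyword arrived later), so the Apache side should present the wildcard certificate on its default SSL vhost and select vhosts by the forwarded Host header.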
