Hi Peter,

On 23/08/2017 00:48, Keresztes Péter-Zoltán wrote:
> Hello,
>
> I am trying to set up haproxy with two-way authentication. While the frontend looks good, one of the backends is giving me headaches with SSL handshake failures. Here is how the frontends and backends look:
>
>     frontend http-in
>         bind 69.64.57.197:80
>         redirect scheme https code 301 if !{ ssl_fc }
>
>     frontend https-in
>         bind 10.0.0.2:443 ssl crt /etc/ssl/certs/veracityid.com.crt
>         mode http
>         acl client_ssl path_beg /service/ws
>         use_backend test_client_ssl if client_ssl
>         default_backend test_all
>
>     backend test_all
>         mode http
>         balance leastconn
>         timeout connect 1s
>         timeout server 300s
>         timeout queue 30s
>         option redispatch
>         retries 3
>         cookie rc_cookie_vers insert indirect nocache secure
>         server usloft4778 192.168.0.1:8080 cookie rc_cookie_vers check inter 1000 fastinter 500 rise 2 fall 1
>         server loft10179 192.168.0.2:8080 cookie rc_cookie_vers check inter 1000 fastinter 500 rise 2 fall 1
>
>     backend test_client_ssl
>         mode http
>         balance leastconn
>         timeout connect 1s
>         timeout server 300s
>         timeout queue 30s
>         option httpchk GET "/service/ws" "HTTP/1.0"
>         cookie rc_cookie_vers insert indirect nocache secure
>         server usloft4778 192.168.0.1:8080 ssl verify required ca-file /etc/ssl/certs/ca_full.crt crt /etc/ssl/certs/client.crt
>         server loft10179 192.168.0.2:8080 ssl verify required ca-file /etc/ssl/certs/ca_full.crt crt /etc/ssl/certs/client.crt
You are using the same server:port for both HTTP and HTTPS backends. I doubt those backends are able to speak HTTP and HTTPS on the same port.

Not sure what you are trying to achieve, but the config you sent means that you want:
- to connect to the backend in HTTP mode if the path does not begin with /service/ws
- to connect to the backend in HTTPS mode + client verification if the path begins with /service/ws

Not sure what you are trying to do though:
1. two-way auth between client and HAProxy?
2. two-way auth between HAProxy and backend servers?

For the first one, you'll have to configure that in the frontend (https://www.haproxy.com/blog/ssl-client-certificate-management-at-application-level/).
For the second one, you'll probably have to check the ports you used between HAProxy and your backends.
> Any suggestions to make this work?
>
> Thanks in advance,
> Peter
Hope this helps,
Yann
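A configuration that keeps the two legs Yann distinguishes apart, added here as an example and not taken from Peter's mail or from HAProxy's own documentation. It assumes the application servers expose a TLS listener on a dedicated port 8443 (a constructed value) next to plain HTTP on 8080; the certificate paths are the ones from Peter's config and stand in for whatever is actually deployed.

```haproxy
# Added example, not Peter's config and not an HAProxy-project sample.
# Assumed: the application servers speak TLS on port 8443 (constructed value)
# and plain HTTP on 8080; certificate paths are taken from Peter's mail.

defaults
    mode http
    timeout connect 1s
    timeout client 30s
    timeout server 300s

frontend http-in
    bind 69.64.57.197:80
    redirect scheme https code 301 if !{ ssl_fc }

# Leg 1: client <-> HAProxy. The client certificate is requested and verified
# on the bind line; "optional" lets paths outside /service/ws work without one.
frontend https-in
    bind 10.0.0.2:443 ssl crt /etc/ssl/certs/veracityid.com.crt ca-file /etc/ssl/certs/ca_full.crt verify optional
    acl client_ssl path_beg /service/ws
    # ssl_c_used is true only when a client certificate was presented and
    # accepted during the handshake, so /service/ws is refused without one
    http-request deny if client_ssl !{ ssl_c_used }
    use_backend test_client_ssl if client_ssl
    default_backend test_all

# Plain HTTP to the application port.
backend test_all
    balance leastconn
    server usloft4778 192.168.0.1:8080 check
    server loft10179 192.168.0.2:8080 check

# Leg 2: HAProxy <-> backend. HAProxy presents client.crt and verifies the
# server against ca_full.crt; this only works on a port where the server
# actually terminates TLS, which is why 8080 is not reused here.
backend test_client_ssl
    balance leastconn
    option httpchk GET /service/ws HTTP/1.0
    server usloft4778 192.168.0.1:8443 ssl verify required ca-file /etc/ssl/certs/ca_full.crt crt /etc/ssl/certs/client.crt check
    server loft10179 192.168.0.2:8443 ssl verify required ca-file /etc/ssl/certs/ca_full.crt crt /etc/ssl/certs/client.crt check
```

Running `haproxy -c -f` on the file checks the syntax only; whether 192.168.0.x:8443 really completes a TLS handshake with the expected chain is what `openssl s_client -connect 192.168.0.1:8443 -CAfile /etc/ssl/certs/ca_full.crt -cert /etc/ssl/certs/client.crt` will tell you.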

