RE: https with haproxy

[Rezhna Hoshyar]

Dear,

Thanks a lot for your reply which I followed and produced the following:

[root@haproxy ~]# ll /etc/haproxy/certs/
total 88
-rw-r--r-- 1 root root 1960 Sep  3 00:46 ca2.crt
-rw-r--r-- 1 root root 3243 Sep  3 00:46 ca2.key
-rw-r--r-- 1 root root 1048 Sep  3 00:46 ca_crl.pem
-rw-r--r-- 1 root root 2029 Sep  3 00:46 ca.crt
-rw-r--r-- 1 root root 3243 Sep  3 00:46 ca.key
-rw-r--r-- 1 root root 3989 Sep  3 00:46 ca.pem
-rw-r--r-- 1 root root 1342 Sep  3 00:46 client1.crt
-rw-r--r-- 1 root root  660 Sep  3 00:46 client1.csr
-rw-r--r-- 1 root root  887 Sep  3 00:46 client1.key
-rw-r--r-- 1 root root 1342 Sep  3 00:46 client2.crt
-rw-r--r-- 1 root root  660 Sep  3 00:46 client2.csr
-rw-r--r-- 1 root root  887 Sep  3 00:46 client2.key
-rw-r--r-- 1 root root 1306 Sep  3 00:46 client_company.crt
-rw-r--r-- 1 root root  660 Sep  3 00:46 client_company.csr
-rw-r--r-- 1 root root  887 Sep  3 00:46 client_company.key
-rw-r--r-- 1 root root 1342 Sep  3 00:46 client_expired.crt
-rw-r--r-- 1 root root  660 Sep  3 00:46 client_expired.csr
-rw-r--r-- 1 root root  887 Sep  3 00:46 client_expired.key
-rw-r--r-- 1 root root 1342 Sep  3 00:46 server.crt
-rw-r--r-- 1 root root  660 Sep  3 00:46 server.csr
-rw-r--r-- 1 root root  891 Sep  3 00:46 server.key
-rw-r--r-- 1 root root 2233 Sep  3 00:46 server.pem

But when I restarted the haproxy , I got the following error:

[root@haproxy haproxy]# service haproxy restart
[ALERT] 245/025407 (2270) : parsing [/etc/haproxy/haproxy.cfg:71] : 'bind 
*:443' : unable to load SSL private key from PEM file 
'/etc/haproxy/certs/ca_crl.pem'.
[ALERT] 245/025407 (2270) : Error(s) found in configuration file : 
/etc/haproxy/haproxy.cfg
[ALERT] 245/025407 (2270) : Proxy 'https_frontend': no SSL certificate 
specified for bind '*:443' at [/etc/haproxy/haproxy.cfg:71] (use 'crt').
[ALERT] 245/025407 (2270) : Fatal errors found in configuration.
Errors in configuration file, check with haproxy check.

Thanks for your help my friend

Rezhna 

-Original Message-
From: Baptiste [mailto:bed...@gmail.com] 
Sent: Monday, September 2, 2013 10:41 PM
To: Nick Jennings
Cc: Rezhna Hoshyar; Lukas Tribus; haproxy@formilux.org
Subject: Re: https with haproxy

Rezhna,

You can start with a script I used when I wrote some blog articles about 
HAProxy and SSL:
https://github.com/exceliance/haproxy/tree/master/blog/ssl_client_certificate_management_at_application_level

You'll be able to generate selfsigned certificates.

Good luck,
Baptiste



On Mon, Sep 2, 2013 at 2:59 PM, Nick Jennings  wrote:
> http://www.startssl.com
>
>
>
> On Mon, Sep 2, 2013 at 2:51 PM, Rezhna Hoshyar 
> 
> wrote:
>>
>> Dear,
>>
>> Could you please tell me how I can get free ssl certificate as I 
>> tried many ways mentioned on Internet , but none of them were useful
>>
>> Rezhna
>>
>> -Original Message-
>> From: Baptiste [mailto:bed...@gmail.com]
>> Sent: Sunday, September 1, 2013 9:44 PM
>> To: Rezhna Hoshyar
>> Cc: Lukas Tribus; haproxy@formilux.org
>> Subject: Re: https with haproxy
>>
>> Hi Rezhna,
>>
>> Use the "http-request redirect scheme" to do this, as example:
>> http-request redirect scheme https if ! { ssl_fc }
>>
>> It will force HTTPs whatever the hostname is.
>> As Lukas stated, you have to own the certificate and the frontend / 
>> backend must be in mode http.
>>
>> Baptiste
>>
>>
>>
>> On Sun, Sep 1, 2013 at 4:56 PM, Rezhna Hoshyar 
>> 
>> wrote:
>> >
>> > Hi,
>> >
>> > Actually we want to apply it for our company web sites.
>> >
>> > Rezhna
>> >
>> > -Original Message-
>> > From: Lukas Tribus [mailto:luky...@hotmail.com]
>> > Sent: Sunday, September 1, 2013 5:44 PM
>> > To: Rezhna Hoshyar
>> > Cc: haproxy@formilux.org
>> > Subject: RE: https with haproxy
>> >
>> > Hi,
>> >
>> >> My question is about how to use https with haproxy , not avoiding it.
>> >
>> > Compile haproxy 1.5 with SSL support and enable it. You can find 
>> > details in doc/ and some generic examples in examples/.
>> >
>> >
>> >
>> >> I can use haproxy to redirect http://google.com to 
>> >> http://yahoo.com, but I cannot do that with https://google.com.
>> >
>> > Well, do you have a certificate for google.com (or whatever website 
>> > you need to redirect)? You cannot do this without a valid 
>> > certificate, otherwise HTTPS would not make any sense.
>> >
>> >
>> >
>> > Regards,
>> >
>> > Lukas
>> >
>> > --
>> > This message has been scanned for viruses and dangerous content by 
>> > MailScanner, and is believed to be clean.
>> >
>> >
>>
>> --
>> This message has been scanned for viruses and dangerous content by 
>> MailScanner, and is believed to be clean.
>>
>>
>

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

RE: https with haproxy

[Rezhna Hoshyar]

Dear,

Could you please tell me how I can get free ssl certificate as I tried many 
ways mentioned on Internet , but none of them were useful

Rezhna 

-Original Message-
From: Baptiste [mailto:bed...@gmail.com] 
Sent: Sunday, September 1, 2013 9:44 PM
To: Rezhna Hoshyar
Cc: Lukas Tribus; haproxy@formilux.org
Subject: Re: https with haproxy

Hi Rezhna,

Use the "http-request redirect scheme" to do this, as example:
http-request redirect scheme https if ! { ssl_fc }

It will force HTTPs whatever the hostname is.
As Lukas stated, you have to own the certificate and the frontend / backend 
must be in mode http.

Baptiste



On Sun, Sep 1, 2013 at 4:56 PM, Rezhna Hoshyar  wrote:
>
> Hi,
>
> Actually we want to apply it for our company web sites.
>
> Rezhna
>
> -Original Message-
> From: Lukas Tribus [mailto:luky...@hotmail.com]
> Sent: Sunday, September 1, 2013 5:44 PM
> To: Rezhna Hoshyar
> Cc: haproxy@formilux.org
> Subject: RE: https with haproxy
>
> Hi,
>
>> My question is about how to use https with haproxy , not avoiding it.
>
> Compile haproxy 1.5 with SSL support and enable it. You can find details in 
> doc/ and some generic examples in examples/.
>
>
>
>> I can use haproxy to redirect http://google.com to http://yahoo.com, 
>> but I cannot do that with https://google.com.
>
> Well, do you have a certificate for google.com (or whatever website you need 
> to redirect)? You cannot do this without a valid certificate, otherwise HTTPS 
> would not make any sense.
>
>
>
> Regards,
>
> Lukas
>
> --
> This message has been scanned for viruses and dangerous content by 
> MailScanner, and is believed to be clean.
>
>

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

RE: https with haproxy

[Rezhna Hoshyar]

Hi,

Actually we want to apply it for our company web sites.

Rezhna 

-Original Message-
From: Lukas Tribus [mailto:luky...@hotmail.com] 
Sent: Sunday, September 1, 2013 5:44 PM
To: Rezhna Hoshyar
Cc: haproxy@formilux.org
Subject: RE: https with haproxy

Hi,

> My question is about how to use https with haproxy , not avoiding it.

Compile haproxy 1.5 with SSL support and enable it. You can find details in 
doc/ and some generic examples in examples/.



> I can use haproxy to redirect http://google.com to http://yahoo.com, 
> but I cannot do that with https://google.com.

Well, do you have a certificate for google.com (or whatever website you need to 
redirect)? You cannot do this without a valid certificate, otherwise HTTPS 
would not make any sense.



Regards,

Lukas 

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

RE: https with haproxy

[Rezhna Hoshyar]

Dear,

Thanks for your reply.
My question is about how to use https with haproxy , not avoiding it. for 
example: , I can use haproxy to redirect http://google.com to http://yahoo.com  
, but I cannot do that with https://google.com.
I tried to do that with mode tcp but it did not work also.

Rezhna 
-Original Message-
From: Lukas Tribus [mailto:luky...@hotmail.com] 
Sent: Sunday, September 1, 2013 1:36 PM
To: Rezhna Hoshyar
Cc: haproxy@formilux.org
Subject: RE: https with haproxy

Hi Rezhna,

> I am the Linux Administrator of Fanoos Telec company in Iraq and I am 
> planning to use haproxy as proxy - load balancer in our company , but 
> the problem is I cannot use it with (https) just http so could you 
> please help me with this issue?

If I understand correctly, your question is howto avoid https with HAProxy?

Thats simple: don't compile ith with SSL support and don't use the ssl keywords 
in the configuration.

Better yet: use 1.4 stable, it has no SSL support at all.



Regards,

Lukas 

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

https with haproxy

[Rezhna Hoshyar]

Dear,

I am the Linux Administrator of Fanoos Telec company in Iraq and I am planning 
to use haproxy as proxy - load balancer in our company , but the problem is I 
cannot use it with (https) just http so could you please help me with this 
issue?

Rezhna

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.