Re: https with haproxy

2013-09-06 Thread Willy Tarreau
On Tue, Sep 03, 2013 at 02:55:43PM +0200, Baptiste wrote:
> Hi,
> 
> Providing your configuration would help.
> It seems you forgot to load certificates in your haproxy configuration.

Clearly. I think that we should improve the SSL error messages now to give
hints about what goes wrong and the possible reasons. SSL is already complex
enough, it's so easy to get wrong that we could reduce the number of such
questions by this.

Willy




Re: https with haproxy

2013-09-03 Thread Baptiste
Hi,

Providing your configuration would help.
It seems you forgot to load certificates in your haproxy configuration.

Baptiste

On Tue, Sep 3, 2013 at 12:03 PM, Rezhna Hoshyar wrote:
> Dear,
>
> Thanks a lot for your reply which I followed and produced the following:
>
> [root@haproxy ~]# ll /etc/haproxy/certs/
> total 88
> -rw-r--r-- 1 root root 1960 Sep  3 00:46 ca2.crt
> -rw-r--r-- 1 root root 3243 Sep  3 00:46 ca2.key
> -rw-r--r-- 1 root root 1048 Sep  3 00:46 ca_crl.pem
> -rw-r--r-- 1 root root 2029 Sep  3 00:46 ca.crt
> -rw-r--r-- 1 root root 3243 Sep  3 00:46 ca.key
> -rw-r--r-- 1 root root 3989 Sep  3 00:46 ca.pem
> -rw-r--r-- 1 root root 1342 Sep  3 00:46 client1.crt
> -rw-r--r-- 1 root root  660 Sep  3 00:46 client1.csr
> -rw-r--r-- 1 root root  887 Sep  3 00:46 client1.key
> -rw-r--r-- 1 root root 1342 Sep  3 00:46 client2.crt
> -rw-r--r-- 1 root root  660 Sep  3 00:46 client2.csr
> -rw-r--r-- 1 root root  887 Sep  3 00:46 client2.key
> -rw-r--r-- 1 root root 1306 Sep  3 00:46 client_company.crt
> -rw-r--r-- 1 root root  660 Sep  3 00:46 client_company.csr
> -rw-r--r-- 1 root root  887 Sep  3 00:46 client_company.key
> -rw-r--r-- 1 root root 1342 Sep  3 00:46 client_expired.crt
> -rw-r--r-- 1 root root  660 Sep  3 00:46 client_expired.csr
> -rw-r--r-- 1 root root  887 Sep  3 00:46 client_expired.key
> -rw-r--r-- 1 root root 1342 Sep  3 00:46 server.crt
> -rw-r--r-- 1 root root  660 Sep  3 00:46 server.csr
> -rw-r--r-- 1 root root  891 Sep  3 00:46 server.key
> -rw-r--r-- 1 root root 2233 Sep  3 00:46 server.pem
>
> But when I restarted the haproxy, I got the following error:
>
> [root@haproxy haproxy]# service haproxy restart
> [ALERT] 245/025407 (2270) : parsing [/etc/haproxy/haproxy.cfg:71] : 'bind *:443' : unable to load SSL private key from PEM file '/etc/haproxy/certs/ca_crl.pem'.
> [ALERT] 245/025407 (2270) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
> [ALERT] 245/025407 (2270) : Proxy 'https_frontend': no SSL certificate specified for bind '*:443' at [/etc/haproxy/haproxy.cfg:71] (use 'crt').
> [ALERT] 245/025407 (2270) : Fatal errors found in configuration.
> Errors in configuration file, check with haproxy check.
>
> Thanks for your help my friend
>
> Rezhna
>
> -----Original Message-----
> From: Baptiste [mailto:bed...@gmail.com]
> Sent: Monday, September 2, 2013 10:41 PM
> To: Nick Jennings
> Cc: Rezhna Hoshyar; Lukas Tribus; haproxy@formilux.org
> Subject: Re: https with haproxy
>
> Rezhna,
>
> You can start with a script I used when I wrote some blog articles about 
> HAProxy and SSL:
> https://github.com/exceliance/haproxy/tree/master/blog/ssl_client_certificate_management_at_application_level
>
> You'll be able to generate self-signed certificates.
>
> Good luck,
> Baptiste
>
>
>
> On Mon, Sep 2, 2013 at 2:59 PM, Nick Jennings wrote:
>> http://www.startssl.com
>>
>>
>>
>> On Mon, Sep 2, 2013 at 2:51 PM, Rezhna Hoshyar wrote:
>>>
>>> Dear,
>>>
>>> Could you please tell me how I can get free ssl certificate as I
>>> tried many ways mentioned on Internet , but none of them were useful
>>>
>>> Rezhna
>>>
>>> -----Original Message-----
>>> From: Baptiste [mailto:bed...@gmail.com]
>>> Sent: Sunday, September 1, 2013 9:44 PM
>>> To: Rezhna Hoshyar
>>> Cc: Lukas Tribus; haproxy@formilux.org
>>> Subject: Re: https with haproxy
>>>
>>> Hi Rezhna,
>>>
>>> Use the "http-request redirect scheme" to do this, as example:
>>> http-request redirect scheme https if ! { ssl_fc }
>>>
>>> It will force HTTPs whatever the hostname is.
>>> As Lukas stated, you have to own the certificate and the frontend /
>>> backend must be in mode http.
>>>
>>> Baptiste
>>>
>>>
>>>
>>> On Sun, Sep 1, 2013 at 4:56 PM, Rezhna Hoshyar wrote:
>>> >
>>> > Hi,
>>> >
>>> > Actually we want to apply it for our company web sites.
>>> >
>>> > Rezhna
>>> >
>>> > -----Original Message-----
>>> > From: Lukas Tribus [mailto:luky...@hotmail.com]
>>> > Sent: Sunday, September 1, 2013 5:44 PM
>>> > To: Rezhna Hoshyar
>>> > Cc: haproxy@formilux.org
>>> > Subject: RE: https with haproxy
>>> >
>>> > Hi,
>>> >
>>> >> My question is about how to use https with haproxy , not avoiding it.
>>> >

RE: https with haproxy

2013-09-03 Thread Rezhna Hoshyar
Dear,

Thanks a lot for your reply which I followed and produced the following:

[root@haproxy ~]# ll /etc/haproxy/certs/
total 88
-rw-r--r-- 1 root root 1960 Sep  3 00:46 ca2.crt
-rw-r--r-- 1 root root 3243 Sep  3 00:46 ca2.key
-rw-r--r-- 1 root root 1048 Sep  3 00:46 ca_crl.pem
-rw-r--r-- 1 root root 2029 Sep  3 00:46 ca.crt
-rw-r--r-- 1 root root 3243 Sep  3 00:46 ca.key
-rw-r--r-- 1 root root 3989 Sep  3 00:46 ca.pem
-rw-r--r-- 1 root root 1342 Sep  3 00:46 client1.crt
-rw-r--r-- 1 root root  660 Sep  3 00:46 client1.csr
-rw-r--r-- 1 root root  887 Sep  3 00:46 client1.key
-rw-r--r-- 1 root root 1342 Sep  3 00:46 client2.crt
-rw-r--r-- 1 root root  660 Sep  3 00:46 client2.csr
-rw-r--r-- 1 root root  887 Sep  3 00:46 client2.key
-rw-r--r-- 1 root root 1306 Sep  3 00:46 client_company.crt
-rw-r--r-- 1 root root  660 Sep  3 00:46 client_company.csr
-rw-r--r-- 1 root root  887 Sep  3 00:46 client_company.key
-rw-r--r-- 1 root root 1342 Sep  3 00:46 client_expired.crt
-rw-r--r-- 1 root root  660 Sep  3 00:46 client_expired.csr
-rw-r--r-- 1 root root  887 Sep  3 00:46 client_expired.key
-rw-r--r-- 1 root root 1342 Sep  3 00:46 server.crt
-rw-r--r-- 1 root root  660 Sep  3 00:46 server.csr
-rw-r--r-- 1 root root  891 Sep  3 00:46 server.key
-rw-r--r-- 1 root root 2233 Sep  3 00:46 server.pem

But when I restarted the haproxy, I got the following error:

[root@haproxy haproxy]# service haproxy restart
[ALERT] 245/025407 (2270) : parsing [/etc/haproxy/haproxy.cfg:71] : 'bind *:443' : unable to load SSL private key from PEM file '/etc/haproxy/certs/ca_crl.pem'.
[ALERT] 245/025407 (2270) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 245/025407 (2270) : Proxy 'https_frontend': no SSL certificate specified for bind '*:443' at [/etc/haproxy/haproxy.cfg:71] (use 'crt').
[ALERT] 245/025407 (2270) : Fatal errors found in configuration.
Errors in configuration file, check with haproxy check.

Thanks for your help my friend

Rezhna 

-----Original Message-----
From: Baptiste [mailto:bed...@gmail.com] 
Sent: Monday, September 2, 2013 10:41 PM
To: Nick Jennings
Cc: Rezhna Hoshyar; Lukas Tribus; haproxy@formilux.org
Subject: Re: https with haproxy

Rezhna,

You can start with a script I used when I wrote some blog articles about 
HAProxy and SSL:
https://github.com/exceliance/haproxy/tree/master/blog/ssl_client_certificate_management_at_application_level

You'll be able to generate self-signed certificates.

Good luck,
Baptiste



On Mon, Sep 2, 2013 at 2:59 PM, Nick Jennings wrote:
> http://www.startssl.com
>
>
>
> On Mon, Sep 2, 2013 at 2:51 PM, Rezhna Hoshyar wrote:
>>
>> Dear,
>>
>> Could you please tell me how I can get free ssl certificate as I 
>> tried many ways mentioned on Internet , but none of them were useful
>>
>> Rezhna
>>
>> -----Original Message-----
>> From: Baptiste [mailto:bed...@gmail.com]
>> Sent: Sunday, September 1, 2013 9:44 PM
>> To: Rezhna Hoshyar
>> Cc: Lukas Tribus; haproxy@formilux.org
>> Subject: Re: https with haproxy
>>
>> Hi Rezhna,
>>
>> Use the "http-request redirect scheme" to do this, as example:
>> http-request redirect scheme https if ! { ssl_fc }
>>
>> It will force HTTPs whatever the hostname is.
>> As Lukas stated, you have to own the certificate and the frontend / 
>> backend must be in mode http.
>>
>> Baptiste
>>
>>
>>
>> On Sun, Sep 1, 2013 at 4:56 PM, Rezhna Hoshyar wrote:
>> >
>> > Hi,
>> >
>> > Actually we want to apply it for our company web sites.
>> >
>> > Rezhna
>> >
>> > -----Original Message-----
>> > From: Lukas Tribus [mailto:luky...@hotmail.com]
>> > Sent: Sunday, September 1, 2013 5:44 PM
>> > To: Rezhna Hoshyar
>> > Cc: haproxy@formilux.org
>> > Subject: RE: https with haproxy
>> >
>> > Hi,
>> >
>> >> My question is about how to use https with haproxy , not avoiding it.
>> >
>> > Compile haproxy 1.5 with SSL support and enable it. You can find 
>> > details in doc/ and some generic examples in examples/.
>> >
>> >
>> >
>> >> I can use haproxy to redirect http://google.com to 
>> >> http://yahoo.com, but I cannot do that with https://google.com.
>> >
>> > Well, do you have a certificate for google.com (or whatever website 
>> > you need to redirect)? You cannot do this without a valid 
>> > certificate, otherwise HTTPS would not make any sense.
>> >
>> >
>> >
>> > Regards,
>> >
>> > Lukas
>> >
>> > --
>> > This message has been scanned for viruses and dangerous content by 
>> > MailScanner, and is believed to be clean.
>> >
>> >
>>
>>
>>
>

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
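
An added example, not part of the original thread: a pre-flight audit for a directory passed to `crt` on a `bind` line. It assumes HAProxy 1.5, where every file in such a directory must be a PEM bundle holding a certificate and its private key (the thread does not show the actual configuration), and it also flags key files readable by "other", as in the `-rw-r--r--` listing above. Function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a directory before pointing "crt" at it.
# All file names and contents below are constructed sample data.

# Print which PEM block types a file holds: bundle, cert-only, key-only, other.
pem_kind() {
    has_cert=0; has_key=0
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" && has_cert=1
    grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1" && has_key=1
    case "$has_cert$has_key" in
        11) echo bundle ;;
        10) echo cert-only ;;
        01) echo key-only ;;
        *)  echo other ;;
    esac
}

# Succeeds when "other" has read permission (8th character of the mode string).
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Report every regular file in the directory; return 1 if any file is not a
# cert+key bundle or if key material is world-readable.
audit_crt_dir() {
    rc=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        kind=$(pem_kind "$f")
        note=""
        [ "$kind" = bundle ] || { note=" NOT-LOADABLE-AS-CRT"; rc=1; }
        case "$kind" in bundle|key-only)
            if world_readable "$f"; then note="$note WORLD-READABLE-KEY"; rc=1; fi ;;
        esac
        echo "${f##*/}: $kind$note"
    done
    return $rc
}

# Constructed sample echoing part of the listing in the thread
# (PEM header lines only, no real key material).
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN X509 CRL-----' '-----END X509 CRL-----' > "$d/ca_crl.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' '-----END CERTIFICATE-----' > "$d/server.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '-----END RSA PRIVATE KEY-----' > "$d/server.key"
    cat "$d/server.crt" "$d/server.key" > "$d/server.pem"
    chmod 644 "$d/ca_crl.pem" "$d/server.crt" "$d/server.key"
    chmod 600 "$d/server.pem"
    echo "$d"
}

sample=$(make_sample_dir)
audit_crt_dir "$sample" || echo "fix the files above before pointing crt at $sample"
rm -rf "$sample"
```

Only files reported as `bundle` belong in a directory given to `crt`; CA certificates and CRLs go in a separate location.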




Re: https with haproxy

2013-09-02 Thread Baptiste
Rezhna,

You can start with a script I used when I wrote some blog articles
about HAProxy and SSL:
https://github.com/exceliance/haproxy/tree/master/blog/ssl_client_certificate_management_at_application_level

You'll be able to generate self-signed certificates.

Good luck,
Baptiste



On Mon, Sep 2, 2013 at 2:59 PM, Nick Jennings wrote:
> http://www.startssl.com
>
>
>
> On Mon, Sep 2, 2013 at 2:51 PM, Rezhna Hoshyar wrote:
>>
>> Dear,
>>
>> Could you please tell me how I can get free ssl certificate as I tried
>> many ways mentioned on Internet , but none of them were useful
>>
>> Rezhna
>>
>> -----Original Message-----
>> From: Baptiste [mailto:bed...@gmail.com]
>> Sent: Sunday, September 1, 2013 9:44 PM
>> To: Rezhna Hoshyar
>> Cc: Lukas Tribus; haproxy@formilux.org
>> Subject: Re: https with haproxy
>>
>> Hi Rezhna,
>>
>> Use the "http-request redirect scheme" to do this, as example:
>> http-request redirect scheme https if ! { ssl_fc }
>>
>> It will force HTTPs whatever the hostname is.
>> As Lukas stated, you have to own the certificate and the frontend /
>> backend must be in mode http.
>>
>> Baptiste
>>
>>
>>
>> On Sun, Sep 1, 2013 at 4:56 PM, Rezhna Hoshyar wrote:
>> >
>> > Hi,
>> >
>> > Actually we want to apply it for our company web sites.
>> >
>> > Rezhna
>> >
>> > -----Original Message-----
>> > From: Lukas Tribus [mailto:luky...@hotmail.com]
>> > Sent: Sunday, September 1, 2013 5:44 PM
>> > To: Rezhna Hoshyar
>> > Cc: haproxy@formilux.org
>> > Subject: RE: https with haproxy
>> >
>> > Hi,
>> >
>> >> My question is about how to use https with haproxy , not avoiding it.
>> >
>> > Compile haproxy 1.5 with SSL support and enable it. You can find details
>> > in doc/ and some generic examples in examples/.
>> >
>> >
>> >
>> >> I can use haproxy to redirect http://google.com to http://yahoo.com,
>> >> but I cannot do that with https://google.com.
>> >
>> > Well, do you have a certificate for google.com (or whatever website you
>> > need to redirect)? You cannot do this without a valid certificate,
>> > otherwise HTTPS would not make any sense.
>> >
>> >
>> >
>> > Regards,
>> >
>> > Lukas
>> >
>> >
>> >
>>
>>
>>
>



Re: https with haproxy

2013-09-02 Thread Nick Jennings
http://www.startssl.com



On Mon, Sep 2, 2013 at 2:51 PM, Rezhna Hoshyar wrote:

> Dear,
>
> Could you please tell me how I can get free ssl certificate as I tried
> many ways mentioned on Internet , but none of them were useful
>
> Rezhna
>
> -----Original Message-----
> From: Baptiste [mailto:bed...@gmail.com]
> Sent: Sunday, September 1, 2013 9:44 PM
> To: Rezhna Hoshyar
> Cc: Lukas Tribus; haproxy@formilux.org
> Subject: Re: https with haproxy
>
> Hi Rezhna,
>
> Use the "http-request redirect scheme" to do this, as example:
> http-request redirect scheme https if ! { ssl_fc }
>
> It will force HTTPs whatever the hostname is.
> As Lukas stated, you have to own the certificate and the frontend /
> backend must be in mode http.
>
> Baptiste
>
>
>
> On Sun, Sep 1, 2013 at 4:56 PM, Rezhna Hoshyar wrote:
> >
> > Hi,
> >
> > Actually we want to apply it for our company web sites.
> >
> > Rezhna
> >
> > -----Original Message-----
> > From: Lukas Tribus [mailto:luky...@hotmail.com]
> > Sent: Sunday, September 1, 2013 5:44 PM
> > To: Rezhna Hoshyar
> > Cc: haproxy@formilux.org
> > Subject: RE: https with haproxy
> >
> > Hi,
> >
> >> My question is about how to use https with haproxy , not avoiding it.
> >
> > Compile haproxy 1.5 with SSL support and enable it. You can find details
> > in doc/ and some generic examples in examples/.
> >
> >
> >
> >> I can use haproxy to redirect http://google.com to http://yahoo.com,
> >> but I cannot do that with https://google.com.
> >
> > Well, do you have a certificate for google.com (or whatever website you
> > need to redirect)? You cannot do this without a valid certificate,
> > otherwise HTTPS would not make any sense.
> >
> >
> >
> > Regards,
> >
> > Lukas
> >
> >
> >
>
>
>
>


RE: https with haproxy

2013-09-02 Thread Rezhna Hoshyar
Dear,

Could you please tell me how I can get free ssl certificate as I tried many
ways mentioned on Internet, but none of them were useful.

Rezhna 

-----Original Message-----
From: Baptiste [mailto:bed...@gmail.com] 
Sent: Sunday, September 1, 2013 9:44 PM
To: Rezhna Hoshyar
Cc: Lukas Tribus; haproxy@formilux.org
Subject: Re: https with haproxy

Hi Rezhna,

Use the "http-request redirect scheme" to do this, as example:
http-request redirect scheme https if ! { ssl_fc }

It will force HTTPs whatever the hostname is.
As Lukas stated, you have to own the certificate and the frontend / backend 
must be in mode http.

Baptiste



On Sun, Sep 1, 2013 at 4:56 PM, Rezhna Hoshyar wrote:
>
> Hi,
>
> Actually we want to apply it for our company web sites.
>
> Rezhna
>
> -----Original Message-----
> From: Lukas Tribus [mailto:luky...@hotmail.com]
> Sent: Sunday, September 1, 2013 5:44 PM
> To: Rezhna Hoshyar
> Cc: haproxy@formilux.org
> Subject: RE: https with haproxy
>
> Hi,
>
>> My question is about how to use https with haproxy , not avoiding it.
>
> Compile haproxy 1.5 with SSL support and enable it. You can find details in 
> doc/ and some generic examples in examples/.
>
>
>
>> I can use haproxy to redirect http://google.com to http://yahoo.com, 
>> but I cannot do that with https://google.com.
>
> Well, do you have a certificate for google.com (or whatever website you need 
> to redirect)? You cannot do this without a valid certificate, otherwise HTTPS 
> would not make any sense.
>
>
>
> Regards,
>
> Lukas
>
>
>





Re: https with haproxy

2013-09-01 Thread Baptiste
Hi Rezhna,

Use the "http-request redirect scheme" to do this, as example:
http-request redirect scheme https if ! { ssl_fc }

It will force HTTPS whatever the hostname is.
As Lukas stated, you have to own the certificate and the frontend /
backend must be in mode http.

Baptiste



On Sun, Sep 1, 2013 at 4:56 PM, Rezhna Hoshyar wrote:
>
> Hi,
>
> Actually we want to apply it for our company web sites.
>
> Rezhna
>
> -----Original Message-----
> From: Lukas Tribus [mailto:luky...@hotmail.com]
> Sent: Sunday, September 1, 2013 5:44 PM
> To: Rezhna Hoshyar
> Cc: haproxy@formilux.org
> Subject: RE: https with haproxy
>
> Hi,
>
>> My question is about how to use https with haproxy , not avoiding it.
>
> Compile haproxy 1.5 with SSL support and enable it. You can find details in 
> doc/ and some generic examples in examples/.
>
>
>
>> I can use haproxy to redirect http://google.com to http://yahoo.com,
>> but I cannot do that with https://google.com.
>
> Well, do you have a certificate for google.com (or whatever website you need 
> to redirect)? You cannot do this without a valid certificate, otherwise HTTPS 
> would not make any sense.
>
>
>
> Regards,
>
> Lukas
>
>
>



RE: https with haproxy

2013-09-01 Thread Rezhna Hoshyar

Hi,

Actually we want to apply it for our company web sites.

Rezhna 

-----Original Message-----
From: Lukas Tribus [mailto:luky...@hotmail.com] 
Sent: Sunday, September 1, 2013 5:44 PM
To: Rezhna Hoshyar
Cc: haproxy@formilux.org
Subject: RE: https with haproxy

Hi,

> My question is about how to use https with haproxy , not avoiding it.

Compile haproxy 1.5 with SSL support and enable it. You can find details in 
doc/ and some generic examples in examples/.



> I can use haproxy to redirect http://google.com to http://yahoo.com, 
> but I cannot do that with https://google.com.

Well, do you have a certificate for google.com (or whatever website you need to 
redirect)? You cannot do this without a valid certificate, otherwise HTTPS 
would not make any sense.



Regards,

Lukas 





RE: https with haproxy

2013-09-01 Thread Lukas Tribus
Hi,

> My question is about how to use https with haproxy , not avoiding it.

Compile haproxy 1.5 with SSL support and enable it. You can find details
in doc/ and some generic examples in examples/.



> I can use haproxy to redirect http://google.com to http://yahoo.com, but
> I cannot do that with https://google.com.

Well, do you have a certificate for google.com (or whatever website you need
to redirect)? You cannot do this without a valid certificate, otherwise HTTPS
would not make any sense.



Regards,

Lukas 


RE: https with haproxy

2013-09-01 Thread Rezhna Hoshyar
Dear,

Thanks for your reply.
My question is about how to use https with haproxy, not avoiding it. For
example, I can use haproxy to redirect http://google.com to http://yahoo.com,
but I cannot do that with https://google.com.
I tried to do that with mode tcp but it did not work also.

Rezhna 
-----Original Message-----
From: Lukas Tribus [mailto:luky...@hotmail.com] 
Sent: Sunday, September 1, 2013 1:36 PM
To: Rezhna Hoshyar
Cc: haproxy@formilux.org
Subject: RE: https with haproxy

Hi Rezhna,

> I am the Linux Administrator of Fanoos Telec company in Iraq and I am 
> planning to use haproxy as proxy - load balancer in our company , but 
> the problem is I cannot use it with (https) just http so could you 
> please help me with this issue?

If I understand correctly, your question is how to avoid https with HAProxy?

That's simple: don't compile it with SSL support and don't use the ssl keywords
in the configuration.

Better yet: use 1.4 stable, it has no SSL support at all.



Regards,

Lukas 





RE: https with haproxy

2013-09-01 Thread Lukas Tribus
Hi Rezhna,

> I am the Linux Administrator of Fanoos Telec company in Iraq and I am
> planning to use haproxy as proxy – load balancer in our company , but
> the problem is I cannot use it with (https) just http so could you
> please help me with this issue?

If I understand correctly, your question is how to avoid https with HAProxy?

That's simple: don't compile it with SSL support and don't use the ssl
keywords in the configuration.

Better yet: use 1.4 stable, it has no SSL support at all.



Regards,

Lukas