HAProxy as TCP load balancer (SSL passthrough) not working?
ew, I made it work by adding this in the frontend (after looking at this post):

    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

The thing is, I don't know what these options are doing, or why I need to specify them. Does it mean that the HAProxy default behaviour is to reject anything?
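What the two directives change is when the SNI ACLs get evaluated. In the original configuration the use_backend rules run the moment the connection is accepted, before a single byte has been read, so req.ssl_sni is empty, no ACL matches, and because the frontend has no default_backend HAProxy simply closes the connection (the client sees that as a handshake failure). `tcp-request inspect-delay 5s` lets HAProxy hold the connection for up to 5 seconds waiting for content, and `tcp-request content accept if { req_ssl_hello_type 1 }` ends that wait as soon as a complete ClientHello (handshake type 1) is buffered, so the SNI ACLs are evaluated on real data. The default is therefore not to reject; the rules were just running on an empty buffer. The following added example, written for this page and not taken from the original post or from HAProxy's own code, parses a ClientHello the way the req.ssl_sni fetch does and models the frontend's routing decision with and without the inspect delay. The hostnames and backend names are the masked ones from the configuration on this page; the ClientHello bytes are constructed inline, not captured from a real client.

```python
import struct

# The routing table from the frontend in the question (masked names kept).
BACKENDS = {
    "url1.domain.net": "backend_SIT_CI5",
    "url2.domain.net": "backend_SIT_HR8",
}


def extract_sni(buf):
    """Return the SNI hostname from a buffered TLS ClientHello.

    None  -> buffer does not yet hold a complete ClientHello; the proxy
             must keep waiting (what tcp-request inspect-delay allows).
    ""    -> hello is complete but carries no server_name extension.
    """
    if len(buf) < 5:                               # record header incomplete
        return None
    content_type = buf[0]
    rec_len = struct.unpack("!H", buf[3:5])[0]
    if content_type != 0x16:                       # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    if len(buf) < 5 + rec_len:                     # record still arriving
        return None
    rec = buf[5:5 + rec_len]
    if rec[0] != 1:                                # 1 = ClientHello (req_ssl_hello_type 1)
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(rec[1:4], "big")
    body = rec[4:4 + hs_len]
    if len(body) < hs_len:
        return None
    pos = 2 + 32                                   # client_version + random
    pos += 1 + body[pos]                           # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    pos += 1 + body[pos]                           # compression methods
    if pos + 2 > len(body):
        return ""                                  # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if ext_type == 0:                          # server_name extension
            # ServerNameList: list_len(2) name_type(1) name_len(2) name
            name_type = body[pos + 2]
            name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
            if name_type == 0:                     # host_name
                return body[pos + 5:pos + 5 + name_len].decode("ascii").lower()
        pos += elen
    return ""


def choose_backend(buf, inspect_delay_set):
    """Mirror HAProxy's use_backend decision for one TCP connection."""
    if not inspect_delay_set:
        # Original config: rules run at accept time, before any byte has
        # been read, so req.ssl_sni is empty whatever the client sends.
        sni = ""
    else:
        sni = extract_sni(buf)
        if sni is None:
            return "WAIT"                          # keep buffering, delay not expired
    # No use_backend matched and no default_backend: HAProxy closes the
    # connection, which the client reports as a handshake failure.
    return BACKENDS.get(sni, "CLOSED (no default_backend)")


def build_client_hello(hostname):
    """Construct a minimal TLS 1.2 ClientHello (constructed test input,
    not a capture). hostname=None omits the extensions block."""
    ext_block = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name entry
        sni_ext = (b"\x00\x00" + struct.pack("!H", len(entry) + 2)
                   + struct.pack("!H", len(entry)) + entry)
        ext_block = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32)                # version + random
            + b"\x00"                              # empty session id
            + b"\x00\x02\xc0\x2f"                  # one cipher suite
            + b"\x01\x00"                          # null compression
            + ext_block)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    hello = build_client_hello("url1.domain.net")
    for delay in (False, True):
        print("inspect-delay set:", delay, "->", choose_backend(hello, delay))
    print("first 10 bytes only ->", choose_backend(hello[:10], True))
```

To check on a live setup which backend a given SNI lands on (the question asked further down), connect through the VIP with `openssl s_client -connect <vip>:443 -servername url1.domain.net` and compare the certificate returned with the one each backend serves; with `option tcplog` enabled, the log line for that connection also names the backend and server HAProxy picked.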
olivierg
Updated on September 18, 2022

Comments
-
olivierg over 1 year
I am having some trouble setting up HAProxy as a TCP load balancer (layer 4) and I would like to have your advice about it.
I've been following many guides on the web and I came up with this configuration (it does not show any errors in the logs; it starts fine):
Note: real domain names are masked.
    #---------------------------------------------------------------------
    # Global settings
    #---------------------------------------------------------------------
    global
        daemon
        user haproxy
        group haproxy
        log /dev/log local6 debug
        maxconn 50000
        chroot /var/lib/haproxy
        pidfile /var/run/haproxy.pid

    #---------------------------------------------------------------------
    # common defaults
    #---------------------------------------------------------------------
    defaults
        mode tcp
        log global
        option dontlognull
        timeout connect 5000
        timeout client 50000
        timeout server 50000

    #---------------------------------------------------------------------
    # dedicated stats page
    #---------------------------------------------------------------------
    listen stats
        mode http
        bind :22222
        stats enable
        stats uri /haproxy?stats
        stats realm Haproxy\ Statistics
        stats auth xxxxxx:xxxxxxxx
        stats refresh 30s

    #---------------------------------------------------------------------
    # main frontend which proxys to the backends
    #---------------------------------------------------------------------
    frontend main_https_listen
        bind *:443
        mode tcp
        option tcplog

        # -------------------------------
        # ACLs - SIT
        # -------------------------------
        acl acl_SIT_CI5 req.ssl_sni -i url1.domain.net
        acl acl_SIT_HR8 req.ssl_sni -i url2.domain.net

        # -------------------------------
        # Conditions - SIT
        # -------------------------------
        use_backend backend_SIT_CI5 if acl_SIT_CI5
        use_backend backend_SIT_HR8 if acl_SIT_HR8

    #---------------------------------------------------------------------
    # Backends
    #---------------------------------------------------------------------
    backend backend_SIT_CI5
        mode tcp
        balance source
        option ssl-hello-chk
        server server_SIT_CI5_1 host1.domain.net:443 check
        server server_SIT_CI5_2 host2.domain.net:443 check

    backend backend_SIT_HR8
        mode tcp
        balance source
        option ssl-hello-chk
        server server_SIT_HR8_1 host1.domain.net:443 check
        server server_SIT_HR8_2 host2.domain.net:443 check
I've pointed host1.domain.net to my HAProxy VIP (it has a keepalived configuration behind it with a virtual IP).
Now, when accessing https://url1.domain.net (or even https://loadbalancerURL, but I assume this is normal for that one), I get an error: "This page can't be displayed. Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://host1.domain.net again."
A single openssl s_client gives an SSL handshake failure (no certificates, blabla).
Do you have any idea what I did wrong? Also, do I need to set up some certificates since I'm listening on 443? (Even though I don't want these certs to be decrypted or whatever, as I only want my HAProxy to act as a proxy.)
I also tried to activate debug mode for logging, but it didn't show any errors (nor new logs).
Note: the backends are located behind firewalls; the communication from the backends to HAProxy is not opened on 443 (only FROM HAProxy to the backends). Does it need to be directional? And why?
Note 2: in the HAProxy stats, I can see all backends UP.
Also, is there a way to know/check whether a redirection based on hostname (SNI) is working or not? (I have the impression that the connection stays at the load balancer and is not redirected to the backend, and this is why I get an error.)
A haproxy -vv gives:
    HA-Proxy version 1.5.18 2016/05/10
    Copyright 2000-2016 Willy Tarreau <[email protected]>

    Build options :
      TARGET  = linux2628
      CPU     = generic
      CC      = gcc
      CFLAGS  = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
      OPTIONS = USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

    Default settings :
      maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

    Encrypted password support via crypt(3): yes
    Built with zlib version : 1.2.7
    Compression algorithms supported : identity, deflate, gzip
    Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
    Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
    OpenSSL library supports TLS extensions : yes
    OpenSSL library supports SNI : yes
    OpenSSL library supports prefer-server-ciphers : yes
    Built with PCRE version : 8.32 2012-11-30
    PCRE library supports JIT : no (USE_PCRE_JIT not set)
    Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

    Available polling systems :
          epoll : pref=300,  test result OK
           poll : pref=200,  test result OK
         select : pref=150,  test result OK
    Total: 3 (3 usable), will use epoll.
-
Admin almost 2 years: thank you Malcolm