How to do server fixation with HAProxy through HTTPS


When you create an HTTPS proxy (depending on what version of HAProxy you are using, and if it has SSL support compiled in), you have 2 different ways of handling the traffic.

One is the route you took with this config -- Make it a straight TCP proxy, and pass the traffic right through to the backend server without doing any Layer7 processing.

mode tcp

When in tcp mode, you won't be able to use any options that are specifically for http proxies -- in your case, you'd lose the stats endpoint, the cookie processing, the insertion of the 'X-Forwarded-For' header, etc. The warnings are in place to just let you know that this proxy will still function, but it probably won't operate as you are expecting, since you use options that are specific only to http proxies.

The other route you could take is to terminate the SSL on the HAProxy server. In this scenario, you have HTTPS traffic between your client and HAProxy, and (typically) unencrypted HTTP traffic between HAProxy and your backend servers. If you were going to do the SSL termination in HAProxy itself, and not with something like pound, then you would need to be running v1.5 with SSL support compiled in. Your resulting proxy config could look something like the following.

listen appname
  bind 0.0.0.0:80
  bind 0.0.0.0:443 ssl crt /path/to/your/cert.pem ciphers TLSv1+HIGH:!SSLv2:RC4+MEDIUM:!aNULL:!eNULL:!3DES:@STRENGTH
  mode http
  stats enable
  stats uri /haproxy?stats
  stats realm Strictly\ Private
  stats auth admin:XXXXXXXX
  balance roundrobin
  option http-server-close
  timeout http-keep-alive 3000
  option forwardfor
  cookie SRVNAME insert
  server lamp1 10.128.24.97:80 cookie S1 check
  server lamp2 10.128.24.98:80 cookie S2 check

A couple of notes on this. This listen directive is actually lumping both the HTTP and the HTTPS proxies into the same one. It could just as easily be split back up, but unless it's required, I like to keep things a little cleaner like this. Also, the "ciphers" options are configurable to your liking or application -- I'm no SSL expert, but those options are what work for me, so I figured I'd include them.
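As an added illustration (not part of the original answer or of HAProxy itself): a small Python check that reproduces the tcp-mode warnings from the question by scanning a `listen` section for directives HAProxy only honours in `mode http`. It is useful to run before a restart, because in `mode tcp` the cookie stickiness and the `X-Forwarded-For` insertion simply stop happening. The sample config is the one from the question; the directive table is an assumption based on the warnings shown there, not an exhaustive list.

```python
import re
from typing import Dict, List

# Directives HAProxy ignores (with a warning) unless the proxy is in "mode http".
# Assumed list, built from the warnings quoted in the question.
HTTP_ONLY = {
    "cookie": "cookie will be ignored (needs 'mode http')",
    "stats": "'stats' statement ignored as it requires HTTP mode",
    "option forwardfor": "'option forwardfor' ignored as it requires HTTP mode",
    "option http-server-close": "'option http-server-close' ignored as it requires HTTP mode",
    "option httplog": "'option httplog' not usable (falls back to 'option tcplog')",
}

def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split a HAProxy config into {section: [directive lines]}, dropping comments."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(listen|frontend|backend|defaults)\b\s*(\S*)", line)
        if m:
            current = f"{m.group(1)} {m.group(2)}".strip()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections

def tcp_mode_conflicts(text: str) -> Dict[str, List[str]]:
    """For every section that explicitly sets 'mode tcp', list the HTTP-only
    directives (and per-server 'cookie' keywords) HAProxy would ignore."""
    report: Dict[str, List[str]] = {}
    for name, lines in parse_sections(text).items():
        if "mode tcp" not in lines:
            continue
        found: List[str] = []
        for line in lines:
            for key, msg in HTTP_ONLY.items():
                if (line == key or line.startswith(key + " ")) and msg not in found:
                    found.append(msg)
            # "server ... cookie S1" is also an HTTP-mode feature
            if line.startswith("server ") and " cookie " in line:
                found.append(f"ignoring cookie for server '{line.split()[1]}'")
        if found:
            report[name] = found
    return report

# Constructed sample: the tcp-mode HTTPS config from the question.
SAMPLE = r"""listen httpsapp 0.0.0.0:443
    mode tcp
    stats enable
    stats uri /haproxy?stats
    stats realm Strictly\ Private
    stats auth admin:XXXXXXXXXXX
    balance roundrobin
    option http-server-close
    timeout http-keep-alive 3000
    option forwardfor
    cookie SRVNAME insert
    server lamp1 10.128.24.97:443 cookie S1 check
    server lamp2 10.128.24.98:443 cookie S2 check
"""

if __name__ == "__main__":
    for section, problems in tcp_mode_conflicts(SAMPLE).items():
        for p in problems:
            print(f"{section}: {p}")
```

Switching the sample to `mode http` (as in the terminating config above) makes the report empty, which is the state you want before relying on `SRVNAME` for server fixation.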

Author: Daniel Luca CleanUnicorn

Updated on September 18, 2022

Comments

  • Daniel Luca CleanUnicorn
    Daniel Luca CleanUnicorn almost 2 years

    I previously created a loadbalancer for web servers in HAProxy, but that one was HTTP, not HTTPS.

    This is the config I previously used.

    listen appname 0.0.0.0:80
        mode http
        stats enable
        stats uri /haproxy?stats
        stats realm Strictly\ Private
        stats auth admin:XXXXXXXX
        balance roundrobin
        option http-server-close
        timeout http-keep-alive 3000
        option forwardfor
        cookie SRVNAME insert
        server lamp1 10.128.24.97:80 cookie S1 check
        server lamp2 10.128.24.98:80 cookie S2 check
    

    I don't know how to rewrite this config to make the requests to port 443 available to the servers behind HAProxy. I copied the previous one and changed the port to 443. However, I get a lot of errors. How can I translate the config to be valid for an HTTPS / SSL connection?

    listen httpsapp 0.0.0.0:443
        mode tcp
        stats enable
        stats uri /haproxy?stats
        stats realm Strictly\ Private
        stats auth admin:XXXXXXXXXXX
        balance roundrobin
        option http-server-close
        timeout http-keep-alive 3000
        option forwardfor
        cookie SRVNAME insert
        server lamp1 10.128.24.97:443 cookie S1 check
        server lamp2 10.128.24.98:443 cookie S2 check
    

    I get these warnings when I restart HAProxy:

    [WARNING] 007/090716 (2409) : config : cookie will be ignored for proxy 'httpsapp' (needs 'mode http').
    [WARNING] 007/090716 (2409) : config : 'option httplog' not usable with proxy 'httpsapp' (needs 'mode http'). Falling back to 'option tcplog'.
    [WARNING] 007/090716 (2409) : config : 'stats' statement ignored for proxy 'httpsapp' as it requires HTTP mode.
    [WARNING] 007/090716 (2409) : config : 'option forwardfor' ignored for proxy 'httpsapp' as it requires HTTP mode.
    [WARNING] 007/090716 (2409) : config : 'option http-server-close' ignored for proxy 'httpsapp' as it requires HTTP mode.
    [WARNING] 007/090716 (2409) : config : proxy 'httpsapp' : ignoring cookie for server 'lamp1' as HTTP mode is disabled.
    [WARNING] 007/090716 (2409) : config : proxy 'httpsapp' : ignoring cookie for server 'lamp2' as HTTP mode is disabled.
    
  • Eamorr
    Eamorr over 9 years
    I cannot tell you how helpful this is. On Ubuntu 14.04.1 LTS, the standard repo only has haproxy 1.4.24. You need to upgrade haproxy to at least 1.5. I used a PPA (sudo add-apt-repository ppa:vbernat/haproxy-1.5).