How to do server fixation with HAProxy through HTTPS
When you create an HTTPS proxy (depending on what version of HAProxy you are using, and whether it has SSL support compiled in), you have two different ways of handling the traffic.
One is the route you took with this config -- Make it a straight TCP proxy, and pass the traffic right through to the backend server without doing any Layer 7 processing.
```
mode tcp
```
When in tcp mode, you won't be able to use any options that are specifically for http proxies -- in your case, you'd lose the stats endpoint, the cookie processing, the insertion of the 'X-Forwarded-For' header, etc. The warnings are in place to just let you know that this proxy will still function, but it probably won't operate as you are expecting, since you use options that are specific only to http proxies.
The other route you could take, is to terminate the SSL on the HAProxy server. In this scenario, you have HTTPS traffic between your client and HAProxy, and (typically) unencrypted HTTP traffic between HAProxy and your backend servers. If you were going to do the SSL termination in HAProxy itself, and not with something like pound, then you would need to be running v1.5 with SSL support compiled in. Your resulting proxy config could look something like the following.
```
listen appname
    bind 0.0.0.0:80
    bind 0.0.0.0:443 ssl crt /path/to/your/cert.pem ciphers TLSv1+HIGH:!SSLv2:RC4+MEDIUM:!aNULL:!eNULL:!3DES:@STRENGTH
    mode http
    stats enable
    stats uri /haproxy?stats
    stats realm Strictly\ Private
    stats auth admin:XXXXXXXX
    balance roundrobin
    option http-server-close
    timeout http-keep-alive 3000
    option forwardfor
    cookie SRVNAME insert
    server lamp1 10.128.24.97:80 cookie S1 check
    server lamp2 10.128.24.98:80 cookie S2 check
```
A couple of notes on this. This listen directive is actually lumping both the HTTP and the HTTPS proxies into the same one. It could just as easily be split back up, but unless it's required, I like to keep things a little cleaner like this. Also, the "ciphers" options are configurable to your liking or application -- I'm no SSL expert, but those options are what work for me, so I figured I'd include them.
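To catch the mode mismatch before restarting HAProxy, here is a small added linter (example code, not from the answer or from HAProxy) that reproduces the startup checks behind the warnings quoted in the question: HTTP-only directives and per-server cookies under `mode tcp`, plus one extra sanity check that a `mode http` bind on 443 actually carries `ssl crt`. The two sample configs are constructed inline from the thread; the directive list and the tcp default are assumptions based on HAProxy's documented behaviour.

```python
import re

# Directives HAProxy ignores outside 'mode http' (names taken from the warnings quoted in the question).
HTTP_ONLY = ("stats", "cookie", "option forwardfor", "option http-server-close", "option httplog")

# Constructed samples: the question's layer-4 attempt and the answer's TLS-terminating config.
TCP_PASSTHROUGH = """listen httpsapp 0.0.0.0:443
    mode tcp
    stats enable
    option forwardfor
    cookie SRVNAME insert
    server lamp1 10.128.24.97:443 cookie S1 check
    server lamp2 10.128.24.98:443 cookie S2 check"""

TLS_TERMINATION = """listen appname
    bind 0.0.0.0:80
    bind 0.0.0.0:443 ssl crt /path/to/your/cert.pem
    mode http
    stats enable
    option forwardfor
    cookie SRVNAME insert
    server lamp1 10.128.24.97:80 cookie S1 check
    server lamp2 10.128.24.98:80 cookie S2 check"""

def parse_sections(cfg):
    """Return (name, directives) per listen/frontend/backend block; a legacy
    'listen name addr:port' header is rewritten as an explicit 'bind' line."""
    sections = []
    for line in (l.strip() for l in cfg.splitlines()):
        m = re.match(r"(listen|frontend|backend)\s+(\S+)(?:\s+(\S+))?", line)
        if m:
            sections.append((m.group(2), [f"bind {m.group(3)}"] if m.group(3) else []))
        elif line and not line.startswith("#") and sections:
            sections[-1][1].append(line)
    return sections

def lint(cfg):
    """Return the findings HAProxy would warn about, plus one TLS sanity check."""
    findings = []
    for name, lines in parse_sections(cfg):
        # HAProxy defaults to tcp when neither the section nor 'defaults' sets a mode (assumption).
        mode = next((l.split()[1] for l in lines if l.startswith("mode ")), "tcp")
        for l in lines:
            if mode != "http" and l.startswith(HTTP_ONLY):
                findings.append(f"{name}: '{l}' ignored (needs 'mode http')")
            elif mode != "http" and l.startswith("server ") and " cookie " in l:
                findings.append(f"{name}: cookie for server '{l.split()[1]}' ignored (HTTP mode disabled)")
            elif mode == "http" and re.match(r"bind\s+\S*:443(\s|$)", l) and " ssl " not in l + " ":
                findings.append(f"{name}: '{l}' on 443 without 'ssl crt' (TLS is not terminated here)")
    return findings
```

Running `lint(TCP_PASSTHROUGH)` lists the same ignored directives HAProxy reports, while `lint(TLS_TERMINATION)` comes back empty.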
Comments
-
Daniel Luca CleanUnicorn almost 2 years
I previously created a loadbalancer for web servers in HAProxy, but that one was HTTP, not HTTPS.
This is the config I previously used.
```
listen appname 0.0.0.0:80
    mode http
    stats enable
    stats uri /haproxy?stats
    stats realm Strictly\ Private
    stats auth admin:XXXXXXXX
    balance roundrobin
    option http-server-close
    timeout http-keep-alive 3000
    option forwardfor
    cookie SRVNAME insert
    server lamp1 10.128.24.97:80 cookie S1 check
    server lamp2 10.128.24.98:80 cookie S2 check
```
I don't know how to rewrite this config to make the requests to port 443 available to the servers behind HAProxy. I copied the previous one and changed the port to 443. However, I get a lot of errors. How can I translate the config to be valid for an HTTPS / SSL connection?
```
listen httpsapp 0.0.0.0:443
    mode tcp
    stats enable
    stats uri /haproxy?stats
    stats realm Strictly\ Private
    stats auth admin:XXXXXXXXXXX
    balance roundrobin
    option http-server-close
    timeout http-keep-alive 3000
    option forwardfor
    cookie SRVNAME insert
    server lamp1 10.128.24.97:443 cookie S1 check
    server lamp2 10.128.24.98:443 cookie S2 check
```
I get these warnings when I restart HAProxy:
```
[WARNING] 007/090716 (2409) : config : cookie will be ignored for proxy 'httpsapp' (needs 'mode http').
[WARNING] 007/090716 (2409) : config : 'option httplog' not usable with proxy 'httpsapp' (needs 'mode http'). Falling back to 'option tcplog'.
[WARNING] 007/090716 (2409) : config : 'stats' statement ignored for proxy 'httpsapp' as it requires HTTP mode.
[WARNING] 007/090716 (2409) : config : 'option forwardfor' ignored for proxy 'httpsapp' as it requires HTTP mode.
[WARNING] 007/090716 (2409) : config : 'option http-server-close' ignored for proxy 'httpsapp' as it requires HTTP mode.
[WARNING] 007/090716 (2409) : config : proxy 'httpsapp' : ignoring cookie for server 'lamp1' as HTTP mode is disabled.
[WARNING] 007/090716 (2409) : config : proxy 'httpsapp' : ignoring cookie for server 'lamp2' as HTTP mode is disabled.
```
-
Eamorr over 9 years
I cannot tell you how helpful this is. On Ubuntu 14.04.1 LTS, the standard repo only has haproxy 1.4.24. You need to upgrade haproxy to at least 1.5. I used a PPA (`sudo add-apt-repository ppa:vbernat/haproxy-1.5`).