@Peter wrote:
Hello,
We have implemented HAProxy as replacement loadbalancer for AWS Application Loadbalancer.
However, after some complaints about missing visitors from our customers after switching to HAProxy, we investigated some logs and see a lot of SSL handshake failure errors:

Sep 4 14:18:46 loadbalancer haproxy[21591]: 106.222.222.189:55618 [04/Sep/2018:14:18:36.747] secure-http-in/1: SSL handshake failure
Sep 4 14:18:46 loadbalancer haproxy[21591]: 223.186.100.116:4945 [04/Sep/2018:14:18:35.370] secure-http-in/1: SSL handshake failure
Sep 4 14:18:47 loadbalancer haproxy[21591]: 106.207.103.103:21626 [04/Sep/2018:14:18:23.376] secure-http-in/1: SSL handshake failure
Sep 4 14:18:47 loadbalancer haproxy[21591]: 223.184.31.51:15289 [04/Sep/2018:14:18:27.450] secure-http-in/1: SSL handshake failure
Sep 4 14:18:47 loadbalancer haproxy[21591]: 106.220.80.243:14583 [04/Sep/2018:14:18:29.926] secure-http-in/1: SSL handshake failure
Sep 4 14:18:47 loadbalancer haproxy[21591]: 223.237.203.143:56317 [04/Sep/2018:14:18:27.836] secure-http-in/1: SSL handshake failure
Sep 4 14:18:48 loadbalancer haproxy[21591]: 106.203.140.9:2597 [04/Sep/2018:14:18:30.263] secure-http-in/1: SSL handshake failure

The version we are running:
# haproxy -vv
HA-Proxy version 1.8.13-1ppa1~bionic 2018/08/01

Our setup is as follows: we have 3 haproxy instances in different regions for high availability. Combined with Route53 health checks, we try to make sure that a failing loadbalancer is affordable.
Using letsencrypt we have created multiple certificates which are shared between the loadbalancers. We have 2 listeners, 1 for HTTP and 1 for HTTPS. Depending on the requested hostname, we load different sets of backends. Below is our configuration:
global
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    nbproc 1
    nbthread 8
    cpu-map auto:1/1-36 0-35
    maxconn 1000000
    tune.ssl.cachesize 1000000
    tune.ssl.default-dh-param 2048
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option dontlog-normal
    option log-separate-errors
    option dontlognull
    option http-keep-alive
    option log-health-checks
    option redispatch
    timeout http-keep-alive 60s
    timeout connect 3100 # 3.1 second
    timeout client 30s
    timeout server 30s
    maxconn 500000
    retries 2

frontend secure-http-in
    bind *:443 ssl crt-list /etc/haproxy/cert-list.txt alpn h2,http/1.1
    mode http
    maxconn 1000000
    acl is_zone_a.com hdr_end(host) -i a.com
    use_backend backend_app1 if is_zone_a.com
    acl is_zone_b.com hdr_end(host) -i b.com
    use_backend backend_app2 if is_zone_b.com

frontend http-in
    bind *:80
    mode http
    maxconn 1000000
    acl is_zone_a.com hdr_end(host) -i a.com
    use_backend backend_app1 if is_zone_a.com
    acl is_zone_b.com hdr_end(host) -i b.com
    use_backend backend_app2 if is_zone_b.com

backend backend_app1
    mode http
    balance roundrobin
    http-reuse always
    option httpchk GET /health.php
    http-check expect status 200
    default-server slowstart 30s check inter 10s fall 3 rise 3
    cookie DSALB insert dynamic
    dynamic-cookie-key MYKEY
    server srv1 172.16.10.1:80
    server srv2 172.16.10.2:80
    server srv3 172.16.10.3:80

backend backend_app2
    mode http
    balance roundrobin
    http-reuse always
    option httpchk GET /health.php
    http-check expect status 200
    default-server slowstart 30s check inter 10s fall 3 rise 3
    cookie DSALB insert dynamic
    dynamic-cookie-key MYKEY
    server srv4 172.16.10.4:80
    server srv5 172.16.10.5:80
    server srv6 172.16.10.6:80
Is there anyone having similar issues or can help us into the right direction? Thanks in advance!
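As an added example (not part of Peter's post and not HAProxy's own tooling), a small parser for the error-log lines quoted above: it counts "SSL handshake failure" entries per frontend and per client /16 prefix and derives how long each connection sat between accept and the logged failure, which helps tell timeouts apart from outright rejections. The field layout in the regex is an assumption read off the quoted lines.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the first three log lines quoted in the post.
SAMPLE_LOG = """\
Sep 4 14:18:46 loadbalancer haproxy[21591]: 106.222.222.189:55618 [04/Sep/2018:14:18:36.747] secure-http-in/1: SSL handshake failure
Sep 4 14:18:46 loadbalancer haproxy[21591]: 223.186.100.116:4945 [04/Sep/2018:14:18:35.370] secure-http-in/1: SSL handshake failure
Sep 4 14:18:47 loadbalancer haproxy[21591]: 106.207.103.103:21626 [04/Sep/2018:14:18:23.376] secure-http-in/1: SSL handshake failure
"""

# Syslog header followed by the connection error-log layout assumed from the
# lines above: <ip>:<port> [<accept_date>] <frontend>/<bind_id>: <message>
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) haproxy\[(?P<pid>\d+)\]: "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"\[(?P<accept>\d\d/[A-Z][a-z]{2}/\d{4}:\d\d:\d\d:\d\d\.\d{3})\] "
    r"(?P<frontend>[^/ ]+)/(?P<bind>\d+): (?P<msg>.+)$"
)

def parse_line(line):
    """Return one parsed error-log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    accepted = datetime.strptime(m["accept"], "%d/%b/%Y:%H:%M:%S.%f")
    # Syslog timestamps carry no year; borrow it from the accept date.
    logged = datetime.strptime(f"{m['mon']} {m['day']} {accepted.year} {m['time']}",
                               "%b %d %Y %H:%M:%S")
    return {
        "ip": m["ip"], "port": int(m["port"]), "frontend": m["frontend"],
        "bind": int(m["bind"]), "msg": m["msg"],
        # Seconds from accept() to the logged failure: a large value means the
        # handshake idled until a timeout rather than being rejected at once.
        "delay_s": (logged - accepted).total_seconds(),
    }

def summarize(log_text):
    """Count 'SSL handshake failure' lines per frontend and per client /16 prefix."""
    per_frontend, per_prefix, delays = Counter(), Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["msg"] != "SSL handshake failure":
            continue
        per_frontend[rec["frontend"]] += 1
        per_prefix[".".join(rec["ip"].split(".")[:2]) + ".0.0/16"] += 1
        delays.append(rec["delay_s"])
    return {"per_frontend": dict(per_frontend), "per_prefix": dict(per_prefix),
            "max_delay_s": max(delays, default=0.0)}
```

Feed it the whole HAProxy log (for example, `summarize(open("/var/log/haproxy.log").read())`) to see whether the failures cluster on one frontend or one client range, and whether they arrive after a long idle gap.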