@the_Uli wrote:
Dear HAProxy community,
I get a strange problem with my TCP proxy config.
My health check works and the backend servers are online on the HAProxy stats page. But I get this error in my web browser: “SSL_ERROR_RX_RECORD_TOO_LONG”
If I remove “ssl verify none” and the “httpchk”, the TCP proxy works fine and the website goes online. My problem now: I need to check the backend with the HTTP status and need the TCP proxy (proprietary backend…)

    frontend ft_webapp_tcp
        bind *:443 name https
        default_backend bk_webapp_tcp

    backend bk_webapp_tcp
        mode tcp
        balance roundrobin
        option httpchk GET /webapp/check.html
        http-check expect status 200
        server web1 192.168.10.104:443 maxconn 10000 check ssl verify none
        server web2 192.168.10.105:443 maxconn 10000 check ssl verify none

Wireshark response:

    (ClientIP) -> (HAProxy IP) -> TLSv1 -> Client Hello
    (HAProxy IP) -> (ClientIP) -> HTTP -> HTTP/1.1 400 Bad Request (text/html)

Does anyone have an idea?

    HA-Proxy version 1.8.8-1ubuntu0.2 2018/10/02
    Copyright 2000-2018 Willy Tarreau <willy@haproxy.org>

    Build options :
      TARGET  = linux2628
      CPU     = generic
      CC      = gcc
      CFLAGS  = -g -O2 -fdebug-prefix-map=/build/haproxy-1p70ey/haproxy-1.8.8=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2
      OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_SYSTEMD=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_NS=1

    Default settings :
      maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

    Built with OpenSSL version : OpenSSL 1.1.0g 2 Nov 2017
    Running on OpenSSL version : OpenSSL 1.1.0g 2 Nov 2017
    OpenSSL library supports TLS extensions : yes
    OpenSSL library supports SNI : yes
    OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
    Built with Lua version : Lua 5.3.3
    Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
    Encrypted password support via crypt(3): yes
    Built with multi-threading support.
    Built with PCRE version : 8.39 2016-06-14
    Running on PCRE version : 8.39 2016-06-14
    PCRE library supports JIT : yes
    Built with zlib version : 1.2.11
    Running on zlib version : 1.2.11
    Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
    Built with network namespace support.

    Available polling systems :
      epoll : pref=300, test result OK
      poll : pref=200, test result OK
      select : pref=150, test result OK
    Total: 3 (3 usable), will use epoll.

    Available filters :
      [SPOE] spoe
      [COMP] compression
      [TRACE] trace

best regards,
the_Uli
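
The capture in the post is consistent with how the `ssl` server keyword behaves: it makes HAProxy act as TLS client for the forwarded traffic as well as for the checks, so the browser's Client Hello arrives at the backend inside a second TLS session and the plaintext 400 reply is relayed back to the browser. The configuration below is an added example, not part of the original thread, that swaps in `check-ssl` so that only the health check is encrypted by HAProxy; the explicit `mode tcp` in the frontend is an assumption, since the post does not show its `defaults` section.

```haproxy
frontend ft_webapp_tcp
    # Assumption: stated explicitly here because the post's defaults section is not shown.
    mode tcp
    bind *:443 name https
    default_backend bk_webapp_tcp

backend bk_webapp_tcp
    mode tcp
    balance roundrobin

    # Layer-7 health check, unchanged from the post.
    option httpchk GET /webapp/check.html
    http-check expect status 200

    # "ssl" would encrypt the forwarded client traffic too (TLS inside TLS).
    # "check-ssl" encrypts only the health-check connection, so the client's
    # own TLS session passes through to the backend untouched.
    # "verify none" skips validation of the backend certificate during the check;
    # "verify required ca-file <path-to-ca>" validates it instead
    # (<path-to-ca> is a placeholder, not a path from the post).
    server web1 192.168.10.104:443 maxconn 10000 check check-ssl verify none
    server web2 192.168.10.105:443 maxconn 10000 check check-ssl verify none
```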