Channel: HAProxy community - Latest topics

SSL Passthrough Not Working


@jasetheace wrote:

Hello. I’m rather new to HAProxy, and I’m having issues getting SSL passthrough working. I have narrowed my configuration down to demonstrate the issue (redacted):

```
# frontend specific configuration
frontend http-in
    mode tcp

    #bind *:443 ssl crt /etc/haproxy/certs
    bind *:443
    no option httpclose
    # wait up to 5s for the client's TLS ClientHello before routing
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    # define a default backend
    default_backend servers

# backend specific configuration
backend servers
    mode tcp
    option log-health-checks
    balance leastconn

    # define health check using HTTP OPTIONS call
    option httpchk OPTIONS / HTTP/1.1

    server svr1 1.2.3.4:18082 check ssl verify required verifyhost example1.com ca-file /etc/haproxy/backend-trust-ca/backend-trust-ca.pem
    #server svr1 1.2.3.4:18082
```

Testing with curl, I get an error:

```
$ curl -I https://example.com/
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
```

The backend check works, as I see this in the logs:

```
[WARNING] 077/095549 (25563) : Health check for server servers/svr1 succeeded, reason: Layer7 check passed, code: 200, info: "OK", check duration: 3ms, status: 3/3 UP.
```

And I can see in the status page that it shows as active up too.

I can get it to work if I change the binding on the front end to do ssl (see it commented out above). But if I understand things properly, that will decrypt the SSL, instead of simply passing the tcp connection on to the back end. And I can also get it to work if I remove the check from the back end (see it commented out above). But I really need to be able to do these checks to make sure that the backend servers are healthy. When I make one of those changes, with curl I get:

```
ssa-syr-taz:~$ curl -I https://example.com/
HTTP/1.1 405 Method Not Allowed
[snip]
```

It almost seems like either of those changes puts haproxy into http mode. In fact, it works if I configure haproxy to use http mode. But I do not want to decrypt the session in haproxy.

Running haproxy in debug mode does not seem to show a difference between a curl connection that works and one that does not.

```
00000003:http-in.accept(0007)=000d from [1.2.3.10:54194] ALPN=<none>
00000003:servers.srvcls[adfd:adfd]
00000003:servers.clicls[adfd:adfd]
00000003:servers.closed[adfd:adfd]
```

A packet capture of the failure shows haproxy resetting the connection:

```
11:06:32.875119 IP 1.2.3.10.54244 > 1.2.3.7.443: Flags [S], seq 2513995732, win 29200, options [mss 1460,sackOK,TS val 788408339 ecr 0,nop,wscale 7], length 0
11:06:32.875154 IP 1.2.3.7.443 > 1.2.3.10.54244: Flags [R.], seq 0, ack 2513995733, win 0, length 0
```

I’m running version 2.0.13.

```
$ haproxy -v
HA-Proxy version 2.0.13-1~bpo10+1 2020/02/15 - https://haproxy.org/
```

I suspect either I’m trying to do something that is not supported, or I have something misconfigured. Any help of things to try or ways to get additional logs / debugging would be great. Thank you!

Posts: 1

Participants: 1

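The two spellings of the server line side by side, as an added example that is not part of the original post or of HAProxy's own documentation. The IP address, hostnames, port and CA path are placeholders. The point it illustrates: in a `mode tcp` backend, `ssl` on the server line makes HAProxy open its own TLS session to the backend and relay the client's bytes inside it, and in a passthrough setup those bytes are already a TLS ClientHello, so the backend gets TLS-in-TLS. `check-ssl` wraps only the health check in TLS and leaves production traffic as a raw TCP relay, while `verify required`, `verifyhost` and `ca-file` continue to govern the check connection. The example omits `no option httpclose` because it is an HTTP-mode option with no effect in `mode tcp`, and adds a `Host` header to the check because many HTTP/1.1 servers reject a request without one.

```haproxy
# Added example, not the poster's configuration.
# Placeholders: 192.0.2.10, example.com, example1.com, the CA path.

frontend tls-in
    mode tcp
    bind *:443                      # no "ssl" keyword: TLS is never terminated here
    tcp-request inspect-delay 5s
    # Hold the connection until a TLS ClientHello (handshake type 1) has
    # arrived, so content rules (e.g. req_ssl_sni) can inspect it.
    tcp-request content accept if { req_ssl_hello_type 1 }
    default_backend servers

# BROKEN (kept here only for comparison; do not deploy both backends):
# "ssl" makes HAProxy start its own TLS session to 192.0.2.10:18082 and
# forward the client's ClientHello as application data inside it. The
# backend's HTTP server answers that garbage in plaintext, HAProxy relays
# the plaintext to the client, and the client reports a non-TLS reply
# where it expected a ServerHello. The health check itself still passes,
# which is why the server shows UP while real traffic fails.
backend servers-broken
    mode tcp
    option httpchk OPTIONS / HTTP/1.1
    server svr1 192.0.2.10:18082 check ssl verify required verifyhost example1.com ca-file /etc/haproxy/backend-trust-ca/backend-trust-ca.pem

# FIXED: "check-ssl" encrypts only the health check. Normal connections are
# relayed byte-for-byte, so the client's own handshake reaches the backend
# intact and the backend's certificate is what the client sees.
# verify/verifyhost/ca-file apply to the check, so a backend that presents
# the wrong certificate is marked DOWN instead of being silently trusted.
backend servers
    mode tcp
    balance leastconn
    option log-health-checks
    # HTTP/1.1 check with a Host header (2.0 syntax; 2.2+ has http-check send)
    option httpchk OPTIONS / HTTP/1.1\r\nHost:\ example1.com
    http-check expect status 200
    server svr1 192.0.2.10:18082 check check-ssl verify required verifyhost example1.com ca-file /etc/haproxy/backend-trust-ca/backend-trust-ca.pem
```

To confirm the stream is really passed through rather than re-encrypted, run `openssl s_client -connect <haproxy-host>:443 -servername example.com` against the frontend and check that the certificate chain printed is the backend's, not one installed on the load balancer; `haproxy -c -f <file>` validates the syntax before reloading.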
