Hi,
I think/hope I am trying to do something relatively simple:
- I have one HAProxy (2.1) running on
127.0.0.1:8181 - I have a service which speaks http2 (with SSL), running on
127.0.0.1:9001
My goal is to route traffic via the HAProxy to my service/backend. If this was HTTP 1.1, I would call it SSL passthrough. The service itself, sets up certs, etc… It’s a third party agent written in Golang. There’s no Let’s Encrypt or anything. The certificates are self-signed, hence -k in my curl examples below.
Here is my HAProxy configuration:
global
daemon
maxconn 256
log-send-hostname
defaults
mode tcp
option http-use-htx
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
frontend h2-in
bind *:8181
mode tcp
default_backend servers
backend servers
server agent 127.0.0.1:9001 check
(Stats report the backend to be available.)
When I access the service via HAProxy, I get the following error:
❯ curl -k -v --tlsv1.2 https://127.0.0.1:8181/ping
* Trying 127.0.0.1:8181...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8181 (#0)
* ALPN, offering http/1.1
* WARNING: disabling hostname validation also disables SNI.
* Server aborted the SSL handshake
* Closing connection 0
curl: (35) Server aborted the SSL handshake
When I access the service directly via curl, it responds (204):
❯ curl -k -v --tlsv1.2 https://127.0.0.1:9001/ping
* Trying 127.0.0.1:9001...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 9001 (#0)
* ALPN, offering http/1.1
* WARNING: disabling hostname validation also disables SNI.
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: X509 Certificate
> GET /ping HTTP/1.1
> Host: 127.0.0.1:9001
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 204 No Content
< Date: Mon, 01 Jun 2020 13:41:52 GMT
<
* Connection #0 to host 127.0.0.1 left intact
Can anyone take a look at my configuration and tell me what I am doing wrong?
2 posts - 1 participant