SSH termination config invalid after upgrade

I’ve been using HAProxy for SSL termination and reverse proxy on 1.5 for a while and have been trying to upgrade to 1.8.30 as a stepping stone to upgrading to 2.4. The installation was successful but HAProxy won’t start due to the following config file issues:

[ALERT] 230/113800 (7902) : parsing [/etc/haproxy/haproxy.cfg:16] : unknown keyword 'tune.ssl.default-dh-param' in 'global' section
[ALERT] 230/113800 (7902) : parsing [/etc/haproxy/haproxy.cfg:17] : unknown keyword 'ssl-default-bind-ciphers' in 'global' section
[ALERT] 230/113800 (7902) : parsing [/etc/haproxy/haproxy.cfg:18] : unknown keyword 'ssl-default-bind-options' in 'global' section
[ALERT] 230/113800 (7902) : parsing [/etc/haproxy/haproxy.cfg:50] : 'listen' cannot handle unexpected argument '*:8080'.
[ALERT] 230/113800 (7902) : parsing [/etc/haproxy/haproxy.cfg:50] : please use the 'bind' keyword for listening addresses.
[ALERT] 230/113800 (7902) : parsing [/etc/haproxy/haproxy.cfg:85] : 'bind *:443' unknown keyword 'ssl'. Registered keywords :
    [STAT] level <arg>
    [STAT] expose-fd <arg>
    [STAT] severity-output <arg>
    [ TCP] defer-accept
    [ TCP] interface <arg>
    [ TCP] mss <arg>
    [ TCP] tcp-ut <arg>
    [ TCP] tfo
    [ TCP] transparent
    [ TCP] v4v6
    [ TCP] v6only
    [ ALL] accept-netscaler-cip <arg>
    [ ALL] accept-proxy
    [ ALL] backlog <arg>
    [ ALL] id <arg>
    [ ALL] maxconn <arg>
    [ ALL] name <arg>
    [ ALL] nice <arg>
    [ ALL] process <arg>
    [UNIX] gid <arg>
    [UNIX] group <arg>
    [UNIX] mode <arg>
    [UNIX] uid <arg>
    [UNIX] user <arg>
[WARNING] 230/113800 (7902) : parsing [/etc/haproxy/haproxy.cfg:95] : a 'http-request' rule placed after a 'reqadd' rule will still be processed before.
[ALERT] 230/113800 (7902) : parsing [/etc/haproxy/haproxy.cfg:115] : error detected in backend 'mydomain.com' while parsing redirect rule : error in condition: unknown fetch method 'ssl_fc' in ACL expression 'ssl_fc'.
[ALERT] 230/113800 (7902) : parsing [/etc/haproxy/haproxy.cfg:128] : error detected in backend 'manage.mydomain.com' while parsing redirect rule : error in condition: unknown fetch method 'ssl_fc' in ACL expression 'ssl_fc'.
[ALERT] 230/113800 (7902) : parsing [/etc/haproxy/haproxy.cfg:141] : error detected in backend 'my.mydomain.com' while parsing redirect rule : error in condition: unknown fetch method 'ssl_fc' in ACL expression 'ssl_fc'.
[ALERT] 230/113800 (7902) : parsing [/etc/haproxy/haproxy.cfg:152] : error detected in backend 'api.mydomain.com' while parsing redirect rule : error in condition: unknown fetch method 'ssl_fc' in ACL expression 'ssl_fc'.
[ALERT] 230/113800 (7902) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 230/113800 (7902) : Fatal errors found in configuration.

(I’ve hidden my actual domain)

My config file (which worked on 1.5) is as follows. All connections for my subdomains arrive at HAProxy, where SSL is terminated and requests are proxied to the appropriate web server.

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    log         127.0.0.1 local2     #Log configuration

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy             #Haproxy running under user and group "haproxy"
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats mode 600 level admin
    tune.ssl.default-dh-param 2048
    ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11


#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    15s
    timeout queue           30s
    timeout connect         5s
    timeout client          25s
    timeout server          5m
    timeout http-keep-alive 1s
    timeout check           10s
    timeout tunnel          3600s
    timeout tarpit          60s
    backlog                 10000
    maxconn                 3000

#---------------------------------------------------------------------
#HAProxy Monitoring Config
#---------------------------------------------------------------------
listen haproxy3-monitoring *:8080                #Haproxy Monitoring run on port 8080
    mode http
    option forwardfor
    option httpclose
    stats enable
    stats show-legends
    stats refresh 5s
    stats uri /stats                             #URL for HAProxy monitoring
    stats realm Haproxy\ Statistics
    stats admin if TRUE

#---------------------------------------------------------------------
# FrontEnd Configuration
#---------------------------------------------------------------------
frontend www-http
    bind *:80
    reqadd X-Forwarded-Proto:\ http
    option http-server-close
    option forwardfor
    acl website_www hdr(host) -i www.staging.mydomain.com
    acl website_blank hdr(host) -i staging.mydomain.com
    acl app_api hdr(host) -i api.staging.mydomain.com
    acl app_my hdr(host) -i my.staging.mydomain.com
    acl legacy_manage hdr(host) -i manage.staging.mydomain.com

    use_backend mydomain.com if website_www
    use_backend mydomain.com if website_blank
    use_backend api.mydomain.com if app_api
    use_backend my.mydomain.com if app_my
    use_backend manage.mydomain.com if legacy_manage

    default_backend mydomain.com

frontend www-https
   bind *:443 ssl crt /etc/haproxy/newcert.pem
   reqadd X-Forwarded-Proto:\ https
   acl website_www hdr(host) -i www.staging.mydomain.com
   acl website_blank hdr(host) -i staging.mydomain.com
   acl app_api hdr(host) -i api.staging.mydomain.com
   acl app_my hdr(host) -i my.staging.mydomain.com
   acl legacy_manage hdr(host) -i manage.staging.mydomain.com

   acl block_trace_request method TRACE
   http-request deny if block_trace_request

   use_backend mydomain.com if website_www
   use_backend mydomain.com if website_blank
   use_backend api.mydomain.com if app_api
   use_backend my.mydomain.com if app_my
   use_backend manage.mydomain.com if legacy_manage

   default_backend mydomain.com

#---------------------------------------------------------------------
# BackEnds
#---------------------------------------------------------------------

backend mydomain.com
    http-response set-header X-Frame-Options: DENY
    http-response set-header X-XSS-Protection: 1;mode=block
    http-response set-header X-Content-Type-Options: nosniff
    http-response set-header Referrer-Policy no-referrer-when-downgrade

    http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
    redirect scheme https if !{ ssl_fc }
    option httpchk HEAD / HTTP/1.1\r\nHost:\ localhost
    server brochure.staging.mydomain 10.10.11.14:80 check

# Backends api.mydomain.com, my.mydomain.com and manage.mydomain.com are identical to this one, save for the server hostname, IP and httpchk URL.

Thanks for your help! I’ve been trying to read through the release notes for all the versions but it’s very slow going.

1 post - 1 participant

Read full topic