Channel: HAProxy community - Latest topics

SSL Protocol Errors when not offloading

Hello, I’m trying to eventually set up something similar to this, where a single frontend should only ask for client certs conditionally. However, I got a bunch of errors and it seems I’m getting errors with even more basic setups.

Here’s a minimal setup that produces the error for me:

OPNSense HAProxy plugin running on a home box

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    1
    hard-stop-after             60s
    no strict-limits
    tune.ssl.default-dh-param   2048
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats

# More frontends omitted for brevity

# Frontend: test_in ()
frontend test_in
    bind 0.0.0.0:443 name 0.0.0.0:443 
    mode tcp
    default_backend homeassistant
    # tuning options
    timeout client 30s

    # logging options
    option log-separate-errors
    option tcplog

# More backends omitted for brevity

# Backend: homeassistant ()
backend homeassistant
    option log-health-checks
    # health check: check homeassistant
    option httpchk
    http-check send meth GET uri / ver HTTP/1.0
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m  
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server homeassistant 192.168.1.123:8123 check inter 2s check-ssl  verify none

Chrome gives me ERR_SSL_PROTOCOL_ERROR and Postman gives me Error: write EPROTO 82462216:error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:../../third_party/boringssl/src/ssl/tls_record.cc:242: when visiting my site.

I have also tried combinations of https offloading on the frontend, and marking the backend as SSL. Only the combination of both allows me to access the homeassistant instance properly.

HTTPS offloading but no SSL on the backend gives me a 502. SSL on the backend but SSL passthrough on the frontend (as shown above) gives me the same SSL protocol error.

Here’s the relevant portions with the aforementioned options both enabled:

frontend test_in
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl  crt-list /tmp/haproxy/ssl/62a6bbcf47f3b0.59102928.certlist 
    # rest same

backend homeassistant
    # rest same
    server homeassistant 192.168.1.123:8123 check inter 2s check-ssl  ssl alpn h2,http/1.1 verify none verify none

I can get it working with offloading, but I’m assuming getting the SSL passthrough working is necessary for the loopback unix node setup since you mentioned that the “first three sections need to be tcp mode” when referring to the main frontend and loopback backends in the linked thread.
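For reference, the first configuration pairs a `mode tcp` frontend with a `mode http` backend, so HAProxy tries to parse the client's TLS ClientHello as an HTTP request and answers with a plaintext error; a browser receiving non-TLS bytes on port 443 reports exactly WRONG_VERSION_NUMBER. The snippet below is an added example, not the poster's configuration or anything from the OPNsense plugin: it shows the passthrough variant with both sections in `mode tcp` and no `ssl` keyword on the server line, assuming Home Assistant at 192.168.1.123:8123 terminates TLS itself (which the original `check-ssl` suggests). HAProxy never sees the plaintext in this mode, so client-certificate decisions still require a TLS-terminating section.

```haproxy
# Added example: TLS passthrough. Both sections must be "mode tcp" so the
# TLS records are forwarded byte-for-byte instead of being parsed as HTTP.
frontend test_in
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    option tcplog
    timeout client 30s
    default_backend homeassistant

backend homeassistant
    mode tcp
    balance source
    stick-table type ip size 50m expire 30m
    stick on src
    timeout connect 30s
    timeout server 30s
    # Health checks are independent of the proxy mode: HAProxy opens its own
    # TLS session to the backend for the check only (check-ssl), while client
    # traffic is relayed untouched. "verify none" skips certificate validation
    # of the backend for the check; use a CA file instead where one exists.
    option httpchk
    http-check send meth GET uri / ver HTTP/1.0
    # No "ssl" here: the client, not HAProxy, is the TLS peer of the backend.
    server homeassistant 192.168.1.123:8123 check inter 2s check-ssl verify none
```

`http-reuse` was dropped because it only applies to HTTP-mode backends; `stick-table type ip size 50k` from the original is equally fine, the size above is just a constructed value.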
