Hi All,
We have HAProxy running perfectly until there is a need to add 2 services that use SSL, called web1 and web2. We have installed a wildcard SSL certificate in the server.
This is an example of our configs:
```
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    nbproc 12
    cpu-map 1 1
    cpu-map 2 2
    cpu-map 3 3
    cpu-map 4 4
    cpu-map 5 5
    cpu-map 6 6
    cpu-map 7 7
    cpu-map 8 8
    cpu-map 9 9
    cpu-map 10 10
    cpu-map 11 11
    cpu-map 12 12
    stats bind-process 12
    maxconn 500
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    tune.ssl.default-dh-param 4096
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend frontweb
    maxconn 800
    option http_proxy
    bind *:443 ssl crt /etc/ssl/web.abc.com
    acl web1 hdr(host) -i abc1.abc.com
    use_backend web1b if web1
    acl web2 hdr(host) -i abc2.abc.com
    use_backend web2b if web2
    option forwardfor
    default_backend www

backend www
    mode http
    server ipx x.x.x.x:80 check maxconn 500

backend web1b
    mode http
    server ipx1 y.y.y.y:80 check maxconn 500

backend web2b
    mode http
    server ipx2 z.z.z.z:80 check maxconn 500
```
After making some tests we are in this situation:

- abc2.abc.com is routed into the backend www
- If we remove the default_backend, abc2.abc.com cannot be served and we get these errors:
  `-1/-1/-1/-1/0 503 212 - - SC--`

In all the tests above we confirmed that abc1.abc.com is served OK in both situations.
Can anyone please help us to dig deeper so that we can solve this situation?
Thanks in advance
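To narrow down a routing problem like the one above, it helps to separate two questions: which backend the frontend's `acl`/`use_backend`/`default_backend` rules would pick for a given Host header, and what the logged termination state (`SC--` here) says about where the request died. The following Python is an added example, not part of the original post and not HAProxy's own code. It re-implements only the small subset of HAProxy's switching logic the post uses (`hdr(host)` with `-i`, exact string match, single-ACL `if` conditions) over a constructed copy of the post's frontend rules, and decodes the termination-state letters as documented in HAProxy's logging section. The function names and the embedded config string are assumptions made for this example.

```python
"""Simulate HAProxy host-header switching and decode an HTTP log termination state."""
import re

# Constructed sample: the frontend rules from the post, placeholders kept as written.
FRONTEND = """
frontend frontweb
    bind *:443 ssl crt /etc/ssl/web.abc.com
    acl web1 hdr(host) -i abc1.abc.com
    use_backend web1b if web1
    acl web2 hdr(host) -i abc2.abc.com
    use_backend web2b if web2
    default_backend www
"""

# Constructed sample of the log fragment quoted in the post:
# timings, status, bytes, captured request/response cookie, termination state.
LOG_FRAGMENT = "-1/-1/-1/-1/0 503 212 - - SC--"


def parse_frontend(text):
    """Collect hdr(host) ACLs, use_backend rules and the default backend."""
    acls, rules, default = {}, [], None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "hdr(host)":
            flags = [p for p in parts[3:] if p.startswith("-")]
            values = [p for p in parts[3:] if not p.startswith("-")]
            acls.setdefault(parts[1], []).append(("-i" in flags, values))
        elif parts[0] == "use_backend" and len(parts) == 4 and parts[2] == "if":
            rules.append((parts[1], parts[3]))  # (backend, acl name, possibly "!name")
        elif parts[0] == "default_backend" and len(parts) == 2:
            default = parts[1]
    return acls, rules, default


def acl_matches(acls, name, host):
    """hdr(host) uses an exact string match; -i only makes it case-insensitive.
    A Host value that carries a port (host:443) therefore does not match a bare
    hostname pattern, which is a common cause of requests falling through."""
    negate = name.startswith("!")
    name = name.lstrip("!")
    hit = any(
        (host.lower() == v.lower()) if ci else (host == v)
        for ci, values in acls.get(name, [])
        for v in values
    )
    return hit != negate


def select_backend(text, host):
    """First matching use_backend wins; otherwise default_backend.
    None means no backend at all: the frontend serves it itself and, having no
    servers, answers 503 (the situation the post describes)."""
    acls, rules, default = parse_frontend(text)
    for backend, cond in rules:
        if acl_matches(acls, cond, host):
            return backend
    return default


# Termination-state letters from the HAProxy logging documentation.
TERM_CAUSE = {
    "C": "client aborted", "S": "server aborted or refused, or no server was available",
    "P": "proxy blocked or rejected it", "L": "handled locally by haproxy",
    "R": "resource exhaustion on the proxy", "I": "internal error", "D": "server marked DOWN",
    "U": "server came back UP", "K": "killed by an admin", "c": "client-side timeout",
    "s": "server-side timeout", "-": "normal termination",
}
TERM_PHASE = {
    "R": "waiting for the client REQUEST", "Q": "waiting in the QUEUE for a server",
    "C": "waiting for a server CONNECTION", "H": "waiting for response HEADERS",
    "D": "during DATA transfer", "L": "sending LAST data to the client",
    "T": "tarpitted", "-": "normal termination",
}


def decode_termination_state(code):
    """Explain the first two letters of a 4-character termination state such as SC--."""
    return {"cause": TERM_CAUSE.get(code[0], "unknown"),
            "phase": TERM_PHASE.get(code[1], "unknown")}


def parse_log_fragment(fragment):
    """Split the tail of an httplog line; a -1 timing means that phase never completed."""
    m = re.match(r"(-?\d+)/(-?\d+)/(-?\d+)/(-?\d+)/(-?\d+) (\d{3}) (\d+) (\S+) (\S+) (\S{4})",
                 fragment)
    if not m:
        return None
    return {"timings": [int(x) for x in m.groups()[:5]], "status": int(m.group(6)),
            "bytes": int(m.group(7)), "termination": m.group(10),
            "meaning": decode_termination_state(m.group(10))}


if __name__ == "__main__":
    for h in ("abc1.abc.com", "abc2.abc.com", "abc2.abc.com:443", "other.abc.com"):
        print(f"{h:20} -> {select_backend(FRONTEND, h)}")
    print(parse_log_fragment(LOG_FRAGMENT))
```

With the rules exactly as posted, the simulator sends `abc2.abc.com` to `web2b`, so if the live proxy still lands in `www`, the Host value HAProxy actually sees differs from the ACL pattern (for example it carries a port, or a different name); logging `%[req.hdr(host)]` through `log-format` or a `capture request header Host len 64` line will show the real value. An `SC--` with `503` and all timings at `-1` is consistent with no server being available to the selected (or absent) backend rather than with a backend server refusing the connection mid-way, which matches the symptom seen when `default_backend` is removed.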