Channel: HAProxy community - Latest topics

Does 'ssl verify none' work for a self-signed certificate in tcp mode healthcheck?


@Akihiro wrote:

I want to configure HAProxy as a tcp pass-through with ssl proxy, but some settings don’t work.

I think the ‘ssl verify none’ option at the listen directive works when the backend server uses a self-signed certificate.
But with the ‘ssl verify none’ option in mode tcp, I cannot access the backend server with the https protocol.
Is this correct behaviour?

  • This config does not work as an https frontend, only http access
global
  chroot /var/lib/haproxy
  user haproxy
  group haproxy
  log 127.0.0.1 local2
  pidfile /var/run/haproxy.pid
  maxconn 40000
  daemon
  stats socket /var/lib/haproxy/stats level admin

defaults
  mode tcp
  log global
  option tcplog
  option dontlognull
  option redispatch
  retries 3
  timeout http-request 10s
  timeout queue 1m
  timeout connect 10s
  timeout client 1m
  timeout server 1m
  timeout http-keep-alive 10s
  timeout check 10s
  maxconn 10000

listen https_web
  mode tcp
  bind *:8443
  balance roundrobin
  option log-health-checks
  reqadd X-Forwarded-Proto:\ http
  server sv1 sv1:8443 maxconn 512 check check-ssl inter 60s ssl verify none
  server sv2 sv2:8443 maxconn 512 backup check check-ssl inter 60s ssl verify none
  server sv3 sv3:8443 maxconn 512 backup check check-ssl inter 60s ssl verify none
  option httpchk GET /health
  http-check expect status 200

  • This config works as an https frontend
global
  chroot /var/lib/haproxy
  user haproxy
  group haproxy
  log 127.0.0.1 local2
  pidfile /var/run/haproxy.pid
  maxconn 40000
  daemon
  ssl-server-verify none
  stats socket /var/lib/haproxy/stats level admin

defaults
  mode tcp
  log global
  option tcplog
  option dontlognull
  option redispatch
  retries 3
  timeout http-request 10s
  timeout queue 1m
  timeout connect 10s
  timeout client 1m
  timeout server 1m
  timeout http-keep-alive 10s
  timeout check 10s
  maxconn 10000

listen https_web
  mode tcp
  bind *:8443
  balance roundrobin
  option log-health-checks
  reqadd X-Forwarded-Proto:\ http
  server sv1 sv1:8443 maxconn 512 check check-ssl inter 60s
  server sv2 sv2:8443 maxconn 512 backup check check-ssl inter 60s
  server sv3 sv3:8443 maxconn 512 backup check check-ssl inter 60s
  option httpchk GET /health
  http-check expect status 200

My haproxy build information is below.

HA-Proxy version 1.5.18 2016/05/10
Copyright 2000-2016 Willy Tarreau willy@haproxy.org

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Posts: 2

Participants: 2
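An added check, not part of this topic or of HAProxy itself: a small Python linter run over a constructed config fragment that reports the settings the thread turns on. It flags `verify none` (explicit on a server line or inherited from a global `ssl-server-verify none`), a TLS-checked server with no `ca-file` to pin a self-signed certificate against, and a server `ssl` keyword sitting behind a plaintext `bind`, where HAProxy re-encrypts the client stream, so a client that already speaks TLS gets double-wrapped. The host names and the `/etc/haproxy/sv3.crt` path are made up; `ca-base` and `crt-file` variants are not modelled.

```python
from dataclasses import dataclass

# Constructed sample (hypothetical hosts and paths) with the three server styles
# from the thread: explicit verify none, inherited global setting, pinned cert.
SAMPLE_CONFIG = """\
global
  ssl-server-verify none
listen https_web
  mode tcp
  bind *:8443
  server sv1 sv1:8443 maxconn 512 check check-ssl inter 60s ssl verify none
  server sv2 sv2:8443 maxconn 512 backup check check-ssl inter 60s
  server sv3 sv3:8443 check check-ssl inter 60s verify required ca-file /etc/haproxy/sv3.crt
"""

@dataclass
class Finding:
    line: int
    server: str   # "*" for a global setting
    message: str

def lint(config: str) -> list[Finding]:
    """Return one Finding per weak or surprising backend-TLS setting, in file order."""
    findings: list[Finding] = []
    global_verify = "required"  # HAProxy's default when ssl-server-verify is unset
    bind_plain = False          # last bind seen had no ssl keyword
    for no, raw in enumerate(config.splitlines(), 1):
        t = raw.split()
        if not t:
            continue
        if t[0] == "ssl-server-verify" and len(t) > 1:
            global_verify = t[1]
            if t[1] == "none":
                findings.append(Finding(no, "*", "global ssl-server-verify none turns off certificate checks for every server"))
        elif t[0] == "bind":
            bind_plain = "ssl" not in t[1:]
        elif t[0] == "server" and len(t) > 2:
            name, opts = t[1], t[3:]
            if "ssl" not in opts and "check-ssl" not in opts:
                continue  # plain TCP to this server: nothing to verify
            i = opts.index("verify") if "verify" in opts else -1
            verify = opts[i + 1] if 0 <= i < len(opts) - 1 else global_verify
            if verify == "none":
                findings.append(Finding(no, name, "certificate verification disabled; pin the self-signed cert with ca-file and verify required instead"))
            elif "ca-file" not in opts:  # ca-base / crt-file variants not modelled
                findings.append(Finding(no, name, "verify required but no ca-file: no trust anchor for a self-signed cert"))
            if "ssl" in opts and bind_plain:
                findings.append(Finding(no, name, "ssl on server behind a plaintext bind: HAProxy re-encrypts the stream, so TLS sent by the client is double-wrapped; use check-ssl alone for pass-through"))
    return findings
```

Calling `lint(SAMPLE_CONFIG)` yields four findings: the global setting, two for sv1 (explicit `verify none` and re-encryption behind the plaintext bind), one for sv2 (inherited `none`), and none for the pinned sv3.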
