6

I've got a HAProxy LB solution set up and working correctly. All HTTP traffic on port 80 is being passed through successfully.

I'm now trying to get SSL traffic to work (in TCP mode and on just one server for now); however, I keep getting the following error when testing via openssl:

26396:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:588:

However, when I try the same test (openssl s_client -connect) on the web server's IP address and hostname, everything seems to look OK. I can set up a hosts record locally and confirm that the browsers are picking up the SSL certificate successfully for the domain.

I guess this has led me to the conclusion that there is a problem at the HAProxy setup I have, so would really appreciate some advice here.

frontend https-c-in
    bind 178.79.xxx.xxx:443
    mode tcp
    default_backend c-https

backend c-https
    balance source
    option ssl-hello-chk
    option httpclose
    server  c-web-01 192.168.xxx.xxx:443 check inter 2000 rise 2 fall 5
outeredge

1 Answer

23

I've solved it!

You must have 'mode tcp' in both the frontend and backend, ugh.

frontend https-c-in
   bind 178.79.xxx.xxx:443
   mode tcp
   default_backend c-https

backend c-https
   balance source
   mode tcp
   option ssl-hello-chk
   server  c-web-01 192.168.xxx.xxx:443 check inter 2000 rise 2 fall 5
outeredge
  • 6
    "mode tcp" is the default. If you need to specify it in both sections, then this means you have a "defaults" section above which sets "mode http" and possibly other settings. I strongly suggest that you don't put some TCP sections after such a defaults section. Better define a new defaults section for TCP settings in order to reset those dedicated to HTTP. – Willy Tarreau Feb 18 '11 at 06:20
  • 1
    Thanks Willy, how would you define more than one defaults section? – outeredge Feb 18 '11 at 10:42
  • 2
    A new block starting with 'defaults' will start a new default section allowing you to override the previous one. This is handy when you are load balancing multiple HTTP, HTTPS and FTP through the same haproxy setup. I'm in the habit of putting a big 3 line comment to make it very obvious what it is and give it a name. – flickerfly Jul 16 '15 at 19:23
  • 1
    @outeredge, good job! you're a life saver! – Artanis Zeratul Aug 16 '19 at 00:59
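
The inheritance rule discussed in the comments, as an added example that is not part of the original thread: a small checker that resolves each proxy's effective `mode` from the most recent `defaults` section and flags a frontend whose mode differs from its `default_backend`. The sample config, its addresses and the `defaults` section with `mode http` are constructed (the latter is what the first comment infers), and named `defaults` sections selected with `from` are not handled.

```python
import re
SECTION = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")

def effective_modes(cfg):
    """Map (kind, name) -> effective mode, and proxy -> default_backend name."""
    inherited = "tcp"               # built-in default when no section sets a mode
    modes, links, current = {}, {}, None
    for raw in cfg.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        m = SECTION.match(" ".join(words))
        if m:
            current = m.groups()    # (kind, name)
            if current[0] == "defaults":
                inherited = "tcp"   # a new defaults section resets the previous one
            elif current[0] != "global":
                modes[current] = inherited
        elif words[0] == "mode" and len(words) > 1 and current:
            if current[0] == "defaults":
                inherited = words[1]
            elif current in modes:
                modes[current] = words[1]
        elif words[0] == "default_backend" and len(words) > 1 and current in modes:
            links[current] = words[1]
    return modes, links

def mode_mismatches(cfg):
    """Frontends whose mode differs from the mode of their default_backend."""
    modes, links = effective_modes(cfg)
    out = []
    for fe, be in links.items():
        be_mode = modes.get(("backend", be)) or modes.get(("listen", be))
        if be_mode and modes[fe] != be_mode:
            out.append((fe[1], modes[fe], be, be_mode))
    return out

# Constructed sample: HTTP defaults followed by the question's TLS pass-through proxies.
BROKEN = """
defaults
    mode http
frontend https-c-in
    mode tcp
    default_backend c-https
backend c-https
    server c-web-01 10.0.0.11:443 check
"""
# The same proxies placed after a second defaults section that resets the HTTP settings.
FIXED = BROKEN.replace("frontend https-c-in", "defaults\n    mode tcp\nfrontend https-c-in", 1)
```

`mode_mismatches(BROKEN)` reports the backend silently inheriting `http`, while `FIXED` comes back clean without any per-backend `mode tcp` line.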