Unable to configure haproxy with ssl

Question

I want to make my server ssl protected, it has two parts one for website and another for application.

to balance them we have used haproxy. Now we want to secure this haproxy. I have installed the certificates and key files

While configuring haproxy.cfg as follow :

frontend https
bind    *:443 ssl crt /etc/ssl/ssl.key/myserver.key /etc/ssl/certs/www_appointpress_com.ca-bundle /etc/ssl/certs/somefile.crt
acl hari path_beg /customers
acl css path_beg /assets
reqadd X-Forwarded-Proto:\ https
default_backend appointpress_site

while restarting haproxy I am getting error like :

bind only supports transparent ...... options.

How can I resolve this error

SSL support in HAProxy is very new. The Stable 1.4 series doesn't have it, but the development 1.5 does. Are you using 1.5? — sysadmin1138, Jul 17 '13 at 11:37
yep I had 1.4.19 installed now I want to upgrade then how can I — lord_linus, Jul 17 '13 at 11:54
Hey I have updated my haproxy with 1.5 but getting the same error — lord_linus, Jul 18 '13 at 07:10
Did you compile it yourself? I'm wondering if https support is added by default or not — hookenz, Nov 29 '13 at 03:34
If you're using Debian-based (debian, ubuntu) or RedHat-based (rhel, centos) distros, you can use haproxy package repository from https://haproxy.debian.net/ resp. https://www.rpmfind.net/linux/rpm2html/search.php?query=haproxy — Ondra Sniper Flidr, Oct 12 '16 at 07:36

score 0 · Answer 1 · answered Nov 29 '13 at 03:16

Try this , in at least this version (own built)

root@server5:~# haproxy -vv

HA-Proxy version 1.5-dev17 2012/12/28
Copyright 2000-2012 Willy Tarreau <w@1wt.eu>

Build options :
  TARGET  = linux2628
  CPU     = native
  CC      = gcc
  CFLAGS  = -O2 -march=native -g -fno-strict-aliasing
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1 USE_STATIC_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.3.4
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1 14 Mar 2012
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Then try a configuration of this kind in haproxy

listen ssl_relay 192.168.128.101:443
    # this only works with 1.5 haproxy, it accepts multiple SSL en sends it 
    # off to the correct backend which does the SSL termination.
    mode tcp
    balance roundrobin
    option tcplog
    option socket-stats
    # option ssl-hello-chk  -> This is not be needed anymore, in fact, 
    # it needs to be off

    # maximum SSL session ID length is 32 bytes.
    stick-table type binary len 32 size 30k expire 30m

    # make sure we cover type 1 (fallback), although chances are it will
    # not route correctly, it will terminate on ssl
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2

    # use tcp content accepts to detects ssl client and server hello.
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello

    # no timeout on response inspect delay by default.
    tcp-response content accept if serverhello

    # SSL session ID (SSLID) may be present on a client or server hello.
    # Its length is coded on 1 byte at offset 43 and its value starts
    # at offset 44.

    # Match and learn on request if client hello.
    stick on payload_lv(43,1) if clienthello

    # Learn on response if server hello.
    stick store-response payload_lv(43,1) if serverhello

    # intercept incoming TLS requests based on the SNI field
    use-server xtp2_83 if { req_ssl_sni -i proudsslsite.com }
    use-server xtp2_83 if { req_ssl_sni -i www.proudsslsite.com }

    use-server xtp2_84 if { req_ssl_sni -i myothersecuremasterpiece.net }
    use-server xtp2_84 if { req_ssl_sni -i www.myothersecuremasterpiece.net } 

    server xtp2_83 192.168.128.1:483 weight 0
    server xtp2_84 192.168.128.2:484 weight 0

    # all the rest is forwarded to this server
    server xtp_default 192.168.128.3:443 check inter 10000 rise 2 fall 2

You just need to terminate the SSL on your webservers inside. So encrypt traffic all the way. This works for me.

While the supplied config might be helpful to the OP. your not answering the question or educating him. whats the cause of the OPs error and how does your config fix it? — Nath, Dec 06 '15 at 13:34
It's been 2 years. I'm sure he's either given up or succeeded. Your comment doesn't really add value towards a solution. His problem is he's using a version that is 1.4 (since he's not giving me the needed information before me typing my answer, it's was hard to determine what causes this at the time). Hence me mentioning that it works with 1.5. I expect him to at least know how to figure this out using this information. You should re-read all comments and see that I'm adding the needed information in order to compile haproxy himself. — Glenn Plas, Dec 06 '15 at 19:44

score -4 · Answer 2 · answered Nov 02 '15 at 13:44

-4

I know that doesn't answer really to your question but you could try to replace HAproxy by Pound which is pretty easy to configure over HTTPS and it will do the same as HAproxy in your case.

answered Nov 02 '15 at 13:44

lazzio

306
1
2
11

Unable to configure haproxy with ssl

2 Answers2

Linked