
I have a load-balanced infrastructure in which there is an HAProxy server as the load balancer and some Apache servers as backends. I want to forward HTTPS traffic to the backends. I know there are two ways of doing this: SSL termination, which handles the SSL encryption/decryption at the HAProxy server, and SSL pass-through, which forwards the HTTPS traffic to the backend server. Here's my configuration for HAProxy:

global
    log         127.0.0.1 local2     #Log configuration
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon
    stats socket /var/lib/haproxy/stats

defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

frontend http_main
    bind *:80
    mode http
    option http-server-close
    option forwardfor
    default_backend app-main

backend app-main
    balance roundrobin
    server web1 192.168.1.25:80

frontend https_main
    bind *:443
    mode tcp
    option tcplog
    default_backend app-ssl

backend app-ssl
    balance roundrobin
    mode tcp
    option ssl-hello-chk
    server web1 192.168.1.25:443 ssl no-sslv3

My backend server also has a public IP address. When I check my domain with the public IP of the backend server, I can see the website correctly with a valid SSL certificate in the browser. But when I check the domain with the IP address of the load balancer, I get the following error in Firefox:

An error occurred during a connection to mydomain.com. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the web site owners to inform them of this problem.

I have added the local IP address 192.168.1.25 to the httpd.conf of the backend server for both the HTTP and HTTPS virtual host configurations. I think the problem is with checking the SSL certificate from the backend server, but I have no idea how to resolve this.
Any help is appreciated.

Sinai
  • `server ... ssl` is incorrect on a backend where the backend server is terminating the client's SSL. That's telling HAProxy to negotiate SSL with the backend, and present the unencrypted payload to the frontend. – Michael - sqlbot Jun 17 '17 at 23:26
  • @Michael-sqlbot, thank you for the reply. But may you please explain more and if possible may you please provide me with some configurations? You mean my HAProxy configuration is correct and there is something wrong with my backend server? How should I fix that? When I connect to the backend with Public IP address everything works fine. The problem is with its local IP I think. – Sinai Jun 18 '17 at 04:18
  • Ah, you mean there is something wrong with server web1 192.168.1.25:443 ssl no-sslv3, am I right? I removed ssl no-sslv3 but nothing's changed! May you please tell me the correct configurations? – Sinai Jun 18 '17 at 04:30
  • Correct. If the frontend `bind` doesn't use `ssl` *and* you're using `mode tcp`, *and* the client speaks SSL, then `ssl` on the server config line is a nonsensical configuration. – Michael - sqlbot Jun 18 '17 at 06:14
  • @Michael-sqlbot, what do you mean by "If the frontend bind doesn't use ssl and you're using mode tcp, and the client speaks SSL"? The requests are for port 443 when using https in front of a URL! Honestly I could not understand what I should do to make SSL work on HAProxy! As I said, I removed ssl on the server config line, but nothing's changed! Could you please provide me with a configuration or help put me on the right track? – Sinai Jun 18 '17 at 06:51
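The distinction Michael's comments draw is easier to see with both configurations written out side by side. The following is an added illustration, not part of the question or of HAProxy's own documentation: it reuses the addresses and section names from the question, and the certificate path in the termination variant is an assumption. The point it makes is that in pass-through mode HAProxy must not speak TLS on either side; with `ssl` on the server line, HAProxy would wrap the browser's already-encrypted TLS records inside a second TLS session to Apache, Apache cannot parse what it decrypts as HTTP, and whatever it sends back reaches the browser as bytes that are not a TLS record, which is what `SSL_ERROR_RX_RECORD_TOO_LONG` reports.

```haproxy
# Added example: two self-consistent ways to carry HTTPS through HAProxy.
# Only one of the two 443 frontends can be active at a time (they bind the
# same port); they are shown together for comparison. Backend address is the
# one from the question; the certificate path is an assumption.

# --- Option 1: SSL pass-through (what the question's config is aiming for) ---
# The browser's TLS session terminates on the Apache backend. HAProxy only
# relays bytes, so the frontend bind has no 'ssl' and the server line has no
# 'ssl' either. The client's certificate validation is against Apache's cert.
frontend https_passthrough
    bind *:443
    mode tcp
    option tcplog
    default_backend app-ssl-passthrough

backend app-ssl-passthrough
    mode tcp
    balance roundrobin
    option ssl-hello-chk                 # health check sends an SSL hello to the backend
    server web1 192.168.1.25:443 check   # 'check' is required, or ssl-hello-chk never runs

# --- Option 2: SSL termination on HAProxy ---
# HAProxy holds the certificate and decrypts; the backend sees plain HTTP on
# port 80. The PEM file must contain cert, chain and private key and be
# readable by the haproxy user before the chroot takes effect.
frontend https_terminate
    bind *:443 ssl crt /etc/haproxy/certs/mydomain.pem   # path is an assumption
    mode http
    option httplog
    option forwardfor
    http-request set-header X-Forwarded-Proto https      # lets Apache know the client used HTTPS
    default_backend app-main

backend app-main
    mode http
    balance roundrobin
    server web1 192.168.1.25:80 check
```

After editing, validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading, then connect to the load balancer from outside with `openssl s_client -connect <lb-ip>:443 -servername mydomain.com`: with option 1 the certificate shown must be Apache's, with option 2 it is the one HAProxy loaded from the PEM file, and in neither case should the handshake fail. In pass-through mode the `https` virtual host on Apache has to answer for 192.168.1.25 as well as the public address, since that is the destination HAProxy connects to.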

0 Answers