
I am setting up HAproxy LB in AWS environment as I am unable to use ELB. This is the requirement which forced me to go for HAproxy route: There are multiple websites that will run on one server. The websites need to run over https. The site code requires https connection to reach it. It redirects if http code reaches it. So I have to bind each website to a unique IP and have SSL termination there.

This is what I am doing right now:

2 subnets:

HAproxy subnet is public and Webserver subnet is private

All traffic from the webserver is being routed to the instance running HAproxy. For testing, I have just added one site to HAproxy. I am terminating the connection at HAproxy first, decrypting it, reading the host value and then based on that redirecting it to the IP with which that website has been mapped on the webserver over https. This is the existing config:

frontend https_traffic
        # TLS is terminated here; converted.pem must hold the leaf certificate
        # first, followed by the intermediate chain, plus the private key.
        bind            10.100.210.229:443 ssl crt /ssl/converted.pem
        # Routing on hdr(host) only works in HTTP mode; added here in case no
        # defaults section (not shown) already sets it. httplog replaces tcplog
        # so the request line and Host header show up in the log.
        mode            http
        log             global
        option          httplog
        option          dontlognull
        timeout client  30s
        use_backend     secure_traffic1 if { hdr(host) -i work.xyzsite.net }


backend secure_traffic1
        mode            http
        balance roundrobin
        retries         2
        # pin each client to one server by its frontend TLS session id
        stick-table type binary len 32 size 30k expire 30m
        stick on ssl_fc_session_id
        timeout connect 5s
        timeout server  5s
        # only takes effect if the server line carries "check"; it sends an
        # SSLv3-style hello, which a backend with SSLv3 disabled may refuse
        option ssl-hello-chk
        # re-encrypt to IIS; "verify none" skips validation of the backend cert
        server          web1 10.100.10.16:443 ssl verify none

When I open the URL, most of the times I get "ERR_EMPTY_RESPONSE" in my browser, and the other times the site loads properly. I set haproxy log level to debug but don't see any errors in the logs.

Please help.

Aseem
  • I removed the dontlognull option and can now see "Connection closed during SSL handshake" entries in the log. Not sure if there is anything wrong with the web server (IIS), although nothing looks wrong. – Aseem Dec 11 '17 at 19:02

1 Answer


I would suggest to start with validating your certificates. Can you curl each website to validate the certs are working as expected?

Here is an example to run:

`curl --url 'https://yoursite.com/index.php' -v --cacert ./ca.pem`

The output will verify the connections and certificate(s) in play.

Steven K7FAQ
  • I tried what you suggested from HAproxy. I had the certificate in pfx format and I used openssl to extract the details. When done from the haproxy instance I get this error: "NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)". If I run curl with the -k option, then it works: * Server certificate: * subject: CN=*.xyzsite.net,OU=PositiveSSL Wildcard,OU=Domain Control Validated * common name: *.xyzsite.net * issuer: CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB < HTTP/1.1 200 OK – Aseem Dec 12 '17 at 14:34
  • curl -k (lower case k) disregards your certificates. You are having problems with the certificates. Please try extracting your key and certificate from the pfx file. Load your server up with just those. Can you https to your web page? Once you have that then add in your Intermediate Chains. You are struggling with configuration issues on your certificates. – Steven K7FAQ Dec 12 '17 at 15:10
  • Thanks Steven. When I extract the data from the pfx file, I am unable to get chain details. I am searching on the internet on ways to extract chain info as well. If you know a method, please do help. – Aseem Dec 12 '17 at 16:36
  • @Aseem IF the chain file was included when the pfx was created you can try `openssl pkcs12 -in my.pfx -cacerts -out my-ca.crt -passin pass:'password' -passout pass:'password'`. Please note that we use passwords on all of our pfx files. You may not. Also please verify the encryption method used. We used pkcs12. IF the chain file was not included you can go to your SSL provider and download their intermediate chain file. You can also create this file with other ssl keys depending on your application. Please note that not all websites need/use Intermediate chain files. – Steven K7FAQ Dec 12 '17 at 17:26
  • I was able to get the chain data extracted using a very convoluted method, and now from haproxy I am able to successfully curl to the backend website. But from the browser it still does not work. I tried curl from my desktop using the same .pem file and got "curl: (52) Empty reply from server". In the HAproxy logs: "Timeout during SSL handshake". I am re-encrypting the traffic, and using the same cert on the backend webserver and also on HAproxy. Not sure if that could be a matter here. – Aseem Dec 12 '17 at 17:42
  • There is a lot more to HaProxy than what you have provided in your example config. I am not familiar with some of the flags and manners you have used. Sorry I am not able to give you a definitive answer. We do not incorporate the SSL within HaProxy itself; we usually pass all traffic to the webserver, which handles the SSL. – Steven K7FAQ Dec 12 '17 at 17:57
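The answer and the comments above circle around two checks: getting the key, leaf and intermediate chain out of the pfx into the one PEM file HAProxy's `crt` loads, and proving that the leaf actually chains to the bundled intermediates before a browser is asked to trust it. The script below is an added example written for this thread (it is not code from the thread, from HAProxy or from OpenSSL): `pfx_to_haproxy_pem` does the extraction, `verify_haproxy_pem` does the offline chain and key-match check, and `make_demo_pfx` builds a throwaway root, intermediate and `*.xyzsite.net` leaf as constructed test data so the whole thing runs without a real certificate. All file names and the password are assumptions.

```sh
#!/bin/sh
# Added example for this thread, not HAProxy or OpenSSL project code.
# Turns a PKCS#12 (.pfx) export into the single PEM file that HAProxy's
# "bind ... ssl crt" expects, then checks offline that the leaf chains to the
# bundled intermediates. Everything make_demo_pfx produces is constructed data.
set -eu

# pem_blocks FILE leaf|chain : first CERTIFICATE block, or every block after it
pem_blocks() {
    awk -v which="$2" '/^-----BEGIN CERTIFICATE-----/ {n++; p=1}
        p && ((which == "leaf" && n == 1) || (which == "chain" && n >= 2)) {print}
        /^-----END CERTIFICATE-----/ {p=0}' "$1"
}

# pfx_to_haproxy_pem PFX PASSWORD OUT.pem
# OUT.pem = leaf certificate, intermediate chain (if the pfx carried one), private key
pfx_to_haproxy_pem() {
    pfx=$1; pass=$2; out=$3
    tmp=$(mktemp -d)
    # -clcerts: the certificate matching the key; -cacerts: the others; the sed
    # ranges drop the "Bag Attributes" preamble openssl prints before each block
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null \
        | sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' >"$tmp/leaf.pem"
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys 2>/dev/null \
        | sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' >"$tmp/chain.pem"
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
        | sed -n '/^-----BEGIN .*PRIVATE KEY-----/,/^-----END .*PRIVATE KEY-----/p' >"$tmp/key.pem"
    if [ ! -s "$tmp/leaf.pem" ] || [ ! -s "$tmp/key.pem" ]; then
        echo "$pfx: could not extract certificate and key (wrong password?)" >&2
        rm -rf "$tmp"; return 1
    fi
    [ -s "$tmp/chain.pem" ] || echo "$pfx: no intermediates inside; append the CA chain to $out" >&2
    cat "$tmp/leaf.pem" "$tmp/chain.pem" "$tmp/key.pem" >"$out"
    chmod 600 "$out"            # the file now holds the private key
    rm -rf "$tmp"
}

# verify_haproxy_pem OUT.pem ROOT_CA.pem
# 0 only if the key matches the leaf and leaf -> intermediates -> root validates.
# A leaf served without its intermediate fails the second step, which is what
# curl (without -k) and NSS report as an unknown issuer.
verify_haproxy_pem() {
    pem=$1; root=$2
    tmp=$(mktemp -d); rc=1
    pem_blocks "$pem" leaf  >"$tmp/leaf.pem"
    pem_blocks "$pem" chain >"$tmp/chain.pem"
    sed -n '/^-----BEGIN .*PRIVATE KEY-----/,/^-----END .*PRIVATE KEY-----/p' "$pem" >"$tmp/key.pem"
    if [ "$(openssl x509 -in "$tmp/leaf.pem" -noout -pubkey)" = "$(openssl pkey -in "$tmp/key.pem" -pubout)" ]; then
        # build the path to the root using only the intermediates bundled in the file
        if [ -s "$tmp/chain.pem" ]; then
            if openssl verify -CAfile "$root" -untrusted "$tmp/chain.pem" "$tmp/leaf.pem"; then rc=0; fi
        else
            if openssl verify -CAfile "$root" "$tmp/leaf.pem"; then rc=0; fi
        fi
    else
        echo "$pem: private key does not match the leaf certificate" >&2
    fi
    rm -rf "$tmp"
    return $rc
}

# make_demo_pfx DIR PASSWORD : constructed root -> intermediate -> wildcard leaf,
# exported as DIR/site.pfx the way a CA-issued bundle usually is (key, leaf, chain)
make_demo_pfx() {
    d=$1; pass=$2
    cat >"$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:*.xyzsite.net, DNS:xyzsite.net
EOF
    openssl req -x509 -config "$d/demo.cnf" -newkey rsa:2048 -nodes -days 2 \
        -subj '/CN=Demo Root CA' -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=Demo Intermediate CA' -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 2 -extfile "$d/demo.cnf" -extensions ca_ext -out "$d/int.pem" 2>/dev/null
    openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
        -subj '/CN=*.xyzsite.net' -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -days 2 -extfile "$d/demo.cnf" -extensions leaf_ext -out "$d/leaf.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.pem" -certfile "$d/int.pem" \
        -passout "pass:$pass" -out "$d/site.pfx"
}

# demo on the constructed data
WORK=$(mktemp -d)
make_demo_pfx "$WORK" 'changeit'
pfx_to_haproxy_pem "$WORK/site.pfx" 'changeit' "$WORK/converted.pem"
if verify_haproxy_pem "$WORK/converted.pem" "$WORK/root.pem"; then
    echo "converted.pem: key matches leaf and chain validates"
fi
```

On a real export the call is `pfx_to_haproxy_pem my.pfx 'password' /ssl/converted.pem` followed by `verify_haproxy_pem /ssl/converted.pem root.pem` with the CA's root certificate. If the warning about missing intermediates appears, the chain the comments mention has to be downloaded from the CA and appended directly after the leaf certificate; until it is, curl without `-k` and NSS-based clients will keep rejecting the issuer, whatever the backend does.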