How does a double layer of reverse proxy pass through invalid SSL cert?

Question

I have the following server setup:

                 +----------+        +-----------+
                 |          |        |           |
internet ----->  |   Kong   | -----> |  HAProxy  | -----> backend servers
                 |          |        |           |
                 +----------+        +-----------+

• Kong is set port 443 binding with a valid SSL cert
• HAProxy is set up with port 443 binding and a redirect from port 80 to 443

Now I just found that the SSL cert installed in the HAProxy expired. However, it's not visible through the internet because they access through Kong and Kong has a valid SSL cert. Accessing the HAProxy directly gives a SSL certificate problem: certificate has expired error. What is the explanation for this? How does the first layer of reverse proxy's SSL cert suppress the error on the second layer?

Answer 1

How does the first layer of reverse proxy's SSL cert suppress the error on the second layer?

The clients create a SSL connection to Kong and will only check the certificate from Kong. Kong creates an independent SSL connection to HAProxy and should check the certificate from HAProxy. Then only the application payload gets passed through between client and server via Kong and HAProxy, but not any SSL related information.

How does the first layer of reverse proxy's SSL cert suppress the error on the second layer?

It does not suppress anything. There is no mechanism to pass thru SSL errors at the application level. Proper validation of the certificate from HAProxy by Kong should lead to a connection close, i.e. not forwarding any of the application data between client and server. But if the certificate is not properly validated by Kong then certificate errors will not be noticed and the application data will be forwarded between client and server. The client will not notice anything since it sees only the certificate by Kong.