Netgate Discussion Forum
    HAProxy - Reverse proxy ssl error after config reload

    Category: Cache/Proxy
    6 Posts, 2 Posters, 2.8k Views
    vshaulsk:

      Good Day!

      I have had a working pfSense firewall for a few years, with no issues.

      • I started having trouble with the hard drives (some old 5400 RPM laptop drives),
        so last weekend I backed up my configuration,
        installed some 10K RPM drives and reinstalled pfSense.
        I reloaded the configuration and everything came back to life, except HAProxy.
      • Up to this point HAProxy had been working great as a reverse proxy for several back-ends.

      All other modules work and are configured as before. Even the HAProxy settings are exactly as they were before the reinstall.

      The HAProxy application is on, but I get an SSL error when trying to connect:

      • Secure connection cannot be established - ERR_SSL_PROTOCOL_ERROR

      So far nothing I have done has resolved the error:

      • different SSL certificate
      • uninstall and reinstall HAProxy
      • tried to reload the config

      I can't seem to find a solution. Looking at the config file, everything looks correct.

      Any suggestions as to what may be causing the problem?

      Also, when I remove and reinstall the HAProxy package the configuration is not erased. How do I remove the configuration, so that I can rebuild from scratch or just manually reload the saved configuration?

      Thank you for the help!!

      PiBa (reply to vshaulsk):

        @vshaulsk
        As part of the reinstallation you also got a new haproxy package version. Please check that you are using the latest version at this moment; last week's version had a few more issues than the current one.

        Also double-check your backend server settings: there are now two SSL checkboxes, one for encrypting the health check and one for the actual traffic. But if you are using SSL/HTTPS mode with SNI, you might not want to encrypt the traffic again in the backend.

        If this doesn't help, can you post your haproxy.cfg from the bottom of the Settings tab?

        vshaulsk (reply to PiBa):

          @piba

          None of the backends use SSL, only the front end.

          Here is my config:

          # Automatically generated, don't edit manually.
          # Generated on: 2018-08-03 10:16

          global
          maxconn 1000
          stats socket /tmp/haproxy.socket level admin
          uid 80
          gid 80
          nbproc 1
          hard-stop-after 15m
          chroot /tmp/haproxy_chroot
          daemon
          tune.ssl.default-dh-param 2048
          server-state-file /tmp/haproxy_server_state
          # Modern browser compatibility only as mentioned here:
          # https://wiki.mozilla.org/Security/Server_Side_TLS
          ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
          tune.ssl.default-dh-param 2048

          # Time-to-first-Byte (TTFB) value needs to be optimized based on
          # the actual public certificate chain see
          # https://www.igvita.com/2013/10/24
          # /optimizing-tls-record-size-and-buffering-latency/
          tune.ssl.maxrecord 1370
          

          listen HAProxyLocalStats
          bind 127.0.0.1:2200 name localstats
          mode http
          stats enable
          stats admin if TRUE
          stats show-legends
          stats uri /haproxy/haproxy_stats.php?haproxystats=1
          timeout client 5000
          timeout connect 5000
          timeout server 5000

          frontend wanhttp
          bind 134.228.159.239:80 name 134.228.159.239:80
          mode http
          log global
          option http-keep-alive
          option forwardfor
          acl https ssl_fc
          http-request set-header X-Forwarded-Proto http if !https
          http-request set-header X-Forwarded-Proto https if https
          timeout client 30000
          default_backend sslredirect_ipvANY

          frontend wanhttps-merged
          bind 127.0.0.1:2043 name 127.0.0.1:2043 no-sslv3 ssl crt /var/etc/haproxy/wanhttps.pem crt /var/etc/haproxy/wanhttps crt-list /var/etc/haproxy/wanhttps.crt_list accept-proxy npn http/1.1
          mode http
          log global
          option http-keep-alive
          option forwardfor
          acl https ssl_fc
          http-request set-header X-Forwarded-Proto http if !https
          http-request set-header X-Forwarded-Proto https if https
          timeout client 7200000
          # Remove headers that expose security-sensitive information.
          rspidel ^Server:.*$
          rspidel ^X-Powered-By:.*$
          rspidel ^X-AspNet-Version:.*$

          # add some security related headers
          rspadd Content-Security-Policy:\ default-src\ https:\ data:\ \'unsafe-inline\'\ \'unsafe-eval\'
          rspadd X-Frame-Options:\ SAMEORIGIN
          rspadd X-Content-Type-Options:\ nosniff
          rspadd X-Xss-Protection:\ 1;\ mode=block
          acl			aclcrt_wanhttps	var(txn.txnhost) -m reg -i ^shaulskiy\.com(:([0-9]){1,5})?$
          acl			shaulskiy.com	var(txn.txnhost) -m str -i shaulskiy.com
          acl			www.shaulskiy.com	var(txn.txnhost) -m str -i www.shaulskiy.com
          acl			vmusic	var(txn.txnhost) -m str -i vmusic.shaulskiy.com
          acl			plexrequests	var(txn.txnhost) -m str -i plex-requests.shaulskiy.com
          acl			email	var(txn.txnhost) -m str -i mail.shaulskiy.com
          http-request set-var(txn.txnhost) hdr(host)
          use_backend shaulskiy_ipvANY  if  shaulskiy.com 
          use_backend shaulskiy_ipvANY  if  www.shaulskiy.com 
          use_backend vmusic_ipvANY  if  vmusic 
          use_backend plexrequests_ipvANY  if  plexrequests 
          use_backend email_ipvANY  if  email 
          use_backend none_ipvANY  if   aclcrt_wanhttps
          default_backend none_ipvANY
          default_backend none_ipvANY
          default_backend none_ipvANY
          default_backend none_ipvANY
          

          frontend wanexternal-merged
          bind 134.228.159.239:443 name 134.228.159.239:443
          mode tcp
          log global
          timeout client 7200000
          tcp-request inspect-delay 5s
          tcp-request content accept if { req.ssl_hello_type 1 } or !{ req.ssl_hello_type 1 }
          acl acl req.ssl_hello_type 1
          default_backend none_ssl_ipvANY
          default_backend wanhttps_ipvANY

          backend sslredirect_ipvANY
          mode http
          id 107
          log global
          http-response set-header Strict-Transport-Security max-age=31536000;
          rspirep ^(Set-Cookie:((?!;\ secure).)*)$ \1;\ secure if { ssl_fc }
          timeout connect 30000
          timeout server 30000
          retries 3
          redirect scheme https code 301

          backend none_ipvANY
          mode http
          id 104
          log global
          http-response set-header Strict-Transport-Security max-age=31536000;
          rspirep ^(Set-Cookie:((?!;\ secure).)*)$ \1;\ secure if { ssl_fc }
          timeout connect 30000
          timeout server 30000
          retries 3
          server none 127.0.0.1:80 id 100 disabled

          backend shaulskiy_ipvANY
          mode http
          id 111
          log global
          http-response set-header Strict-Transport-Security max-age=31536000;
          rspirep ^(Set-Cookie:((?!;\ secure).)*)$ \1;\ secure if { ssl_fc }
          timeout connect 30000
          timeout server 30000
          retries 3
          option httpchk OPTIONS /
          server shaulskiy 192.168.100.50:80 id 112 check inter 1000

          backend vmusic_ipvANY
          mode http
          id 102
          log global
          http-response set-header Strict-Transport-Security max-age=31536000;
          rspirep ^(Set-Cookie:((?!;\ secure).)*)$ \1;\ secure if { ssl_fc }
          timeout connect 30000
          timeout server 30000
          retries 3
          option httpchk OPTIONS /
          server vmusic 192.168.1.31:4040 id 103 check inter 1000

          backend plexrequests_ipvANY
          mode http
          id 113
          log global
          http-response set-header Strict-Transport-Security max-age=31536000;
          rspirep ^(Set-Cookie:((?!;\ secure).)*)$ \1;\ secure if { ssl_fc }
          timeout connect 30000
          timeout server 30000
          retries 3
          option httpchk OPTIONS /
          server plexrequests 192.168.1.31:3579 id 114 check inter 1000

          backend email_ipvANY
          mode http
          id 115
          log global
          http-response set-header Strict-Transport-Security max-age=31536000;
          rspirep ^(Set-Cookie:((?!;\ secure).)*)$ \1;\ secure if { ssl_fc }
          timeout connect 30000
          timeout server 30000
          retries 3
          option httpchk OPTIONS /
          server email 192.168.100.6:443 id 116 ssl check inter 1000 verify none

          backend none_ssl_ipvANY
          mode tcp
          id 105
          log global
          timeout connect 30000
          timeout server 30000
          retries 3
          server none 127.0.0.1:80 id 106 disabled

          backend wanhttps_ipvANY
          mode tcp
          id 109
          log global
          timeout connect 30000
          timeout server 7200000
          retries 3
          server wanhttps 127.0.0.1:2043 id 110 ssl verify none send-proxy

          PiBa (reply to vshaulsk):

            @vshaulsk said in HAProxy - Reverse proxy ssl error after config reload:

            server wanhttps 127.0.0.1:2043 id 110 ssl verify none send-proxy

            Looks like that does have an SSL checkbox set, where perhaps it should not be.
            If it's the 'encrypt ssl' one, change that to the 'ssl check' box perhaps?

            PiBa (reply to vshaulsk):

              @vshaulsk
              Also, this frontend has two defaults, but no way to determine which backend it should actually take.
              You will need to add ACLs and use_backend actions there:

              frontend wanexternal-merged
              	default_backend none_ssl_ipvANY
              	default_backend wanhttps_ipvANY
              
              vshaulsk (reply to PiBa):

                @piba

                You were correct; I had to change the SSL checkbox for the wanhttps.

                Now everything is working and I am back to the SSL Labs A+ rating (if that is worth anything).

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.