SSL_ERROR_RX_RECORD_TOO_LONG
-
Really new to setting up HAproxy and definitely going through some growing pains here.
I’m accessing my website directly. I’m using pfSense 2.4.4 with the haproxy plugin (version 1.8.23).
I have valid Let’s Encrypt certificates installed with pfSense for my domain. I’m trying to use HAProxy simply as a reverse proxy with SSL termination for a backend Apache web server (only running on port 80).
I’m receiving errors when trying to access the site directly by my IP address:
Firefox: An error occurred during a connection to 69.xxx.xxx.xxx. SSL received a record that exceeded the maximum permissible length. Error code: SSL_ERROR_RX_RECORD_TOO_LONG
Chrome: ERR_SSL_PROTOCOL_ERROR
Here is my HAProxy config file:
# Automaticaly generated, dont edit manually.
# Generated on: 2020-01-21 10:32
global
    maxconn 1000
    stats socket /tmp/haproxy.socket level admin expose-fd listeners
    gid 80
    nbproc 1
    nbthread 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048
    log-send-hostname url.com-HA
    server-state-file /tmp/haproxy_server_state
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend shared-frontend-WAN-and-LAN-merged
    bind 69.xxx.xxx.xxx:443 name 69.xxx.xxx.xxx:443 ssl crt-list /var/etc/haproxy/shared-frontend-WAN-and-LAN.crt_list
    bind 10.0.1.1:443 name 10.0.1.1:443 ssl crt-list /var/etc/haproxy/shared-frontend-WAN-and-LAN.crt_list
    mode http
    log global
    option http-keep-alive
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000
    acl ACL1 var(txn.txnhost) -m str -i url.com
    acl ACL2 var(txn.txnhost) -m str -i www.url.com
    http-request set-var(txn.txnhost) hdr(host)
    use_backend url.com_ipv4 if ACL1
    use_backend url.com_ipv4 if ACL2

frontend http-to-https
    bind 69.xxx.xxx.xxx:80 name 69.xxx.xxx.xxx:80
    mode http
    log global
    option http-keep-alive
    timeout client 30000
    redirect scheme https code 301 if !{ ssl_fc }

backend url.com_ipv4
    mode http
    id 10102
    log global
    option log-health-checks
    timeout connect 30000
    timeout server 30000
    retries 3
    source ipv4@ usesrc clientip
    option httpchk OPTIONS /
    server url.com 10.0.1.158:80 id 10103 check inter 100
I generated the ssl-default-bind-ciphers/options, ssl-default-server-ciphers/options using the Mozilla SSL generator: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.1&config=intermediate
There is no listening 443 service on the backend as HAproxy should be doing the SSL Offloading.
Thanks for any advice.
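Firefox raises SSL_ERROR_RX_RECORD_TOO_LONG when the 5-byte header it reads from port 443 is not a TLS record header, so the bytes it interprets as the record length come out absurdly large; the classic trigger is a plaintext HTTP answer on the TLS port. The probe below is an added example (not from the post or from pfSense/HAProxy) that sends a hand-built ClientHello and classifies the first reply bytes, distinguishing a TLS listener from plaintext; the host and the SNI name url.com are placeholders taken from the post.

```python
import os
import socket

# Largest record a TLS client accepts: 2^14 bytes of plaintext plus 2048 bytes
# of expansion (RFC 5246). A larger length in the 5-byte header is what makes
# Firefox report SSL_ERROR_RX_RECORD_TOO_LONG.
MAX_RECORD_LEN = 2**14 + 2048
CONTENT_TYPES = {0x15: "alert", 0x16: "handshake"}

def classify_first_record(data: bytes) -> str:
    """Say what a TLS client makes of the first bytes read from the port."""
    if not data:
        return "no data: peer closed without sending anything"
    if len(data) >= 5 and data[0] in CONTENT_TYPES and data[1] == 0x03:
        return f"TLS {CONTENT_TYPES[data[0]]} record: the listener speaks TLS"
    # Not TLS, yet the client still reads bytes 3..4 as the record length.
    length = int.from_bytes(data[3:5], "big") if len(data) >= 5 else 0
    kind = "plaintext HTTP" if data.startswith(b"HTTP/") else "non-TLS data"
    if length > MAX_RECORD_LEN:
        return (f"{kind}: header parses as record length {length} > "
                f"{MAX_RECORD_LEN} (SSL_ERROR_RX_RECORD_TOO_LONG)")
    return kind

def client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello: one suite from the post's cipher list, plus SNI."""
    name = server_name.encode()
    entry = b"\x00" + len(name).to_bytes(2, "big") + name         # name type 0 = host_name
    names = len(entry).to_bytes(2, "big") + entry
    ext = b"\x00\x00" + len(names).to_bytes(2, "big") + names    # extension 0 = server_name
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"                # version, random, no session id
            + b"\x00\x02\xc0\x2f"                                 # ECDHE-RSA-AES128-GCM-SHA256
            + b"\x01\x00"                                         # null compression only
            + len(ext).to_bytes(2, "big") + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body            # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs      # record: handshake, TLS 1.0 legacy version

def probe(host: str, port: int = 443, server_name: str = "url.com",
          timeout: float = 5.0) -> str:
    """Send a ClientHello to host:port and classify the first bytes returned."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(client_hello(server_name))
        try:
            return classify_first_record(sock.recv(64))
        except socket.timeout:
            return "timeout: nothing received after ClientHello"

if __name__ == "__main__":
    import sys  # usage: probe.py <host-or-ip> [sni-name]
    print(probe(sys.argv[1], server_name=sys.argv[2] if len(sys.argv) > 2 else "url.com"))
```

A TLS alert reply still means the bind is terminating TLS (the problem is then certificate or SNI selection, not the listener), whereas a plaintext HTTP reply means the port is being served without `ssl`.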
-
@kevdog
Config seems to look fine. Does the haproxy stats page count your connection/request? And does it show the server as 'up'? Testing from 'outside'? Perhaps disable the transparent-client-ip feature until stuff starts working, then try enabling that again?