Haproxy with SSL offloading error



  • Trying to have an SSL-based web site be accessible via HAProxy.  The issue I'm having is I create an offloading profile based on the HAProxy example and when I try to access the web site I keep getting the following error:

    SSL peer was unable to negotiate an acceptable set of security parameters. Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT

    I'm using a Let's Encrypt certificate.  Does it make a difference if the back end uses HTTP or HTTPS?

    Any Help would be appreciated.

    Thanks

    cjb



  • Can you post the haproxy.cfg from the bottom of the settings tab?
    And what frontend are you trying to connect to (if you have multiple)? With what domain or other options if applicable?



  • Here are the sections of the config file relating to the backend called SecureNAS4 and the web site famille.accra.ca

    Thanks for the help

    cjb


    # Automaticaly generated, dont edit manually.
    # Generated on: 2017-08-21 15:25

    global
    maxconn 10000
    log /var/run/log local0 alert
    stats socket /tmp/haproxy.socket level admin
    uid 80
    gid 80
    nbproc 1
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 4096
    log-send-hostname HaproxyMasterNode
    server-state-file /tmp/haproxy_server_state
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM

    listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats refresh 10
    stats admin if TRUE
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

    frontend Secure-offloading-3
    bind 127.0.0.1:1443 name 127.0.0.1:1443 ssl  crt /var/etc/haproxy/Secure-offloading-3.pem crt /var/etc/haproxy/Secure-offloading-3 ca-file /var/etc/haproxy/clientca_Secure-offloading-3.pem verify required 
    bind /tmp/haproxy_chroot/Secure-offloading-3.socket name unixsocket uid 80 accept-proxy ssl  crt /var/etc/haproxy/Secure-offloading-3.pem crt /var/etc/haproxy/Secure-offloading-3 ca-file /var/etc/haproxy/clientca_Secure-offloading-3.pem verify required
    mode http
    log global
    option http-keep-alive
    timeout client 30000
    acl filoptoreg hdr(host) -i reg.filopto.com
    acl remotehelp hdr(host) -i remotehelp.accra.ca
    acl familleNas hdr(host) -i famille.accra.ca
    acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^accra.ca(:([0-9]){1,5})?$
    acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^famille.accra.ca(:([0-9]){1,5})?$
    acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^ftpweb.accra.ca(:([0-9]){1,5})?$
    acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^remotehelp.accra.ca(:([0-9]){1,5})?$
    acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^secure.accra.ca(:([0-9]){1,5})?$
    acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^filopto.com(:([0-9]){1,5})?$
    acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^reg.filopto.com(:([0-9]){1,5})?$
    acl aclcrt_Secure-offloading-3 hdr_reg(host) -i ^www.filopto.com(:([0-9]){1,5})?$
    use_backend WebServer214_http_ipvANY  if  filoptoreg aclcrt_Secure-offloading-3
    use_backend RemoteHelp25_http_ipvANY  if  remotehelp aclcrt_Secure-offloading-3
    use_backend SecureNAS4_http_ipvANY  if  familleNas aclcrt_Secure-offloading-3
    use_backend WEBServer14_http_ipvANY  if  aclcrt_Secure-offloading-3

    backend SecureNAS4_http_ipvANY
    mode http
    log global

    use mailers

    level  alert

    timeout connect 30000
    timeout server 30000
    retries 3
    server SecureNas4 192.168.20.4:6245 check inter 1000



  • Seeing you have "ca-file ..3.pem verify required", it looks like you require client certificates to be used / loaded in the browser. Is this something you indeed intend to require, and have created and loaded appropriate client certificates for?
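A small config check for the condition spotted in that reply, added here as an example and not code from the thread or from the HAProxy/pfSense packages: it walks the bind lines of an haproxy.cfg and reports every TLS listener with `verify required`, which makes HAProxy reject any browser that does not present a client certificate with a handshake alert like the one in the first post. The embedded config is a constructed excerpt modelled on the frontend posted above.

```python
import re

# Constructed sample: the first bind line mirrors the posted frontend,
# the other two frontends are made up to show a plain-HTTP listener and
# an "optional" client-certificate policy for contrast.
SAMPLE_CFG = """\
frontend Secure-offloading-3
    bind 127.0.0.1:1443 name 127.0.0.1:1443 ssl  crt /var/etc/haproxy/Secure-offloading-3.pem ca-file /var/etc/haproxy/clientca_Secure-offloading-3.pem verify required
    mode http
frontend plain-http
    bind 127.0.0.1:80 name plain
frontend optional-mtls
    bind 127.0.0.1:2443 ssl crt /var/etc/haproxy/other.pem ca-file /var/etc/haproxy/ca.pem verify optional
"""

SECTION_KEYWORDS = ("global", "defaults", "frontend", "listen", "backend")


def parse_bind_lines(cfg):
    """Yield (section_name, bind_option_tokens) for every bind line."""
    section = None
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and indentation
        if not line:
            continue
        tokens = line.split()
        if tokens[0] in SECTION_KEYWORDS:
            section = tokens[1] if len(tokens) > 1 else tokens[0]
        elif tokens[0] == "bind" and section is not None:
            yield section, tokens[1:]


def client_cert_policy(tokens):
    """Return the 'verify' setting of a TLS bind ('required', 'optional',
    'none'), 'none' when ssl is set without verify (HAProxy's default),
    or None for a bind line that does not terminate TLS at all."""
    if "ssl" not in tokens:
        return None
    for i, tok in enumerate(tokens):
        if tok == "verify" and i + 1 < len(tokens):
            return tokens[i + 1]
    return "none"


def find_mtls_binds(cfg):
    """List (section, address, policy) for binds that demand a client cert."""
    return [(section, tokens[0], policy)
            for section, tokens in parse_bind_lines(cfg)
            if (policy := client_cert_policy(tokens)) == "required"]


if __name__ == "__main__":
    for section, addr, policy in find_mtls_binds(SAMPLE_CFG):
        print(f"{section}: bind {addr} uses 'verify {policy}'; clients without "
              f"a certificate signed by the ca-file will fail the TLS handshake")
```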



  • Thanks, I will try it without that setting and see if it works.

    cjb



  • Thanks that worked.

    cjb