Updated to HAProxy 0.55, now strange SSL error when offloading
-
I had a working HAProxy configuration, however after updating to 0.55 the SSL offloading part of my config seems to be broken.
Were there some breaking changes that I have missed?
Here is my config:
    # Automaticaly generated, dont edit manually.
    # Generated on: 2018-01-12 06:52

    global
        maxconn 20000
        stats socket /tmp/haproxy.socket level admin expose-fd listeners
        gid 80
        nbproc 1
        nbthread 1
        hard-stop-after 15m
        chroot /tmp/haproxy_chroot
        daemon
        tune.ssl.default-dh-param 2048
        server-state-file /tmp/haproxy_server_state
        tune.ssl.maxrecord 1370
        ssl-default-bind-options no-sslv3 no-tls-tickets
        ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

    listen HAProxyLocalStats
        bind 127.0.0.1:2200 name localstats
        mode http
        stats enable
        stats admin if TRUE
        stats uri /haproxy/haproxy_stats.php?haproxystats=1
        timeout client 5000
        timeout connect 5000
        timeout server 5000

    frontend frontend1_http
        bind 192.168.0.15:80 name 192.168.0.15:80
        mode http
        log global
        option http-keep-alive
        option forwardfor
        acl https ssl_fc
        http-request set-header X-Forwarded-Proto http if !https
        http-request set-header X-Forwarded-Proto https if https
        timeout client 30000
        acl acl-http hdr_beg(host) -i test.example.io
        acl acl-https hdr_beg(host) -i chat
        acl acl-https hdr_beg(host) -i ombi
        acl acl-https hdr_beg(host) -i mb
        acl acl-https hdr_beg(host) -i rss
        acl acl-https hdr_beg(host) -i latex
        acl acl-https hdr_beg(host) -i blog
        acl acl-https hdr_beg(host) -i jd
        acl acl-https hdr_beg(host) -i home
        acl acl-https hdr_beg(host) -i fab
        acl acl-https hdr_beg(host) -i pf
        acl acl-https hdr_beg(host) -i hydra
        acl acl-https hdr_beg(host) -i b.example.io
        acl acl-https hdr_beg(host) -i ab.example.io
        acl acl-https hdr_beg(host) -i speed
        acl acl-https hdr_beg(host) -i plex
        http-request redirect scheme https if acl-https
        use_backend backend-speedtest_http_ipvANY if acl-http

    frontend frontend2_sni
        bind 192.168.0.15:443 name 192.168.0.15:443
        mode tcp
        log global
        timeout client 30000
        tcp-request inspect-delay 5s
        acl cloud_sni req.ssl_sni -m beg -i cloud
        tcp-request content accept if { req.ssl_hello_type 1 }
        use_backend backend_cloud_https_ipvANY if cloud_sni
        default_backend backend_offloading_https_ipvANY

    frontend frontend3_offloading
        bind 127.0.0.1:1443 name 127.0.0.1:1443 ssl crt /var/etc/haproxy/frontend3_offloading.pem crt-list /var/etc/haproxy/frontend3_offloading.crt_list
        bind /tmp/haproxy_chroot/frontend3_offloading.socket name unixsocket uid 80 accept-proxy crt /var/etc/haproxy/frontend3_offloading.pem
        mode http
        log global
        option http-keep-alive
        option forwardfor
        acl https ssl_fc
        http-request set-header X-Forwarded-Proto http if !https
        http-request set-header X-Forwarded-Proto https if https
        timeout client 30000
        #
        #rspidel ^Server:.*$
        #rspidel ^X-Powered-By:.*$
        #rspidel ^X-AspNet-Version:.*$
        #http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload
        #http-response set-header X-Frame-Options SAMEDOMAIN
        #http-response set-header X-Content-Type-Options nosniff
        acl chatACL hdr_beg(host) -i chat
        acl ombiACL hdr_beg(host) -i ombi
        acl latexACL hdr_beg(host) -i latex
        acl rssACL hdr_beg(host) -i rss
        acl mbACL hdr_beg(host) -i mb
        acl embyACL hdr_beg(host) -i emby
        acl plexACL hdr_beg(host) -i plex
        acl jdACL hdr_beg(host) -i jd
        acl homeACL hdr_beg(host) -i home
        acl fabACL hdr_beg(host) -i fab
        acl pfACL hdr_beg(host) -i pf
        acl hydraACL hdr_beg(host) -i hydra
        acl speedACL hdr_beg(host) -i speed
        acl audiobooksACL hdr(host) -i ab.example.io
        acl booksACL hdr(host) -i b.example.io
        acl aclcrt_frontend3_offloading hdr_reg(host) -i ^([^\.]*)\.domain\.de(:([0-9]){1,5})?$
        acl aclcrt_frontend3_offloading hdr_reg(host) -i ^domain\.de(:([0-9]){1,5})?$
        use_backend backend-chat_http_ipv4 if chatACL aclcrt_frontend3_offloading
        use_backend backend-ombi_http_ipv4 if ombiACL aclcrt_frontend3_offloading
        use_backend backend-latex_http_ipv4 if latexACL aclcrt_frontend3_offloading
        use_backend backend-rss_http_ipv4 if rssACL aclcrt_frontend3_offloading
        use_backend backend-emby_http_ipv4 if embyACL aclcrt_frontend3_offloading
        use_backend backend-jd_http_ipv4 if jdACL aclcrt_frontend3_offloading
        use_backend backend-emby_http_ipv4 if mbACL aclcrt_frontend3_offloading
        use_backend backend-home_http_ipv4 if homeACL aclcrt_frontend3_offloading
        use_backend backend-fabian-blog_http_ipv4 if fabACL aclcrt_frontend3_offloading
        use_backend backend-pf_http_ipv4 if pfACL aclcrt_frontend3_offloading
        use_backend backend-hydra_http_ipv4 if hydraACL aclcrt_frontend3_offloading
        use_backend backend-speedtest_http_ipv4 if speedACL aclcrt_frontend3_offloading
        use_backend backend-audiobooks_http_ipv4 if audiobooksACL aclcrt_frontend3_offloading
        use_backend backend-books_http_ipv4 if booksACL aclcrt_frontend3_offloading
        use_backend backend-plex_http_ipv4 if plexACL aclcrt_frontend3_offloading

    backend backend-speedtest_http_ipvANY
        mode http
        log global
        rspadd Strict-Transport-Security:\ max-age=31536000;
        timeout connect 30000
        timeout server 30000
        retries 3
        server speed 192.168.0.19:2020 check inter 1000

    backend backend_cloud_https_ipvANY
        mode tcp
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        server cloud 192.168.0.21:2443 check-ssl verify none

    backend backend_offloading_https_ipvANY
        mode tcp
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        server backend-to-frontend /frontend3_offloading.socket send-proxy-v2-ssl-cn check inter 1000

    backend backend-chat_http_ipv4
        mode http
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        server chat 192.168.0.21:3000 check inter 1000

    backend backend-ombi_http_ipv4
        mode http
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        server ombi 192.168.0.19:3579 check inter 1000

    backend backend-latex_http_ipv4
        mode http
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        server latex 192.168.0.21:5000 check inter 1000

    backend backend-rss_http_ipv4
        mode http
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        server rss 192.168.0.21:2280 check inter 1000

    backend backend-emby_http_ipv4
        mode http
        log global
        rspadd Strict-Transport-Security:\ max-age=31536000;
        errorfile 503 /var/etc/haproxy/errorfile_backend-emby_http_ipv4_503_customerror
        timeout connect 30000
        timeout server 30000
        retries 3
        source ipv4@ usesrc clientip
        # add some security related headers
        # rspadd Content-Security-Policy:\ default-src\ https:\ data:\ 'unsafe-inline'\ 'unsafe-eval'
        rspadd X-Frame-Options:\ SAMEORIGIN
        rspadd X-Content-Type-Options:\ nosniff
        rspadd X-Xss-Protection:\ 1;\ mode=block
        server emby_iocage 192.168.0.100:8097 check inter 1000

    backend backend-jd_http_ipv4
        mode http
        log global
        rspadd Strict-Transport-Security:\ max-age=31536000;
        errorfile 503 /var/etc/haproxy/errorfile_backend-jd_http_ipv4_503_customerror
        timeout connect 30000
        timeout server 30000
        retries 3
        server jd 192.168.0.21:2280 check inter 1000

    backend backend-home_http_ipv4
        mode http
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        server homepi 192.168.0.191:8123 check inter 1000

    backend backend-fabian-blog_http_ipv4
        mode http
        log global
        rspadd Strict-Transport-Security:\ max-age=31536000;
        timeout connect 30000
        timeout server 30000
        retries 3
        server chat 192.168.0.21:2370 check inter 1000

    backend backend-pf_http_ipv4
        mode http
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        server pf-rancherqnap 192.168.0.19:9001 check inter 1000

    backend backend-hydra_http_ipv4
        mode http
        log global
        rspadd Strict-Transport-Security:\ max-age=31536000;
        timeout connect 30000
        timeout server 30000
        retries 3
        server hydra 192.168.0.19:6050 check inter 1000

    backend backend-speedtest_http_ipv4
        mode http
        log global
        rspadd Strict-Transport-Security:\ max-age=31536000;
        timeout connect 30000
        timeout server 30000
        retries 3
        server speed 192.168.0.19:2020 check inter 1000

    backend backend-audiobooks_http_ipv4
        mode http
        log global
        rspadd Strict-Transport-Security:\ max-age=31536000;
        timeout connect 30000
        timeout server 30000
        retries 3
        server audibooks 192.168.0.19:4040 check inter 1000

    backend backend-books_http_ipv4
        mode http
        log global
        rspadd Strict-Transport-Security:\ max-age=31536000;
        timeout connect 30000
        timeout server 30000
        retries 3
        source ipv4@ usesrc clientip
        server books 192.168.0.19:2202 check inter 1000

    backend backend-plex_http_ipv4
        mode http
        log global
        rspadd Strict-Transport-Security:\ max-age=31536000;
        timeout connect 30000
        timeout server 30000
        retries 3
        source ipv4@ usesrc clientip
        server emby_iocage 192.168.0.100:8921 ssl check inter 1000 verify none
-
Sorry, broke that.
Can you try and apply this patch: https://github.com/pfsense/FreeBSD-ports/pull/495/commits/a938d4f6151b3221185eb1a59ed30432b40d9ed7.patch
-
Worked like a charm! Thanks, anything else you noticed in my HAProxy config that should be changed?
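The thread ends without an answer to the review question, so here is an added example (my own code, not pfSense's or HAProxy's) of the static checks a reviewer would run over the posted config: explicit `verify none` on TLS connections to servers (both the `ssl` data path and `check-ssl` health checks), legacy `rspadd`/`rspidel` keywords (deprecated in favour of `http-response`, removed in HAProxy 2.1), `use_backend`/`default_backend` targets that are never defined, a global `ssl-default-bind-options` that still admits TLS 1.0/1.1, and an unconditional `stats admin if TRUE` on a non-loopback bind. The config excerpt embedded in the block is constructed from the post above, shortened to the relevant directives, with one deliberately undefined backend reference added so that check has something to report; the finding codes and the `lint`/`parse` function names are mine.

```python
"""Static lint of an HAProxy config for the checks a reviewer would run on
the config posted in this thread. Added example, not pfSense or HAProxy code."""

SECTION_KEYWORDS = ("global", "defaults", "listen", "frontend", "backend")

# Legacy request/response rewriting keywords: deprecated in favour of
# http-request / http-response and removed in HAProxy 2.1.
LEGACY_HEADER_KEYWORDS = {"reqadd", "reqdel", "reqidel", "reqrep", "reqirep",
                          "rspadd", "rspdel", "rspidel", "rsprep", "rspirep"}

# Constructed excerpt of the posted config (same directives, shortened), plus
# one deliberately dangling use_backend so the reference check has a hit.
SAMPLE_CONFIG = """
global
    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE

frontend frontend2_sni
    bind 192.168.0.15:443 name 192.168.0.15:443
    mode tcp
    use_backend backend_cloud_https_ipvANY if cloud_sni
    default_backend backend_offloading_https_ipvANY

frontend frontend3_offloading
    bind 127.0.0.1:1443 name 127.0.0.1:1443 ssl crt /var/etc/haproxy/frontend3_offloading.pem
    mode http
    use_backend backend-plex_http_ipv4 if plexACL aclcrt_frontend3_offloading
    use_backend backend-missing_http_ipv4 if missingACL

backend backend_cloud_https_ipvANY
    mode tcp
    server cloud 192.168.0.21:2443 check-ssl verify none

backend backend_offloading_https_ipvANY
    mode tcp
    server backend-to-frontend /frontend3_offloading.socket send-proxy-v2-ssl-cn check inter 1000

backend backend-plex_http_ipv4
    mode http
    rspadd Strict-Transport-Security:\\ max-age=31536000;
    server emby_iocage 192.168.0.100:8921 ssl check inter 1000 verify none
"""


def parse(text):
    """Split a config into (kind, name, tokenised lines); comments dropped."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        toks = line.split()
        if toks[0] in SECTION_KEYWORDS:
            sections.append((toks[0], toks[1] if len(toks) > 1 else toks[0], []))
        elif sections:
            sections[-1][2].append(toks)
    return sections


def is_loopback(bind_addr):
    """True for 127.x, ::1, localhost and unix sockets (paths or unix@)."""
    return bind_addr.startswith(("127.", "[::1]", "::1", "localhost", "/", "unix@"))


def lint(text):
    """Return findings as (code, section, message) tuples."""
    findings = []
    sections = parse(text)
    targets = {name for kind, name, _ in sections if kind in ("backend", "listen")}
    for kind, name, lines in sections:
        binds = [t[1] for t in lines if t[0] == "bind" and len(t) > 1]
        for t in lines:
            kw = t[0]
            # explicit 'verify none' disables certificate validation for the
            # server's TLS context (data path with 'ssl', health checks with 'check-ssl')
            if kw == "server" and "verify" in t:
                i = t.index("verify")
                if i + 1 < len(t) and t[i + 1] == "none":
                    findings.append(("TLS_NO_VERIFY", name,
                                     f"server {t[1]}: 'verify none' skips certificate validation; "
                                     "use 'ca-file ... verify required'"))
            if kw in LEGACY_HEADER_KEYWORDS:
                findings.append(("LEGACY_HEADER_KEYWORD", name,
                                 f"'{kw}' is deprecated; use http-request/http-response set-header"))
            if kw in ("use_backend", "default_backend") and len(t) > 1 and t[1] not in targets:
                findings.append(("DANGLING_BACKEND", name, f"{kw} {t[1]} references an undefined backend"))
            if kind == "global" and kw == "ssl-default-bind-options":
                opts = set(t[1:])
                if "ssl-min-ver" not in opts and not {"no-tlsv10", "no-tlsv11"} <= opts:
                    findings.append(("WEAK_TLS_FLOOR", name,
                                     "TLS 1.0/1.1 still offered on ssl binds; add 'ssl-min-ver TLSv1.2'"))
        # admin-level stats with no ACL is fine on loopback only
        if any(t[:4] == ["stats", "admin", "if", "TRUE"] for t in lines):
            exposed = [b for b in binds if not is_loopback(b)]
            if exposed:
                findings.append(("STATS_ADMIN_EXPOSED", name,
                                 f"unconditional 'stats admin' reachable on {exposed}"))
    return findings


if __name__ == "__main__":
    for code, section, msg in lint(SAMPLE_CONFIG):
        print(f"{code:22} {section:32} {msg}")
```

Run against the excerpt it reports the two `verify none` servers, the `rspadd`, the undefined backend and the missing TLS floor; the stats section is not reported because it is bound to 127.0.0.1. The checks are textual, so they complement rather than replace `haproxy -c -f <file>`, which validates syntax but is silent about all five of these.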