    Updated to 0.55 HAproxy now Strange SSL error when Offloading

      zwck

      I had a working HAProxy configuration; however, after updating to 0.55 the SSL offloading part of my config seems to be broken.

      Were there some breaking changes that I have missed?

      Here is my config:

      
      # Automatically generated, don't edit manually.
      # Generated on: 2018-01-12 06:52
      global
      	# Process-wide settings: one process / one thread, running as gid 80 inside a chroot.
      	maxconn			20000
      	# Admin-level runtime API on a unix socket ('level admin' permits state-changing
      	# commands); 'expose-fd listeners' hands the listening sockets to a reloading process.
      	# Filesystem permissions on this socket are the only access control for it.
      	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
      	gid			80
      	nbproc			1
      	nbthread			1
      	hard-stop-after		15m
      	chroot				/tmp/haproxy_chroot
      	daemon
      	# DH parameter size used by the EDH (DHE) suites listed in the cipher string below.
      	tune.ssl.default-dh-param	2048
      	server-state-file /tmp/haproxy_server_state
      	tune.ssl.maxrecord 1370
      	# Only SSLv3 is disabled here; TLS 1.0/1.1 stay enabled on every 'ssl' bind unless
      	# no-tlsv10 / no-tlsv11 are added. Session tickets are switched off.
      	ssl-default-bind-options no-sslv3 no-tls-tickets
      	# Forward-secret (ECDHE/DHE) AES suites only; the AES256+ groups also admit CBC modes.
      	ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
      
      listen HAProxyLocalStats
      	# Stats page, reachable only on loopback (presumably proxied by the pfSense GUI
      	# given the .php stats uri).
      	bind 127.0.0.1:2200 name localstats
      	mode http
      	stats enable
      	# Admin actions (e.g. taking servers down) are enabled unconditionally and there is
      	# no 'stats auth', so the loopback-only bind is the sole access control.
      	stats admin if TRUE
      	stats uri /haproxy/haproxy_stats.php?haproxystats=1
      	timeout client 5000
      	timeout connect 5000
      	timeout server 5000
      
      frontend frontend1_http
      	# Plain-HTTP entry point: redirects the listed hosts to HTTPS and serves only
      	# test.example.io unencrypted.
      	bind			192.168.0.15:80 name 192.168.0.15:80   
      	mode			http
      	log			global
      	option			http-keep-alive
      	option			forwardfor
      	# This bind has no 'ssl', so ssl_fc is always false here and X-Forwarded-Proto
      	# is always set to 'http'.
      	acl https ssl_fc
      	http-request set-header		X-Forwarded-Proto http if !https
      	http-request set-header		X-Forwarded-Proto https if https
      	timeout client		30000
      	acl			acl-http	hdr_beg(host) -i test.example.io
      	# hdr_beg is a prefix match: 'mb', 'pf', 'jd' etc. also match any other host
      	# name starting with those letters.
      	acl			acl-https	hdr_beg(host) -i chat
      	acl			acl-https	hdr_beg(host) -i ombi
      	acl			acl-https	hdr_beg(host) -i mb
      	acl			acl-https	hdr_beg(host) -i rss
      	acl			acl-https	hdr_beg(host) -i latex
      	# 'blog' is redirected to HTTPS but has no matching ACL in frontend3_offloading.
      	acl			acl-https	hdr_beg(host) -i blog
      	acl			acl-https	hdr_beg(host) -i jd
      	acl			acl-https	hdr_beg(host) -i home
      	acl			acl-https	hdr_beg(host) -i fab
      	acl			acl-https	hdr_beg(host) -i pf
      	acl			acl-https	hdr_beg(host) -i hydra
      	acl			acl-https	hdr_beg(host) -i b.example.io
      	acl			acl-https	hdr_beg(host) -i ab.example.io
      	acl			acl-https	hdr_beg(host) -i speed
      	acl			acl-https	hdr_beg(host) -i plex
      	http-request redirect scheme https  if  acl-https 
      	# No default_backend: a host matching neither ACL gets no backend at all
      	# (HAProxy then answers with an error, 503 in the versions I know).
      	use_backend backend-speedtest_http_ipvANY  if  acl-http 
      
      frontend frontend2_sni
      	# TCP-mode SNI router on :443. TLS is not terminated here: SNI starting with
      	# 'cloud' is passed through to backend_cloud_https_ipvANY, everything else is
      	# handed to the offloading frontend over a unix socket.
      	bind			192.168.0.15:443 name 192.168.0.15:443   
      	mode			tcp
      	log			global
      	timeout client		30000
      	# Buffer the connection for up to 5s until a ClientHello (hello type 1) has been
      	# seen, so req.ssl_sni is populated before the routing decision.
      	tcp-request inspect-delay	5s
      	acl			cloud_sni	req.ssl_sni -m beg -i cloud
      	tcp-request content accept if { req.ssl_hello_type 1 }
      
      	use_backend backend_cloud_https_ipvANY  if  cloud_sni 
      	default_backend backend_offloading_https_ipvANY
      
      frontend frontend3_offloading
      	# TLS termination point. Reached either directly on 127.0.0.1:1443 or, for
      	# traffic from frontend2_sni, via the unix socket fed by
      	# backend_offloading_https_ipvANY. Routes by Host header to the plain-HTTP backends.
      	bind			127.0.0.1:1443 name 127.0.0.1:1443  ssl  crt /var/etc/haproxy/frontend3_offloading.pem crt-list /var/etc/haproxy/frontend3_offloading.crt_list  
      	# NOTE(review): unlike the bind above, this unix-socket bind carries 'crt' but no
      	# 'ssl' keyword and no crt-list, so TLS would not be terminated on it although the
      	# offloading backend forwards the still-encrypted stream here. Presumably the
      	# generator regression fixed by the patch in this thread — confirm against the
      	# patched output. 'accept-proxy' consumes the PROXY v2 header sent by that backend.
      	bind /tmp/haproxy_chroot/frontend3_offloading.socket name unixsocket uid 80 accept-proxy   crt /var/etc/haproxy/frontend3_offloading.pem 
      	mode			http
      	log			global
      	option			http-keep-alive
      	option			forwardfor
      	# X-Forwarded-Proto reflects whether this hop terminated TLS (ssl_fc).
      	acl https ssl_fc
      	http-request set-header		X-Forwarded-Proto http if !https
      	http-request set-header		X-Forwarded-Proto https if https
      	timeout client		30000
      	# Response-header hardening is disabled at the frontend; only the backends that
      	# carry their own rspadd lines emit HSTS / X-Frame-Options / nosniff. Note that
      	# 'SAMEDOMAIN' is not a defined X-Frame-Options value (the backends use SAMEORIGIN).
      	#
      	#rspidel ^Server:.*$
      	#rspidel ^X-Powered-By:.*$
      	#rspidel ^X-AspNet-Version:.*$
      	#http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload
      	#http-response set-header X-Frame-Options SAMEDOMAIN
      	#http-response set-header X-Content-Type-Options nosniff	
      	# Host-prefix ACLs (hdr_beg) for the virtual hosts; the two exact-match ACLs
      	# (hdr) follow.
      	acl			chatACL	hdr_beg(host) -i chat
      	acl			ombiACL	hdr_beg(host) -i ombi
      	acl			latexACL	hdr_beg(host) -i latex
      	acl			rssACL	hdr_beg(host) -i rss
      	acl			mbACL	hdr_beg(host) -i mb
      	acl			embyACL	hdr_beg(host) -i emby
      	acl			plexACL	hdr_beg(host) -i plex
      	acl			jdACL	hdr_beg(host) -i jd
      	acl			homeACL	hdr_beg(host) -i home
      	acl			fabACL	hdr_beg(host) -i fab
      	acl			pfACL	hdr_beg(host) -i pf
      	acl			hydraACL	hdr_beg(host) -i hydra
      	acl			speedACL	hdr_beg(host) -i speed
      	acl			audiobooksACL	hdr(host) -i ab.example.io
      	acl			booksACL	hdr(host) -i b.example.io
      	# Every route below also requires the Host to be domain.de or a subdomain of it
      	# (optional :port). The exact-match ACLs above use ab.example.io / b.example.io,
      	# which cannot satisfy this at the same time — presumably a redaction artifact in
      	# the paste; verify the live config uses one domain throughout.
      	acl			aclcrt_frontend3_offloading	hdr_reg(host) -i ^([^\.]*)\.domain\.de(:([0-9]){1,5})?$
      	acl			aclcrt_frontend3_offloading	hdr_reg(host) -i ^domain\.de(:([0-9]){1,5})?$
      	# No default_backend: hosts not matched here (e.g. 'blog', which frontend1_http
      	# redirects to HTTPS) get no backend.
      	use_backend backend-chat_http_ipv4  if  chatACL aclcrt_frontend3_offloading
      	use_backend backend-ombi_http_ipv4  if  ombiACL aclcrt_frontend3_offloading
      	use_backend backend-latex_http_ipv4  if  latexACL aclcrt_frontend3_offloading
      	use_backend backend-rss_http_ipv4  if  rssACL aclcrt_frontend3_offloading
      	use_backend backend-emby_http_ipv4  if  embyACL aclcrt_frontend3_offloading
      	use_backend backend-jd_http_ipv4  if  jdACL aclcrt_frontend3_offloading
      	# mb* and emby* both land on the emby backend.
      	use_backend backend-emby_http_ipv4  if  mbACL aclcrt_frontend3_offloading
      	use_backend backend-home_http_ipv4  if  homeACL aclcrt_frontend3_offloading
      	use_backend backend-fabian-blog_http_ipv4  if  fabACL aclcrt_frontend3_offloading
      	use_backend backend-pf_http_ipv4  if  pfACL aclcrt_frontend3_offloading
      	use_backend backend-hydra_http_ipv4  if  hydraACL aclcrt_frontend3_offloading
      	use_backend backend-speedtest_http_ipv4  if  speedACL aclcrt_frontend3_offloading
      	use_backend backend-audiobooks_http_ipv4  if  audiobooksACL aclcrt_frontend3_offloading
      	use_backend backend-books_http_ipv4  if  booksACL aclcrt_frontend3_offloading
      	use_backend backend-plex_http_ipv4  if  plexACL aclcrt_frontend3_offloading
      
      backend backend-speedtest_http_ipvANY
      	# Only referenced from frontend1_http (port 80, no ssl), so the HSTS header added
      	# below is delivered over plain HTTP, where browsers ignore it. rspadd is the legacy
      	# form; newer HAProxy releases use 'http-response add-header'.
      	mode			http
      	log			global
      	rspadd Strict-Transport-Security:\ max-age=31536000;
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	server			speed 192.168.0.19:2020 check inter 1000  
      
      backend backend_cloud_https_ipvANY
      	# TLS passthrough to 192.168.0.21:2443; the client verifies that host's certificate
      	# end-to-end. 'check-ssl verify none' affects only the health check, which performs
      	# a TLS handshake without validating the upstream certificate.
      	mode			tcp
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	server			cloud 192.168.0.21:2443 check-ssl  verify none 
      
      backend backend_offloading_https_ipvANY
      	# Loops the still-encrypted stream from frontend2_sni back into
      	# frontend3_offloading through its unix socket (path is relative to the chroot).
      	# send-proxy-v2-ssl-cn prepends a PROXY v2 header carrying the original client
      	# address, which the frontend's 'accept-proxy' consumes; the health check runs
      	# over the same socket every second.
      	mode			tcp
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	server			backend-to-frontend /frontend3_offloading.socket send-proxy-v2-ssl-cn check inter 1000  
      
      backend backend-chat_http_ipv4
      	# Plain HTTP to 192.168.0.21:3000, health-checked every second; no hardening headers here.
      	mode			http
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	server			chat 192.168.0.21:3000 check inter 1000  
      
      backend backend-ombi_http_ipv4
      	# Plain HTTP to 192.168.0.19:3579, health-checked every second; no hardening headers here.
      	mode			http
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	server			ombi 192.168.0.19:3579 check inter 1000  
      
      backend backend-latex_http_ipv4
      	# Plain HTTP to 192.168.0.21:5000, health-checked every second; no hardening headers here.
      	mode			http
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	server			latex 192.168.0.21:5000 check inter 1000  
      
      backend backend-rss_http_ipv4
      	# Plain HTTP to 192.168.0.21:2280 (the same address:port backend-jd_http_ipv4 uses).
      	mode			http
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	server			rss 192.168.0.21:2280 check inter 1000  
      
      backend backend-emby_http_ipv4
      	# Emby upstream with a custom 503 page and response-header hardening.
      	mode			http
      	log			global
      	rspadd Strict-Transport-Security:\ max-age=31536000;
      	errorfile			503 /var/etc/haproxy/errorfile_backend-emby_http_ipv4_503_customerror
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	# Transparent proxying: the upstream connection is opened with the client's own IP
      	# as source. NOTE(review): this only works if the server's reply path routes back
      	# through this box — confirm.
      	source ipv4@ usesrc clientip
      	# add some security related headers
      	# (Content-Security-Policy is left disabled; the other three are emitted.)
      	# rspadd Content-Security-Policy:\ default-src\ https:\ data:\ 'unsafe-inline'\ 'unsafe-eval'
      	rspadd X-Frame-Options:\ SAMEORIGIN
      	rspadd X-Content-Type-Options:\ nosniff
      	rspadd X-Xss-Protection:\ 1;\ mode=block
      	server			emby_iocage 192.168.0.100:8097 check inter 1000  
      
      backend backend-jd_http_ipv4
      	# HSTS plus a custom 503 page. The upstream 192.168.0.21:2280 is the same
      	# address:port as backend-rss_http_ipv4 — verify this is intentional.
      	mode			http
      	log			global
      	rspadd Strict-Transport-Security:\ max-age=31536000;
      	errorfile			503 /var/etc/haproxy/errorfile_backend-jd_http_ipv4_503_customerror
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	server			jd 192.168.0.21:2280 check inter 1000  
      
      backend backend-home_http_ipv4
      	# Plain HTTP to 192.168.0.191:8123, health-checked every second; no hardening headers here.
      	mode			http
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	server			homepi 192.168.0.191:8123 check inter 1000  
      
      backend backend-fabian-blog_http_ipv4
      	# HSTS-only hardening. The server is named 'chat' here as well as in
      	# backend-chat_http_ipv4; server names are scoped to their backend, but the
      	# duplicate is confusing in logs and stats.
      	mode			http
      	log			global
      	rspadd Strict-Transport-Security:\ max-age=31536000;
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	server			chat 192.168.0.21:2370 check inter 1000  
      
      backend backend-pf_http_ipv4
      	# Plain HTTP to 192.168.0.19:9001, health-checked every second; no hardening headers here.
      	mode			http
      	log			global
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	server			pf-rancherqnap 192.168.0.19:9001 check inter 1000  
      
      backend backend-hydra_http_ipv4
      	# HSTS-only hardening; plain HTTP to 192.168.0.19:6050.
      	mode			http
      	log			global
      	rspadd Strict-Transport-Security:\ max-age=31536000;
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	server			hydra 192.168.0.19:6050 check inter 1000  
      
      backend backend-speedtest_http_ipv4
      	# HTTPS-side twin of backend-speedtest_http_ipvANY (same upstream); reached from
      	# frontend3_offloading, so the HSTS header here is actually delivered over TLS.
      	mode			http
      	log			global
      	rspadd Strict-Transport-Security:\ max-age=31536000;
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	server			speed 192.168.0.19:2020 check inter 1000  
      
      backend backend-audiobooks_http_ipv4
      	# HSTS-only hardening; plain HTTP to 192.168.0.19:4040.
      	# The server name 'audibooks' looks like a typo of 'audiobooks'.
      	mode			http
      	log			global
      	rspadd Strict-Transport-Security:\ max-age=31536000;
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	server			audibooks 192.168.0.19:4040 check inter 1000  
      
      backend backend-books_http_ipv4
      	# HSTS-only hardening; plain HTTP to 192.168.0.19:2202.
      	mode			http
      	log			global
      	rspadd Strict-Transport-Security:\ max-age=31536000;
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	# Transparent proxying (client IP used as source); the upstream's reply path must
      	# route back through this box — confirm.
      	source ipv4@ usesrc clientip
      	server			books 192.168.0.19:2202 check inter 1000  
      
      backend backend-plex_http_ipv4
      	# Re-encrypts to the upstream. 'verify none' means the upstream certificate is not
      	# checked: this hop is encrypted but the server is not authenticated. The server
      	# name 'emby_iocage' is reused from the emby backend (same host, different port).
      	mode			http
      	log			global
      	rspadd Strict-Transport-Security:\ max-age=31536000;
      	timeout connect		30000
      	timeout server		30000
      	retries			3
      	# Transparent proxying (client IP used as source); the upstream's reply path must
      	# route back through this box — confirm.
      	source ipv4@ usesrc clientip
      	server			emby_iocage 192.168.0.100:8921 ssl check inter 1000  verify none
      
      
        PiBa

        Sorry, I broke that.
        Can you try and apply this patch: https://github.com/pfsense/FreeBSD-ports/pull/495/commits/a938d4f6151b3221185eb1a59ed30432b40d9ed7.patch

          zwck

          Worked like a charm! Thanks. Is there anything else you noticed in my HAProxy config that should be changed?
