Netgate Discussion Forum

HAProxy - Reverse proxy ssl error after config reload

  • vshaulsk, last edited Aug 3, 2018, 6:30 PM

    Good Day!

    I have had a working pf-sense firewall for a few years, with no issues.

    • I started having trouble with the hard drives (some old 5400 RPM laptop drives),
      so last weekend I backed up my configuration,
      installed some 10K RPM drives and reinstalled pf-sense.
      Reloaded the configuration and everything came back to life, except the HAProxy.
    • Until this point the HAProxy was working great as a reverse proxy for several back-ends ....

    All other modules work and are configured as before. Even the HAProxy settings are exactly as they were before the reinstall.

    The HAProxy application is on, but I get an SSL ERROR when trying to connect.

    • Secure connection can not be established - ERR_SSL_PROTOCOL_ERROR

    So far nothing I have done has resolved the error.

    • different ssl certificate
    • uninstall & reinstall HAProxy
    • tried to reload config

    I can't seem to find a solution. Looking at the config file, everything looks correct......

    Any suggestions as to what may be causing the problem?

    Also, when I remove and reinstall the HAProxy module the configuration is not erased ..... How do I remove the configuration, so that I can rebuild from scratch or just manually reload the saved configuration?

    Thank you for the help!!

    • PiBa @vshaulsk, posted Aug 3, 2018, 6:38 PM, last edited by PiBa Aug 3, 2018, 6:39 PM

      @vshaulsk
      As part of the re-installation you also got a new haproxy package version.. Please check you're using the latest version at this moment.. last week's version had a few (more) issues.. than the current one..

      Also double-check your backend server settings, there are now 2 ssl checkboxes.. one for encrypting the healthcheck, one for the actual traffic.. but if you're using ssl/https mode with sni, you might not want to encrypt the traffic again in the backend.

      If this doesn't help, can you post your haproxy.cfg from the bottom of the settings tab?

      • vshaulsk @PiBa, last edited Aug 3, 2018, 9:17 PM

        @piba

        None of the backends use SSL .... only the front end

        Here is my config:

        # Automaticaly generated, dont edit manually.
        # Generated on: 2018-08-03 10:16

        global
        maxconn 1000
        stats socket /tmp/haproxy.socket level admin
        uid 80
        gid 80
        nbproc 1
        hard-stop-after 15m
        chroot /tmp/haproxy_chroot
        daemon
        tune.ssl.default-dh-param 2048
        server-state-file /tmp/haproxy_server_state
        # Modern browser compatibility only as mentioned here:
        # https://wiki.mozilla.org/Security/Server_Side_TLS
        ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
        tune.ssl.default-dh-param 2048

        # Time-to-first-Byte (TTFB) value needs to be optimized based on
        # the actual public certificate chain see
        # https://www.igvita.com/2013/10/24
        # /optimizing-tls-record-size-and-buffering-latency/
        tune.ssl.maxrecord 1370
        

        listen HAProxyLocalStats
        bind 127.0.0.1:2200 name localstats
        mode http
        stats enable
        stats admin if TRUE
        stats show-legends
        stats uri /haproxy/haproxy_stats.php?haproxystats=1
        timeout client 5000
        timeout connect 5000
        timeout server 5000

        frontend wanhttp
        bind 134.228.159.239:80 name 134.228.159.239:80
        mode http
        log global
        option http-keep-alive
        option forwardfor
        acl https ssl_fc
        http-request set-header X-Forwarded-Proto http if !https
        http-request set-header X-Forwarded-Proto https if https
        timeout client 30000
        default_backend sslredirect_ipvANY

        frontend wanhttps-merged
        bind 127.0.0.1:2043 name 127.0.0.1:2043 no-sslv3 ssl crt /var/etc/haproxy/wanhttps.pem crt /var/etc/haproxy/wanhttps crt-list /var/etc/haproxy/wanhttps.crt_list accept-proxy npn http/1.1
        mode http
        log global
        option http-keep-alive
        option forwardfor
        acl https ssl_fc
        http-request set-header X-Forwarded-Proto http if !https
        http-request set-header X-Forwarded-Proto https if https
        timeout client 7200000
        # Remove headers that expose security-sensitive information.
        rspidel ^Server:.*$
        rspidel ^X-Powered-By:.*$
        rspidel ^X-AspNet-Version:.*$

        # add some security related headers
        rspadd Content-Security-Policy:\ default-src\ https:\ data:\ 'unsafe-inline'\ 'unsafe-eval'
        rspadd X-Frame-Options:\ SAMEORIGIN
        rspadd X-Content-Type-Options:\ nosniff
        rspadd X-Xss-Protection:\ 1;\ mode=block
        acl			aclcrt_wanhttps	var(txn.txnhost) -m reg -i ^shaulskiy\.com(:([0-9]){1,5})?$
        acl			shaulskiy.com	var(txn.txnhost) -m str -i shaulskiy.com
        acl			www.shaulskiy.com	var(txn.txnhost) -m str -i www.shaulskiy.com
        acl			vmusic	var(txn.txnhost) -m str -i vmusic.shaulskiy.com
        acl			plexrequests	var(txn.txnhost) -m str -i plex-requests.shaulskiy.com
        acl			email	var(txn.txnhost) -m str -i mail.shaulskiy.com
        http-request set-var(txn.txnhost) hdr(host)
        use_backend shaulskiy_ipvANY  if  shaulskiy.com 
        use_backend shaulskiy_ipvANY  if  www.shaulskiy.com 
        use_backend vmusic_ipvANY  if  vmusic 
        use_backend plexrequests_ipvANY  if  plexrequests 
        use_backend email_ipvANY  if  email 
        use_backend none_ipvANY  if   aclcrt_wanhttps
        default_backend none_ipvANY
        default_backend none_ipvANY
        default_backend none_ipvANY
        default_backend none_ipvANY
        

        frontend wanexternal-merged
        bind 134.228.159.239:443 name 134.228.159.239:443
        mode tcp
        log global
        timeout client 7200000
        tcp-request inspect-delay 5s
        tcp-request content accept if { req.ssl_hello_type 1 } or !{ req.ssl_hello_type 1 }
        acl acl req.ssl_hello_type 1
        default_backend none_ssl_ipvANY
        default_backend wanhttps_ipvANY

        backend sslredirect_ipvANY
        mode http
        id 107
        log global
        http-response set-header Strict-Transport-Security max-age=31536000;
        rspirep ^(Set-Cookie:((?!;\ secure).)*)$ \1;\ secure if { ssl_fc }
        timeout connect 30000
        timeout server 30000
        retries 3
        redirect scheme https code 301

        backend none_ipvANY
        mode http
        id 104
        log global
        http-response set-header Strict-Transport-Security max-age=31536000;
        rspirep ^(Set-Cookie:((?!;\ secure).)*)$ \1;\ secure if { ssl_fc }
        timeout connect 30000
        timeout server 30000
        retries 3
        server none 127.0.0.1:80 id 100 disabled

        backend shaulskiy_ipvANY
        mode http
        id 111
        log global
        http-response set-header Strict-Transport-Security max-age=31536000;
        rspirep ^(Set-Cookie:((?!;\ secure).)*)$ \1;\ secure if { ssl_fc }
        timeout connect 30000
        timeout server 30000
        retries 3
        option httpchk OPTIONS /
        server shaulskiy 192.168.100.50:80 id 112 check inter 1000

        backend vmusic_ipvANY
        mode http
        id 102
        log global
        http-response set-header Strict-Transport-Security max-age=31536000;
        rspirep ^(Set-Cookie:((?!;\ secure).)*)$ \1;\ secure if { ssl_fc }
        timeout connect 30000
        timeout server 30000
        retries 3
        option httpchk OPTIONS /
        server vmusic 192.168.1.31:4040 id 103 check inter 1000

        backend plexrequests_ipvANY
        mode http
        id 113
        log global
        http-response set-header Strict-Transport-Security max-age=31536000;
        rspirep ^(Set-Cookie:((?!;\ secure).)*)$ \1;\ secure if { ssl_fc }
        timeout connect 30000
        timeout server 30000
        retries 3
        option httpchk OPTIONS /
        server plexrequests 192.168.1.31:3579 id 114 check inter 1000

        backend email_ipvANY
        mode http
        id 115
        log global
        http-response set-header Strict-Transport-Security max-age=31536000;
        rspirep ^(Set-Cookie:((?!;\ secure).)*)$ \1;\ secure if { ssl_fc }
        timeout connect 30000
        timeout server 30000
        retries 3
        option httpchk OPTIONS /
        server email 192.168.100.6:443 id 116 ssl check inter 1000 verify none

        backend none_ssl_ipvANY
        mode tcp
        id 105
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        server none 127.0.0.1:80 id 106 disabled

        backend wanhttps_ipvANY
        mode tcp
        id 109
        log global
        timeout connect 30000
        timeout server 7200000
        retries 3
        server wanhttps 127.0.0.1:2043 id 110 ssl verify none send-proxy

        • PiBa @vshaulsk, last edited Aug 3, 2018, 9:41 PM

          @vshaulsk said in HAProxy - Reverse proxy ssl error after config reload:

          server wanhttps 127.0.0.1:2043 id 110 ssl verify none send-proxy

          Looks like that does have a SSL checkbox set? Where perhaps it should not be?
          If it's on the 'encrypt ssl' box, change that to the 'ssl check' box perhaps?

          • PiBa @vshaulsk, last edited Aug 3, 2018, 10:01 PM

            @vshaulsk
            Also this frontend has 2 defaults, but no way to determine which backend it should actually take..
            You will need to add acl's and use_backend actions there..

            frontend wanexternal-merged
            	default_backend none_ssl_ipvANY
            	default_backend wanhttps_ipvANY
            
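Both of PiBa's points (the `ssl` keyword on the `wanhttps` server line, and the two `default_backend` lines in one frontend) can be checked mechanically before a config is applied. The linter below is an added example and is not code from this thread, from the pfSense HAProxy package or from HAProxy itself. It parses a haproxy.cfg into sections, flags a frontend or listen block with more than one `default_backend`, flags a `mode tcp` backend whose server line adds `ssl` towards a local bind that already carries `ssl crt` (the TLS-in-TLS situation behind the ERR_SSL_PROTOCOL_ERROR above: the client's own TLS handshake gets wrapped in a second TLS layer), and notes `verify none`. The sample config is constructed from the thread's layout with the documentation address 203.0.113.10 in place of the real public IP, and the linter assumes every section states its own `mode`, as the pfSense-generated file does.

```python
"""Lint a haproxy.cfg for the two misconfigurations discussed in the thread (added example)."""
import re

# Constructed sample: the thread's layout, trimmed, with a documentation
# address (203.0.113.10) instead of the real public IP.
SAMPLE_CFG = """
# Automatically generated, dont edit manually.
frontend wanhttps-merged
    bind 127.0.0.1:2043 name 127.0.0.1:2043 no-sslv3 ssl crt /var/etc/haproxy/wanhttps.pem accept-proxy
    mode http
    default_backend none_ipvANY
    default_backend none_ipvANY

frontend wanexternal-merged
    bind 203.0.113.10:443 name 203.0.113.10:443
    mode tcp
    tcp-request inspect-delay 5s
    default_backend none_ssl_ipvANY
    default_backend wanhttps_ipvANY

backend wanhttps_ipvANY
    mode tcp
    server wanhttps 127.0.0.1:2043 id 110 ssl verify none send-proxy

backend email_ipvANY
    mode http
    server email 192.168.100.6:443 id 116 ssl check inter 1000 verify none
"""

SECTION_RE = re.compile(r"^(global|defaults|frontend|listen|backend)(?:\s+(\S+))?$")


def parse_sections(cfg_text):
    """Return [(kind, name, [directive lines])]; comments and blank lines are dropped."""
    sections = []
    current = None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2) or m.group(1), [])
            sections.append(current)
        elif current is not None:
            current[2].append(line)
    return sections


def lint(cfg_text):
    """Return a list of human-readable findings (an empty list means clean)."""
    sections = parse_sections(cfg_text)
    findings = []

    # Every bind carrying the 'ssl' keyword terminates TLS itself; remember who owns it.
    tls_binds = {}
    for kind, name, lines in sections:
        for line in lines:
            tok = line.split()
            if tok[0] == "bind" and "ssl" in tok[2:]:
                tls_binds[tok[1]] = name

    for kind, name, lines in sections:
        # Assumption: each section states its own 'mode' (true for pfSense-generated configs).
        mode = next((l.split()[1] for l in lines if l.startswith("mode ")), None)

        n_default = sum(1 for l in lines if l.split()[0] == "default_backend")
        if kind in ("frontend", "listen") and n_default > 1:
            findings.append(
                f"{kind} {name}: {n_default} default_backend lines; the choice is ambiguous, "
                f"select the backend with acl + use_backend rules instead"
            )

        for line in lines:
            tok = line.split()
            if tok[0] != "server":
                continue
            sname, addr, opts = tok[1], tok[2], tok[3:]
            # A tcp-mode backend forwards the client's raw TLS bytes; adding 'ssl'
            # towards a bind that already terminates TLS wraps them in a second TLS layer.
            if "ssl" in opts and mode == "tcp" and addr in tls_binds:
                findings.append(
                    f"{kind} {name}: server {sname} re-encrypts towards {addr}, where "
                    f"{tls_binds[addr]} already terminates TLS; in mode tcp the client's "
                    f"own handshake would travel inside a second TLS layer, drop 'ssl' "
                    f"from the server line"
                )
            i = opts.index("verify") if "verify" in opts else -1
            if i >= 0 and opts[i + 1:i + 2] == ["none"]:
                findings.append(
                    f"{kind} {name}: server {sname} uses 'verify none', so the backend "
                    f"certificate is never authenticated"
                )
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CFG):
        print(finding)
```

Run it against the exported haproxy.cfg from the bottom of the settings tab: the double-TLS finding disappears once `ssl` is removed from the `wanhttps` server line (the fix confirmed later in the thread), and the `default_backend` finding disappears once the frontend selects its backend through `acl` and `use_backend` rules. The `verify none` note is informational; it is expected on a loopback hop like 127.0.0.1:2043 but worth a second look on a hop across the LAN.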
            • vshaulsk @PiBa, last edited Aug 4, 2018, 12:15 AM

              @piba

              You were correct, I had to change the SSL checkbox for the wanhttps

              Now everything is working and I am back to the SSL Labs A+ rating (if that is worth anything)

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.