HAProxy SSL Backend Down (L6TOUT)
Hi guys,
I've recently set up haproxy to reverse proxy and add a certificate in front of 3 web services running on a single device (one IP address).
2 of these run SSL by default and 1 doesn't.
So I managed to get one of the SSL ones (Openhab) running OK and presenting its own cert on the frontend. But the other one, Unifi Controller, doesn't work with the same config. I get L6TOUT, which I understand is TLS related.
The last one, running plain http, also works without any issues. All backends work perfectly if I go directly.
This is the config from pfSense:
# Automaticaly generated, dont edit manually.
# Generated on: 2019-05-22 07:53
global
    maxconn                     100
    stats socket /tmp/haproxy.socket level admin uid 80 gid 80
    nbproc                      1
    hard-stop-after             15m
    chroot                      /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param   2048
    log-send-hostname           cucaproxy
    server-state-file /tmp/haproxy_server_state
    # set default parameters to the modern configuration
    # using mozilla config generator: https://mozilla.github.io/server-side-tls/ssl-config-generator/
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    # Time-to-first-Byte (TTFB) value needs to be optimized based on
    # the actual public certificate chain see
    # https://www.igvita.com/2013/10/24
    # /optimizing-tls-record-size-and-buffering-latency/
    tune.ssl.maxrecord 1370

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend shared-frontend-merged
    bind            172.17.17.1:443 name 172.17.17.1:443 ssl crt-list /var/etc/haproxy/shared-frontend.crt_list
    mode            http
    log             global
    option          http-keep-alive
    option          forwardfor
    acl https ssl_fc
    http-request set-header    X-Forwarded-Proto http if !https
    http-request set-header    X-Forwarded-Proto https if https
    timeout client  30000
    acl             aclcrt_shared-frontend  var(txn.txnhost) -m reg -i ^([^\.]*)\.mydomain\.com\.ar(:([0-9]){1,5})?$
    acl             OHAB    var(txn.txnhost) -m str -i ohab.mydomain.com.ar
    acl             aclcrt_OpenHAB-Frontend var(txn.txnhost) -m reg -i ^ohab\.mydomain\.com\.ar(:([0-9]){1,5})?$
    acl             homeassistant   var(txn.txnhost) -m str -i homeassistant.mydomain.com.ar
    acl             aclcrt_HomeAssistant-Frontend   var(txn.txnhost) -m reg -i ^homeassistant\.mydomain\.com\.ar(:([0-9]){1,5})?$
    acl             unifi   var(txn.txnhost) -m str -i unifi.mydomain.com.ar
    acl             aclcrt_Unifi    var(txn.txnhost) -m reg -i ^unifi\.mydomain\.com\.ar(:([0-9]){1,5})?$
    http-request set-var(txn.txnhost) hdr(host)
    use_backend OpenHAB_ipvANY  if  OHAB aclcrt_OpenHAB-Frontend
    use_backend HomeAssistant_ipvANY  if  homeassistant aclcrt_HomeAssistant-Frontend
    use_backend Unifi-Controller_ipvANY  if  unifi aclcrt_Unifi

frontend http-to-https
    bind            172.17.17.1:80 name 172.17.17.1:80
    mode            http
    log             global
    option          http-keep-alive
    timeout client  30000
    http-request redirect scheme https

backend OpenHAB_ipvANY
    mode            http
    id              100
    log             global
    http-response set-header Strict-Transport-Security max-age=1;
    timeout connect 30000
    timeout server  7200000
    retries         3
    option          httpchk OPTIONS /
    server          openhab 172.17.17.10:9001 id 101 ssl check inter 1000 verify none

backend HomeAssistant_ipvANY
    mode            http
    id              103
    log             global
    http-response set-header Strict-Transport-Security max-age=1;
    timeout connect 30000
    timeout server  7200000
    retries         3
    option          httpchk GET /
    server          homeassistant 172.17.17.10:8123 id 101 check inter 1000

backend Unifi-Controller_ipvANY
    mode            http
    id              102
    log             global
    http-response set-header Strict-Transport-Security max-age=1;
    timeout connect 30000
    timeout server  7200000
    retries         2
    option          httpchk HEAD /
    server          unifi 172.17.17.10:8443 id 101 ssl check inter 1000 verify none
This is the output when going direct:
$ openssl s_client -connect 172.17.17.10:8443
CONNECTED(00000005)
depth=0 CN = unifi
verify error:num=18:self signed certificate
verify return:1
depth=0 CN = unifi
verify return:1
---
Certificate chain
 0 s:CN = unifi
   i:CN = unifi
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEvzCCAqegAwIBAgIERbK8LjANBgkqhkiG9w0BAQsFADAQMQ4wDAYDVQQDEwV1
bmlmaTAeFw0xOTA1MTgwMzIyNThaFw0yNDA1MTYwMzIyNThaMBAxDjAMBgNVBAMT
BXVuaWZpMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAmYBwLQtmbCCu
5xvdkXg8AkRaR386l6L5ikbMUurBW8Ewyeni03nJGIiZVO0k8YR4qJUa0A0rApL9
JVTSYXmeuHQZNUKAtQSy3SXOTpgsdKOfh/NePP8yNzP4wQzSctF++PvuDb2kwFJN
++s4xzrfyU3LuRX7IEl6JXZj06mZV6Jmm67wU1Sbe9YflvUfjazUnUWLnTjPu4og
hDrYrr5z1OuqPbf6ixgR8qLceX42UZkPFO/tXBCboQLhvTSTqeTxtw/LauWCNt/m
pWJny3tXj3PIT/udu6To26riEK+kOr7vmjgPlBKdDKkMBb9kp/JvS/vegYSfmiT6
WVbf+N/SJMhiwmeigE3PYJESPN1Rp5wD9MnebG0NPiQG1QD0M1EexaVUJSZBKWqk
rHAQSKK9Q7WVdB/6a034MmwsXFYtb99gMQSd0Ncn3zrLjJTunNLm0Y/5Ra5Bumw9
HKbGlwsGj6BCUoMWgbo+63VXhwDX5JhzwZVaXbWTooreCUHvw5mpzxGV9P8b5Vv+
/FPBGfucYMRr72+SIopKN6MGdrJqjDc3SgWh+8sMO6w4e4T8JTGf9QEeeoGvCsy7
JQYXi2mZ4U4SwTqv2WSgmgtDhwzF6Q1mhqPiVsaIiWGO8ozED87LomBLtfDax88b
3+dP23iu56fblO0wfbN16+Uz5s7hhsECAwEAAaMhMB8wHQYDVR0OBBYEFNiZe95z
gcB/aKhP8eG2zPIklt2RMA0GCSqGSIb3DQEBCwUAA4ICAQCMqIbahxe/QFUsv3R5
m9j0qKC+reJZbgTxjEcxlz4Cu8HcdZtlJIKPhj+ZgTrr+hhZCV3W23/byvrq3dJe
F7pdR7wv7Q1ZaBW1k1yveG4qMfFTH+hrZGspAqoZH7LR7rFHgiYRz4eInoUPoYgj
Okz1aMUNs81P2m5SWddZoomEmJc5A76q3e+GLgzdnDjL7FXCfJeNbrGpJt06XZIg
RnSiWkeKLxWGoF2F97f+2WqEU7GMspr6/2jVAPAkCR9Z20P1cEb2raEoM7K135Th
FWXlIXYRZCiURRRVPO3RAzd1rk+Lit/m5P6YMADakkW97wFXe1vvgapGXljPIr8D
z9Da6ad89STgG8wMphgBPKAZlqie2CWP5kRLejMSl4Z8Em5yG3FHMEcFdKPMuedK
poyglInubzxAXLd4+AtphFDQjFh8PeZ2/NzVF6mtEpTHZLsTUevk9hsXh4vKpK2g
B5rdYbXi2Qlup8EPfY4IY4DvCDFs4FpeO5fDhmcUJVkGhhOjPcNDuQM++7LEg7EZ
VLsiU0oUVY1P6wW2z6nnb5pxXQphLM4AeeqdeUjupBuPG0J1VEiC7ywHSxDDtCmi
hyO8BYEy8H1/wgOS4ubRBhEb2ILxQB5dn8UjsVCWjfHvPauKBfKJyEer9lmpW0GE
ZCvjnpE4SyDBXgXdgop7a3YStw==
-----END CERTIFICATE-----
subject=CN = unifi

issuer=CN = unifi

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1963 bytes and written 440 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 5CE455FD452CFEB4BBF84E2AF5D0488404E6EAEFE362D90A954448ABACA274AB
    Session-ID-ctx:
    Master-Key: 7C9E178E32A1A48CFF55018AF8C7FD924D8E9788201615216B532FB5242B43CB96E29C0D0E1807BE89C1CD75F3CE06F4
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1558468093
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: yes
---
Any ideas what I might be doing wrong? I'm pretty new to haproxy. None of these are internet accessible, they are entirely internal.
Thanks,
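As an added diagnostic (this is not code from the post, from pfSense or from HAProxy), the script below reproduces what the "ssl check" on the Unifi server line actually does: a TLS client handshake under the posted ssl-default-server-* policy (TLS 1.2 as the floor, that exact cipher list) with certificate verification switched off, which is what "verify none" means. In HAProxy's check_status vocabulary, L6TOUT is reported when the TCP connection opened but the TLS handshake did not finish before the timeout; the probe classifies its outcome with the same labels (L4CON, L4TOUT, L6OK, L6TOUT, L6RSP) so the result can be compared with the stats page. The backend address 172.17.17.10:8443 and the name unifi.mydomain.com.ar come from the post; the timeouts, the silent listener and the command-line shape are assumptions of this example, and the listener is a constructed stand-in that accepts TCP but never answers a ClientHello, used only to show what an L6TOUT looks like from the client side.

```python
"""Probe a backend's TLS handshake the way HAProxy's 'ssl check' does.

Status labels follow HAProxy's check_status codes: L4* for the TCP
connect phase, L6* for the TLS handshake phase.  Added example, not
code from the post or from HAProxy/pfSense.
"""
import socket
import ssl
import sys
import threading
import time

# Copied from the posted ssl-default-server-ciphers line.
SERVER_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
)


def build_context(ciphers=SERVER_CIPHERS, min_version=ssl.TLSVersion.TLSv1_2):
    """Client context equivalent to the posted server-side TLS policy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # backend line: verify none
    ctx.minimum_version = min_version   # no-sslv3 no-tlsv10 no-tlsv11
    ctx.set_ciphers(ciphers)            # ssl-default-server-ciphers
    return ctx


def probe(host, port, server_name=None, timeout=5.0, ctx=None):
    """Connect and handshake; return a dict with an HAProxy-style status."""
    ctx = ctx or build_context()
    result = {"phase": "connect", "status": None, "detail": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result["phase"] = "handshake"
            # server_hostname=None sends no SNI, as a check does unless
            # check-sni is configured on the server line.
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                result["status"] = "L6OK"
                result["detail"] = f"{tls.version()} {tls.cipher()[0]}"
    except socket.timeout:
        result["status"] = "L4TOUT" if result["phase"] == "connect" else "L6TOUT"
    except ssl.SSLError as exc:
        result["status"] = "L6RSP"      # backend answered, handshake failed
        result["detail"] = getattr(exc, "reason", None) or str(exc)
    except OSError as exc:              # refused, reset, unreachable
        result["status"] = "L4CON" if result["phase"] == "connect" else "L6RSP"
        result["detail"] = str(exc)
    return result


def start_silent_listener(hold_seconds=3.0):
    """Constructed stand-in for a backend that accepts TCP but never sends
    a ServerHello, i.e. the shape of an L6TOUT.  Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        time.sleep(hold_seconds)        # sit on the ClientHello, say nothing
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) >= 3:
        # e.g. python3 probe.py 172.17.17.10 8443 unifi.mydomain.com.ar
        host, port = sys.argv[1], int(sys.argv[2])
        sni = sys.argv[3] if len(sys.argv) > 3 else None
        print("no SNI  :", probe(host, port, timeout=5.0))
        if sni:
            print("with SNI:", probe(host, port, server_name=sni, timeout=5.0))
    else:
        port = start_silent_listener()
        print("silent backend:", probe("127.0.0.1", port, timeout=0.5))
```

Run it from the pfSense box (or any host that can reach 172.17.17.10) once without and once with the SNI name: a backend that returns L6OK from this probe but L6TOUT from HAProxy points at a difference between the two clients (for example the check's timeout or SNI), while an L6RSP or L6TOUT here reproduces the problem outside HAProxy and the "detail" field names the protocol or cipher the backend rejected. Comparing the negotiated cipher against the "New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256" line in the posted s_client output is the quickest sanity check that the policy itself is not the culprit.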