Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Update 2.4.3 to 2.4.4 HAProxy Error code: SSL_ERROR_RX_RECORD_TOO_LONG

    Cache/Proxy
    3
    3
    538
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • W
      WispAwayIS
      last edited by WispAwayIS

      Re: Problem with new update to HaProxy
      My setup is a little different than @cjbujold but essentially the same outcome.

      I can confirm this is an issue with the way the haproxy package updates and translates the config from haproxy-1.7.10 to haproxy17-1.7.11_1.

      In haproxy-1.7.10, my ssl offload frontends have only one backend:

      2.4.3-Services_HAProxy_Frontend_-edge.wispaway.net-_2019-10-31_23.42.05.jpg
      Services_HAProxy_Backend_Edit_-edge.wispaway.net-_2019-10-31_22.45.04.jpg
      Above you can see that SSL is set to 'yes' in my working 1.7.10 setup but below I only see 'check-ssl' in the rendered config.

      backend WAN_HTTPS_tcp_ipvANY
      	mode			tcp
      	log			global
      	balance			roundrobin
      	timeout connect		30000
      	timeout server		7200000
      	retries			3
      	server			WAN_HTTPS 127.0.0.1:2043 check-ssl  verify none resolvers globalresolvers send-proxy
      

      After updating to haproxy17-1.7.11_1, I suddenly have 2 different backends and a broken config throwing the Error code: SSL_ERROR_RX_RECORD_TOO_LONG that brought me here:

      2.4.4-Services_HAProxy_Frontend_-edge.wispaway.net-_2019-10-31_23.30.45.jpg

      After reading the linked post and fixing my issue, I went back to see what happened and found that when updating the config the Encrypt(SSL) flag gets set on the backend of the same name, not the new shared backend that's been magically created.

      It's right there in the rendered config:

      backend WAN_HTTPS_ssl_ipvANY
      	mode			tcp
      	id			122
      	log			global
      	timeout connect		30000
      	timeout server		7200000
      	retries			3
      	server			WAN-HTTPS 127.0.0.1:2043 id 123 check-ssl  verify none resolvers globalresolvers send-proxy 
      
      backend WAN_HTTPS_ipvANY
      	mode			tcp
      	id			121
      	log			global
      	timeout connect		30000
      	timeout server		7200000
      	retries			3
      	server			WAN-HTTPS 127.0.0.1:2043 id 140 ssl  verify none resolvers globalresolvers send-proxy
      

      Moving the 'ssl' flag to the magic backend fixes the issue:

      backend WAN_HTTPS_ssl_ipvANY
      	mode			tcp
      	id			118
      	log			global
      	balance			roundrobin
      	timeout connect		30000
      	timeout server		7200000
      	retries			3
      	server			WAN_HTTPS 127.0.0.1:2043 id 119 ssl check-ssl  verify none resolvers globalresolvers send-proxy 
      
      backend WAN_HTTPS_ipvANY
      	mode			tcp
      	id			117
      	log			global
      	balance			roundrobin
      	timeout connect		30000
      	timeout server		7200000
      	retries			3
      	server			WAN_HTTPS 127.0.0.1:2043 id 100  resolvers globalresolvers send-proxy
      

      Hope this helps somebody fix it quick. Users and Devs alike. 😉

      Also Charles

      P 1 Reply Last reply Reply Quote 0
      • P
        PiBa @WispAwayIS
        last edited by

        @WispAwayIS
        Hi you can likely resolve the issue by configuring the two separated ssl checkboxes on the backend server configuration properly. Your screenshot above shows an old package version with only 1 ssl checkbox.

        As for the configuration upgrade in the pfSense package, yes i'm sorry there is a problem in some cases with it. But the package with 2 checkboxes has been around for quite a while now and i don't think i should try and fix the old upgrade code. As it seemed at the time there was a chance it would do the wrong thing either way.. i tried to upgrade it seamlessly but obviously there was a mistake in the 'config upgrade code' somewhere. But now it no-longer needs to 'auto-magically' determine if the backend should or shouldn't use ssl encryption for traffic, for checks or both.. Also i think most users have already upgraded their haproxy package quite a while.. but maybe i'm wrong there..

        1 Reply Last reply Reply Quote 0
        • dragoangelD
          dragoangel
          last edited by

          Forget about HAproxy "stable" - it like dinosaur, use only devel version which is "stable and old too but not dinosaur". I hope with pfSense 2.5 it will update to 1.9 or 2.0

          Latest stable pfSense on 2x XG-7100 and 1x Intel Xeon Server, running mutiWAN, he.net IPv6, pfBlockerNG-devel, HAProxy-devel, Syslog-ng, Zabbix-agent, OpenVPN, IPsec site-to-site, DNS-over-TLS...
          Unifi AP-AC-LR with EAP RADIUS, US-24

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.