HAProxy not working with SSL.



  • Hello folks,
    I cannot find a proper way to make HAProxy work.
    What I want to achieve is to make multiple websites on different servers that are inside my DMZ (with their own IP address and own SSL certificate) available on the internet. I can make this work for my http (port 80) website but not for my https (port 443) websites.
    So something like this.

    WAN -> virtual (PFsense) -> virtual (DMZ) -> virtual (oneOfMyWebsite):443

    I deleted my actual configuration file, but I made one with what I think to be correct:

    global
            maxconn                 10000
            stats socket /tmp/haproxy.socket level admin
            uid                     80
            gid                     80
            nbproc                  1
            hard-stop-after         15m
            chroot                  /tmp/haproxy_chroot
            daemon
            server-state-file /tmp/haproxy_server_state

    listen HAProxyLocalStats
            bind 127.0.0.1:4444 name localstats
            mode http
            stats enable
            stats admin if TRUE
            stats show-legends
            stats uri /haproxy/haproxy_stats.php?haproxystats=1
            timeout client 5000
            timeout connect 5000
            timeout server 5000

    frontend FrontEnd-SNI
            bind                    192.168.1.101:443 name 192.168.1.101:443
            mode                    tcp
            log                     global
            timeout client          30000
            tcp-request inspect-delay       5s
            acl                     portalsni       req.ssl_sni -i portal.example.org
            tcp-request content accept if { req.ssl_hello_type 1 }
            use_backend backendSNI_ipvANY  if  portalsni

    backend backendSNI_ipvANY
            mode                    tcp
            id                      100
            log                     global
            timeout connect         30000
            timeout server          30000
            retries                 3
            option                  httpchk OPTIONS /
            server                  portal 1.2.3.4:443 id 101 check inter 1000

    I don't want to use SSL offloading, I prefer to manage everything on the webservers.
    My pfSense is not running on port 443, so it should not interfere with the HAProxy utility.
    I have a rule on the WAN that opens port 443.

    Thanks for your help.



  • @Foloder
    So I presume portal.example.org resolves to the IP 192.168.1.101 on the client machine you're testing from?
    Also check HAProxy's stats page to verify that the server shows as 'up'; it probably needs 'ssl-checks' enabled on the backend server if it isn't.

    Other than that the config seems fine.


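For reference, here is an added example (not from either poster) of what the passthrough setup looks like once the reply's advice is taken: SNI-based routing for two sites with TLS kept end-to-end, and the backend health check done over TLS so the servers actually show as 'up'. The second hostname, the backend IPs and the CA-file path are placeholders.

```haproxy
global
        log /dev/log local0
        maxconn 10000
        daemon

defaults
        log     global
        mode    tcp
        option  tcplog
        timeout connect 5s
        timeout client  30s
        timeout server  30s

frontend FrontEnd-SNI
        bind 192.168.1.101:443
        # Wait (up to 5s) for the ClientHello before routing; without this
        # req.ssl_sni is evaluated on an empty buffer and no ACL matches.
        tcp-request inspect-delay 5s
        tcp-request content accept if { req.ssl_hello_type 1 }
        # One ACL per site; only the SNI is read, the TLS session is not terminated.
        acl sni_portal req.ssl_sni -i portal.example.org
        acl sni_shop   req.ssl_sni -i shop.example.org
        use_backend bk_portal if sni_portal
        use_backend bk_shop   if sni_shop
        # Unknown or missing SNI: drop the connection instead of falling
        # through to whichever backend happens to be listed first.
        default_backend bk_reject

backend bk_portal
        # The backend only speaks HTTPS, so the OPTIONS check must be sent
        # inside TLS (check-ssl) with the right SNI, or the server is marked DOWN.
        # verify/ca-file: validate the server cert against the internal CA
        # (placeholder path) rather than accepting any certificate.
        option httpchk OPTIONS /
        server portal 1.2.3.4:443 check check-ssl check-sni portal.example.org verify required ca-file /usr/local/etc/ssl/internal-ca.crt inter 1000

backend bk_shop
        option httpchk OPTIONS /
        server shop 1.2.3.5:443 check check-ssl check-sni shop.example.org verify required ca-file /usr/local/etc/ssl/internal-ca.crt inter 1000

backend bk_reject
        # No servers defined; reject explicitly so the client gets a clean close.
        tcp-request content reject
```

With this in place the stats page (HAProxyLocalStats above) should list both servers as UP; if one stays DOWN with a check failure, the CA file or the SNI used for the check is the first thing to look at.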