HAProxy not working with SSL.

  • Hello folks,
    I cannot find a proper way to make HAProxy work.
    What I want to achieve is to make multiple websites on different servers that are inside my DMZ (each with its own IP address and own SSL certificate) available on the internet. I can make this work for my http (port 80) website but not for my https (port 443) websites.
    So something like this:

    WAN -> virtual (pfSense) -> virtual (DMZ) -> virtual (oneOfMyWebsite):443

    I deleted my actual configuration file, but I made one with what I think to be correct:

    global
        maxconn                 10000
        stats socket /tmp/haproxy.socket level admin
        uid                     80
        gid                     80
        nbproc                  1
        hard-stop-after         15m
        chroot                  /tmp/haproxy_chroot
        server-state-file       /tmp/haproxy_server_state

    listen HAProxyLocalStats
        bind name localstats
        mode http
        stats enable
        stats admin if TRUE
        stats show-legends
        stats uri /haproxy/haproxy_stats.php?haproxystats=1
        timeout client 5000
        timeout connect 5000
        timeout server 5000

    frontend FrontEnd-SNI
        bind                    name
        mode                    tcp
        log                     global
        timeout client          30000
        tcp-request inspect-delay       5s
        acl                     portalsni       req.ssl_sni -i portal.example.org
        tcp-request content accept if { req.ssl_hello_type 1 }
        use_backend backendSNI_ipvANY  if  portalsni

    backend backendSNI_ipvANY
        mode                    tcp
        id                      100
        log                     global
        timeout connect         30000
        timeout server          30000
        retries                 3
        option                  httpchk OPTIONS /
        server                  portal id 101 check inter 1000

    I don't want to use SSL offloading; I prefer to manage everything on the webservers.
    My pfSense is not running on port 443, so it should not interfere with HAProxy.
    I have a rule that opens port 443 on the WAN.

    Thanks for your help.
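    The frontend above routes on the SNI field of the still-unencrypted ClientHello, which is why the config needs `tcp-request inspect-delay` and the `req.ssl_hello_type 1` guard: HAProxy must buffer a complete ClientHello before the `req.ssl_sni` ACL can match anything. As an added illustration (not part of the original post or of pfSense's generated config), the following Python script builds a constructed ClientHello carrying an SNI extension and applies the same matching logic; the names `build_client_hello`, `extract_sni` and `select_backend` are my own, not HAProxy's.

```python
import struct

def build_client_hello(server_name):
    """Constructed minimal TLS 1.2 ClientHello carrying a single SNI extension."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list        # extension type 0 = SNI
    body = (b"\x03\x03" + b"\x11" * 32                           # version, fixed random
            + b"\x00"                                            # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                 # one cipher suite
            + b"\x01\x00"                                        # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(data):
    """Return (handshake_type, sni) from the first TLS record, like req.ssl_hello_type /
    req.ssl_sni. Raises ValueError while the record is incomplete (inspect-delay state)."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    if len(data) < 5 + rec_len:
        raise ValueError("incomplete ClientHello: keep buffering")
    hs = data[5:5 + rec_len]
    hello_type = hs[0]
    if hello_type != 1:
        return hello_type, None
    pos = 4 + 2 + 32                                    # header, version, random
    pos += 1 + hs[pos]                                  # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher suites
    pos += 1 + hs[pos]                                  # compression methods
    if pos >= len(hs):
        return hello_type, None                         # no extensions at all
    ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == 0:                                  # list len(2), name_type(1), len(2)
            nlen = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hello_type, hs[pos + 5:pos + 5 + nlen].decode("ascii")
        pos += elen
    return hello_type, None

def select_backend(data, acl_name="portal.example.org"):
    """Mirror the posted frontend: ClientHello only, SNI matched case-insensitively (-i)."""
    hello_type, sni = extract_sni(data)
    if hello_type == 1 and sni and sni.lower() == acl_name.lower():
        return "backendSNI_ipvANY"
    return None
```

    A name that matches no ACL yields no backend, which in the posted config means the connection is dropped rather than forwarded; that is one thing to look for when a site "just hangs" behind the SNI frontend.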

  • @Foloder
    So I presume portal.example.org resolves to the IP on the client machine you're testing from?
    Also check HAProxy's stats page to verify that the server shows as 'up'; it probably needs 'ssl-checks' enabled on the backend server if it isn't.

    Other than that, the config seems fine.