Netgate Discussion Forum

HAProxy not working with SSL.

  • Foloder
    Jan 4, 2020, 4:14 PM (last edited by Foloder Jan 4, 2020, 5:04 PM)

    Hello folks,
    I cannot find a proper way to make HAProxy work.
    What I want to achieve is to make multiple websites on different servers that are inside my DMZ (each with its own IP address and its own SSL certificate) available on the internet. I can make this work for my http (port 80) website but not for my https (port 443) websites.
    So something like this:

    WAN -> virtual (PFsense) -> virtual (DMZ) -> virtual (oneOfMyWebsite):443

    I deleted my actual configuration file, but I made one with what I think to be correct:

    global
            maxconn                 10000
            stats socket /tmp/haproxy.socket level admin
            uid                     80
            gid                     80
            nbproc                  1
            hard-stop-after         15m
            chroot                  /tmp/haproxy_chroot
            daemon
            server-state-file /tmp/haproxy_server_state

    listen HAProxyLocalStats
            bind 127.0.0.1:4444 name localstats
            mode http
            stats enable
            stats admin if TRUE
            stats show-legends
            stats uri /haproxy/haproxy_stats.php?haproxystats=1
            timeout client 5000
            timeout connect 5000
            timeout server 5000

    # TLS passthrough: HAProxy never decrypts, it only reads the SNI from the ClientHello
    frontend FrontEnd-SNI
            bind                    192.168.1.101:443 name 192.168.1.101:443
            mode                    tcp
            log                     global
            timeout client          30000
            # wait up to 5s for the ClientHello so req.ssl_sni can be evaluated
            tcp-request inspect-delay       5s
            acl                     portalsni       req.ssl_sni -i portal.example.org
            tcp-request content accept if { req.ssl_hello_type 1 }
            use_backend backendSNI_ipvANY  if  portalsni

    backend backendSNI_ipvANY
            mode                    tcp
            id                      100
            log                     global
            timeout connect         30000
            timeout server          30000
            retries                 3
            # health check is a plain HTTP OPTIONS request sent to a TLS port (no check-ssl)
            option                  httpchk OPTIONS /
            server                  portal 1.2.3.4:443 id 101 check inter 1000


    I don't want to use SSL offloading; I prefer to manage everything on the webservers.
    My pfSense is not running on port 443, so it should not interfere with the HAProxy utility.
    I have a rule that opens port 443 on the WAN.

    Thanks for your help.

    • PiBa @Foloder
      Jan 5, 2020, 1:26 AM

      @Foloder
      So I presume portal.example.org resolves to the IP 192.168.1.101 on the client machine you're testing from?
      Also check HAProxy's stats page to verify that the server shows as 'up'; it probably needs 'ssl-checks' enabled on the backend server if it isn't.

      Other than that the config seems fine.

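As an added example (not code from the thread, pfSense or HAProxy), a small Python linter that parses a HAProxy config and flags the two passthrough pitfalls in play here: the backend health check PiBa mentions (option httpchk against a :443 server without check-ssl) and, going beyond the thread, a frontend that uses req.ssl_sni without the tcp-request inspect-delay it depends on. The sample config and finding texts are constructed, and treating port 443 as "this server speaks TLS" is an assumption.

```python
import re
# Constructed sample (not the poster's full config): the thread's SNI frontend and backend, check left as plain HTTP.
SAMPLE_CFG = """\
frontend FrontEnd-SNI
        mode tcp
        tcp-request inspect-delay 5s
        acl portalsni req.ssl_sni -i portal.example.org
        use_backend backendSNI_ipvANY if portalsni

backend backendSNI_ipvANY
        mode tcp
        option httpchk OPTIONS /
        server portal 1.2.3.4:443 id 101 check inter 1000
"""

def parse_sections(cfg):
    """Split a HAProxy config into (kind, name, [directive lines]) tuples."""
    sections, current = [], None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)", line)
        if m:
            current = (m.group(1), m.group(2), [])
            sections.append(current)
        elif current is not None:
            current[2].append(line)
    return sections

def lint_passthrough(cfg):
    """Return findings for common TLS-passthrough mistakes, in config order."""
    findings = []
    for kind, name, lines in parse_sections(cfg):
        if kind == "frontend":
            # req.ssl_sni needs the buffered ClientHello, i.e. a tcp-request inspect-delay
            if any("req.ssl_sni" in l for l in lines) and not any(
                    l.startswith("tcp-request inspect-delay") for l in lines):
                findings.append(f"{name}: req.ssl_sni used without tcp-request inspect-delay")
        if kind in ("backend", "listen"):
            httpchk = any(l.startswith("option httpchk") for l in lines)
            for l in lines:
                t = l.split()
                # Assumption: a :443 server speaks TLS, so a cleartext httpchk probe never gets an answer (server stays DOWN)
                if (httpchk and t[0] == "server" and "check" in t
                        and t[2].endswith(":443") and not {"ssl", "check-ssl"} & set(t)):
                    findings.append(f"{name}/{t[1]}: option httpchk sends a plaintext HTTP "
                                    f"check to {t[2]} (add check-ssl to the server line)")
    return findings
```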
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.