Netgate Discussion Forum

    HAProxy Backend Problem since upgrade

      vito

      Hello,
      We had a working HAProxy setup on 2.4.5.x prior to upgrading to the current build.

      Setup:
      One shared front end with multiple backends (about 4)
      Front end cert is good (wildcard cert is used on the front end)
      Any of the backends that were configured to communicate on 443 / Encrypt fail to connect with a 503. (They all respond and work on 443 locally and internally.)

      We tried with the self-signed and real cert (importing the wildcard from pfSense to the backends), still nothing.
      Changing the backend to 80 (or a non-SSL port) works.

      Looking around it seems it is from the ssl handshake.

      ACLs are pretty basic... If host matches, use backend...

      I assume I am missing something in the newer HAProxyDev package to get this to work or bypass any cert verification?

      Any help is appreciated!

      Thanks in advance.

        vito

        UPDATE:
        This is an HA Proxy Dev problem, it appears.

        We had Dev on 2.4.5 prior to 21.0x.
        When updating, HA Proxy Dev went to a different version which is now not working with SSL backends. From what research we have seen and tried, it is an SSL handshake problem.
        We tried reduced SSL settings, real trusted certs... and so on.

        The only fix was to uninstall HA Dev and install the normal HA Proxy package.
        Same config, works fine. (Old 2.4.5 HA Dev is current 21.05.1 Prod HA Proxy... or close.)

        Not sure what changed in the versions to break our setup.

        Any insight would be appreciated if you have seen this behavior.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.