HAProxy - Slow "Establishing Secure Connection" ??
-
I have HAProxy and ACME set up. Domain is with NameCheap, Cloudflare is controlling the DNS. They have an A record that points to my public IP but they proxy it so my public IP is hidden. I also have DNSSEC enabled between Cloudflare and NameCheap. ACME registered a wildcard SSL. This SSL is applied to my internal-only sites.
I've noticed, primarily on Chromium-based browsers (although Firefox sort of has this issue too), that when loading an internal site with SSL, it hangs at "Establishing Secure Connection" for about 15 seconds. It eventually loads.
I never had this issue with Nginx Proxy Manager. Any ideas on what this could be? I noticed that support on HAProxy is a bit... slow; is there a more official spot? I'm trying to be patient... :)
Thank you in advance.
-
@creationguy So you notice this slowness when you access this site locally, or when remote or both?
I use Cloudflare for DNS, but I do not proxy - just DNS.
So the DNS query returns my actual public IP, so when internal I hit my pfSense WAN IP directly, and this gets proxied to my server and does SSL offload, via an ACME cert.
The same thing happens when remote: the user directly hits my pfSense WAN IP, and the same proxy happens with HAProxy.
In your setup with Cloudflare you would be hitting Cloudflare, and then it would talk to your WAN, and then it would be proxied again. This would happen both remotely and locally - unless you were doing a host override locally?
I would think running through 2 proxies could introduce a bit of a performance hit. How much that would be I can not say.. But it would be possible for that to cause some sort of delay, be it noticeable or not?
When you proxy SSL through Cloudflare, you are making an end-to-end connection to them via SSL, which has to go through the handshake; they then make another connection to your IP, and a new SSL connection has to be made.. And Cloudflare doesn't even start the connection to your actual IP until that first connection is established. So you could see how that could introduce some extra overhead..
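Added example (not code from either poster): a small Python diagnostic that uses curl's timing variables to split a page load into DNS, TCP connect, TLS handshake and first-byte phases, so a stall like the 15-second one above can be pinned to one phase. Running it once against the public hostname and once with the hostname pinned to the HAProxy LAN IP (the equivalent of the local host override johnpoz mentions) shows whether the extra Cloudflare hop is where the time goes. The URL, IP and sample timings below are placeholders I made up.

```python
"""Attribute a slow HTTPS load to DNS, TCP, TLS handshake or server response.
Added example; hostnames, IPs and sample numbers are constructed placeholders."""
import subprocess
from typing import Optional

PHASES = ("dns", "tcp_connect", "tls_handshake", "first_byte")


def attribute_phases(namelookup: float, connect: float,
                     appconnect: float, starttransfer: float) -> dict:
    """curl reports cumulative timestamps (seconds since start); convert them
    into per-phase durations. time_appconnect is when the TLS handshake ends."""
    return {
        "dns": namelookup,
        "tcp_connect": connect - namelookup,
        "tls_handshake": appconnect - connect,
        "first_byte": starttransfer - appconnect,
    }


def slowest_phase(phases: dict) -> str:
    """Name of the phase that consumed the most time."""
    return max(phases, key=phases.get)


def measure(url: str, resolve_to: Optional[str] = None) -> dict:
    """Run curl against url and return the phase breakdown.
    resolve_to pins the hostname to an IP (e.g. the HAProxy LAN address),
    which mimics a local host override and bypasses the Cloudflare proxy hop,
    so the two runs can be compared side by side."""
    fmt = "%{time_namelookup} %{time_connect} %{time_appconnect} %{time_starttransfer}"
    cmd = ["curl", "-sS", "-o", "/dev/null", "-w", fmt, url]
    if resolve_to:
        host = url.split("//", 1)[-1].split("/", 1)[0].split(":")[0]
        cmd += ["--resolve", f"{host}:443:{resolve_to}"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return attribute_phases(*map(float, out.split()))


if __name__ == "__main__":
    # Constructed sample: a load that stalls in the TLS handshake, as described.
    sample = attribute_phases(0.012, 0.030, 15.2, 15.3)
    for name in PHASES:
        print(f"{name:>14}: {sample[name]:7.3f}s")
    print("slowest:", slowest_phase(sample))
    # Live comparison (placeholders): measure("https://app.mydomain.net/") vs
    # measure("https://app.mydomain.net/", resolve_to="192.168.1.10")
```

If the handshake phase shrinks to a fraction of a second with the hostname pinned to the LAN IP, the delay sits in the Cloudflare-to-origin leg rather than in HAProxy itself.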
-
@johnpoz I'm not sure how to answer some of your questions with words as it's a learning curve for me.
I went from mydomain.lan to mydomain.net because I was tired of having to accept the SSL complaint from the browsers each time I used a new system or VM, etc.
I watched this video and did some research; basically, I don't do anything with the domain other than use it for the wildcard SSL. I only use Cloudflare for the A record proxy.
ACME registered the wildcard SSL and HAProxy is applying that to certain Docker containers on my Proxmox server.
Under System / General Setup
Domain: is mydomain.net
Is there a better way to accomplish SSL for internal sites? They will not be reachable externally except through WireGuard.
-
@creationguy
Any further ideas?