hello list,
I am attempting to load balance SSL web servers using haproxy on centos 5.7.
I am using HA-Proxy version 1.4.18
Here is the stanza in the config regarding SSL:
listen https 192.168.1.200:443 mode tcp balance roundrobin option forwardfor except 192.168.1.200 option redispatch maxconn 10000 reqadd X-Forwarded-Proto:\ https server web1 web1.summitnjhome.com:443 maxconn 5000 server web2 web2.summitnjhome.com:443 maxconn 5000
I can connect to https on each web server and have it serve content. the IP 192.168.1.200 is a virtual IP created with keepalived and floating between two load balancers.
I can connect to the virtual ip via openssl s_connect and GET / where i see the source code for the home page
openssl s_client -connect 192.168.1.200:443
CONNECTED(00000003) --- Certificate chain 0 s:/C=US/ST=NJ/L=Summit/O=SNJH/CN=*.example.com/emailAddress=bluethundr@example.com i:/C=US/ST=NJ/L=Summit/O=SNJH/CN=*.example.com/emailAddress=bluethundr@example.com --- Server certificate -----BEGIN CERTIFICATE----- MIIFejCCA2ICCQCjGRFk9cQ13zANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJV UzELMAkGA1UECBMCTkoxDzANBgNVBAcTBlN1bW1pdDENMAsGA1UEChMEU05KSDEb MBkGA1UEAwwSKi5zdW1taXRuamhvbWUuY29tMSYwJAYJKoZIhvcNAQkBFhdibHVl dGh1bmRyQGpva2VmaXJlLmNvbTAeFw0xMTA5MjUwMjU4NTRaFw0xMjA5MjQwMjU4 NTRaMH8xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJOSjEPMA0GA1UEBxMGU3VtbWl0 MQ0wCwFAKEFDATA4Yj2LgSBwxezlE CMmqfE0Sg0lgKe3jmyzNHCAHGrzMKVdIUW7UBI+V4wZyE08Mw3HUh13To6DzBnmp ET+zvFk5uUnbpzk3FWYFPPxiESuIEQKmi+MzrPnM6hjKc+Caq7rBxdWvg0d8eNsN t2+UJxTJpnucgnAtIbAktNlsbYhb4Yw9iFs1YecPqvtaS22ZsChmlDAwpQYhn88p OK+K9qOg8bMYThe6xPaAK1sMk+YfmhSPIaT974FYSIeFeY8fFa8zIZbiUcSxOnyM fI/xh2uMwJkpxzHBXJWQxP3LZlgghSyuzL9j/g16xLZ3BotYwTGqHzMuoDVXQijq 92YTmeSl5bPaNro1stExh4ug+zk2IqrowciZ1Ehk1vQKCl31GjLKFX1P3fhwjt0o /lQBnIgRtBFSI9RVP41+PTPjXXVzhqlgf3h1oFJ36sOQeg8342Hu0UWFg6gpy+q/ 7iyuVV0CAwEAATANBgkqhkiG9w0BAQUFAAOCAgEABdQxDHPkpQV+A1RnwGP9nGNC 1uR+MTnuuowiUIEsTkSTipSlviVHlJx8CYDkQ3kcBiPJk6SjuOT8WrFu9D7+nAr8 7SNGknoe7flxhxI0fIqeLaQIncEAliv5mzw/agj2htn7GTmhP3At+JD3e3FYCrLI kUoom53wLzJvoSu2ixBdY9yLQePC5AYBIlI6RVyCLMPQVen0fvgI7Ecyx+vvpjvD Cu+rnGKxplPwROlFe2NPrLrV7pnGYGNcLSkO5fF32b3XvKob+xRG+rCUvmYtHA6y 6lEOBz8prwfc6ZTum+9vpb5ONmWtSaYn7mjPR/jw55kLSZ+NggW5YH6lqL8jb8b0 kNHZKgInSFSmoMY2W7pEq4ZQ5S8m5VrruBzqXNnCJ5NmQqF8bM97k81ATZoZ+r6z oo51BfFGJSQdnGJNDJnBnl7bf9ynSbkYV3VidRNGHm+Gr/YYP32ITihlZLTioCmk Wt+2x0xRk5jUS+MjCn5ozYTph3PxU/wW913+HCjDzx0g4fDLYW+YbWmV4zdls/Z7 pxdYaFDR594Ov1H7E2wPZeWBmR+7kT2ZFwOXVQb0qF2Dx5Q0dbZ9TEu8rTJ7jdjD he/odOx11Qmiau/UYd5c0Pop6dJu3NhnlromNSAKR5QlTWE4UerOOyxwV+OklsDt 8qijXOiRdqk4efqL4cs= -----END CERTIFICATE----- subject=/C=US/ST=NJ/L=Summit/O=SNJH/CN=*.example.com/emailAddress=bluethundr@example.com issuer=/C=US/ST=NJ/L=Summit/O=SNJH/CN=*.example.com/emailAddress=bluethundr@example.com --- No client certificate CA names sent --- SSL handshake has read 2361 bytes and written 319 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 4096 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: 74AE373F9F177593D9CF8FFDFE2EDEB6C11958BF03E5315FC49C0641A17A6277 Session-ID-ctx: Master-Key: E4C07C8D40B045FB30F612966F587AC30E3859913795B22D586D598F9EB3FE5BD97F6511920793E29EA363FE9A3961DD Key-Arg : None Krb5 Principal: None Start Time: 1318902076 Timeout : 300 (sec) Verify return code: 18 (self signed certificate) --- <html> <head> <img src='Illustration.jpg'</img> </head> </html> closed
For now it's just a demo page with more complex content living deeper in the directory structure.
A port scan with nmap shows that port 443 is open...
[root@VIRTCENT02:~] #nmap -p 443 192.168.1.200
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-10-17 21:59 EDT Interesting ports on 192.168.1.200: PORT STATE SERVICE 443/tcp open https
And the port 443 is being listened to..
[root@VIRTCENT02:~] #lsof -i :443 COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME haproxy 1763 haproxy 6u IPv4 7586 TCP VIRTUAL.example.com:https (LISTEN)
[root@VIRTCENT01:~] #netstat -tulpn | grep 443 tcp 0 0 192.168.1.200:443 0.0.0.0:* LISTEN 1752/haproxy
But a page will not render in a web page.
Unable to connect
Firefox can't establish a connection to the server at virtual.example.com.
And there is no activity in the haproxy debug logs when I hit the web page at this address which should map to that ip.
[root@VIRTCENT01:~] #host virtual.example.com virtual.example.com has address 192.168.1.200
Thanks in advance! tim
From: Tim Dunphy bluethundr@jokefire.com
I am attempting to load balance SSL web servers using haproxy on centos 5.7. I am using HA-Proxy version 1.4.18
Never used haproxy but maybe you want 'option ssl-hello-chk'... But search for "Since haproxy does not handle SSL" in their architecture (although old) doc... Anyway, you'd get more answers if you ask their mailing list...
JD
On Tue, 2011-10-18 at 02:52 +0000, Tim Dunphy wrote:
hello list,
I am attempting to load balance SSL web servers using haproxy on centos 5.7.
I am using HA-Proxy version 1.4.18
Here is the stanza in the config regarding SSL:
listen https 192.168.1.200:443 mode tcp balance roundrobin option forwardfor except 192.168.1.200 option redispatch maxconn 10000 reqadd X-Forwarded-Proto:\ https server web1 web1.summitnjhome.com:443 maxconn 5000 server web2 web2.summitnjhome.com:443 maxconn 5000
I can connect to https on each web server and have it serve content. the IP 192.168.1.200 is a virtual IP created with keepalived and floating between two load balancers.
I can connect to the virtual ip via openssl s_connect and GET / where i see the source code for the home page
<<<< snip >>>>
And the port 443 is being listened to..
[root@VIRTCENT02:~] #lsof -i :443 COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME haproxy 1763 haproxy 6u IPv4 7586 TCP VIRTUAL.example.com:https (LISTEN)
[root@VIRTCENT01:~] #netstat -tulpn | grep 443 tcp 0 0 192.168.1.200:443 0.0.0.0:* LISTEN 1752/haproxy
But a page will not render in a web page.
Unable to connect
Firefox can't establish a connection to the server at virtual.example.com.
And there is no activity in the haproxy debug logs when I hit the web page at this address which should map to that ip.
[root@VIRTCENT01:~] #host virtual.example.com virtual.example.com has address 192.168.1.200
Thanks in advance!
---- I think your setup seems mostly ok but I ended up giving up on haproxy for SSL connections for a few reasons including limitations for handling/forwarding headers & source IP addresses. I also found it easier to use nginx (or apache I suppose) to handle the first connection (terminate the SSL connection for the browser as a proxy) and to use normal http for haproxy load balancing (which then can use http mode instead of tcp mode and forward added headers) to the actual web servers.
Craig
On Mon, Oct 17, 2011 at 10:52 PM, Tim Dunphy bluethundr@jokefire.com wrote:
hello list,
I am attempting to load balance SSL web servers using haproxy on centos 5.7.
I am using HA-Proxy version 1.4.18
Here is the stanza in the config regarding SSL:
listen https 192.168.1.200:443 mode tcp balance roundrobin option forwardfor except 192.168.1.200 option redispatch maxconn 10000 reqadd X-Forwarded-Proto:\ https server web1 web1.summitnjhome.com:443 maxconn 5000 server web2 web2.summitnjhome.com:443 maxconn 5000
I can connect to https on each web server and have it serve content. the IP 192.168.1.200 is a virtual IP created with keepalived and floating between two load balancers.
I can connect to the virtual ip via openssl s_connect and GET / where i see the source code for the home page
For now it's just a demo page with more complex content living deeper in the directory structure.
A port scan with nmap shows that port 443 is open...
And the port 443 is being listened to..
But a page will not render in a web page.
Firefox can't establish a connection to the server at virtual.example.com.
And there is no activity in the haproxy debug logs when I hit the web page at this address which should map to that ip.
[root@VIRTCENT01:~] #host virtual.example.com virtual.example.com has address 192.168.1.200
Thanks in advance! tim
You cannot use haproxy with SSL. You need to terminate the SSL connection before reaching haproxy, such as (already mentioned) using apache as a front end proxy. Then on the backend you need to connect to the node servers using http, not SSL (using SSL there is a waste of resources anyway).
HAproxy needs to be able to see the http traffic, and especially since you are using 'reqaddd' to add something into the stream. You can't do any of that using tcp mode, nor can you get any kind of session stickyness with tcp load balancing.
Tcp mode is only meant for things that keep a persistent connection, not http that uses multiple non-persistent connections.
-☙ Brian Mathis ❧-
On Tue, Oct 18, 2011 at 08:34:13AM -0400, Brian Mathis wrote:
You cannot use haproxy with SSL. You need to terminate the SSL connection before reaching haproxy, such as (already mentioned) using apache as a front end proxy.
apache.. or stunnel, or stux, or nginx, or <you name any other ssl capable frontend here>..
-- Pasi
-
Brian Mathis -
Craig White -
John Doe -
Pasi Kärkkäinen -
Tim Dunphy