[CentOS] haproxy ssl

Tue Oct 18 12:34:13 UTC 2011
Brian Mathis <brian.mathis+centos at betteradmin.com>

On Mon, Oct 17, 2011 at 10:52 PM, Tim Dunphy <bluethundr at jokefire.com> wrote:
> hello list,
>
>  I am attempting to load balance SSL web servers using haproxy on centos 5.7.
>
>  I am using HA-Proxy version 1.4.18
>
>  Here is the stanza in the config regarding SSL:
>
>   listen https 192.168.1.200:443
>        mode tcp
>        balance roundrobin
>        option forwardfor except 192.168.1.200
>        option redispatch
>        maxconn 10000
>        reqadd X-Forwarded-Proto:\ https
>        server web1 web1.summitnjhome.com:443  maxconn 5000
>        server web2 web2.summitnjhome.com:443  maxconn 5000
>
> I can connect to https on each web server and have it serve content. the IP 192.168.1.200 is a virtual IP created with keepalived and floating between two load balancers.
>
>  I can connect to the virtual ip via openssl s_connect and GET / where i see the source code for the home page
>
>  For now it's just a demo page with more complex content living deeper in the directory structure.
>
>  A port scan with nmap shows that port 443 is open...
>
> And the port 443 is being listened to..
>
>  But a page will not render in a web page.
>
>   Firefox can't establish a connection to the server at virtual.example.com.
>
>  And there is no activity in the haproxy debug logs when I hit the web page at this address which should map to that ip.
>
>  [root at VIRTCENT01:~] #host virtual.example.com
> virtual.example.com has address 192.168.1.200
>
> Thanks in advance!
> tim


You cannot use haproxy with SSL.  You need to terminate the SSL
connection before reaching haproxy, such as (already mentioned) using
apache as a front end proxy.  Then on the backend you need to connect
to the node servers using http, not SSL (using SSL there is a waste of
resources anyway).

HAproxy needs to be able to see the http traffic, and especially since
you are using 'reqaddd' to add something into the stream.  You can't
do any of that using tcp mode, nor can you get any kind of session
stickyness with tcp load balancing.

Tcp mode is only meant for things that keep a persistent connection,
not http that uses multiple non-persistent connections.


-☙ Brian Mathis ❧-