[CentOS] haproxy ssl

Tue Oct 18 02:52:44 UTC 2011
Tim Dunphy <bluethundr at jokefire.com>

hello list,

 I am attempting to load balance SSL web servers using haproxy on CentOS 5.7.

 I am using HA-Proxy version 1.4.18 


  Here is the stanza in the config regarding SSL:

   listen https 192.168.1.200:443
        mode tcp
        balance roundrobin
        option forwardfor except 192.168.1.200
        option redispatch
        maxconn 10000
        reqadd X-Forwarded-Proto:\ https
        server web1 web1.summitnjhome.com:443  maxconn 5000
        server web2 web2.summitnjhome.com:443  maxconn 5000

I can connect to https on each web server and have it serve content. The IP 192.168.1.200 is a virtual IP created with keepalived and floating between two load balancers.


 I can connect to the virtual IP via openssl s_client and GET /, where I see the source code for the home page:

  
 openssl s_client -connect 192.168.1.200:443


CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=NJ/L=Summit/O=SNJH/CN=*.example.com/emailAddress=bluethundr at example.com
   i:/C=US/ST=NJ/L=Summit/O=SNJH/CN=*.example.com/emailAddress=bluethundr at example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFejCCA2ICCQCjGRFk9cQ13zANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJV
UzELMAkGA1UECBMCTkoxDzANBgNVBAcTBlN1bW1pdDENMAsGA1UEChMEU05KSDEb
MBkGA1UEAwwSKi5zdW1taXRuamhvbWUuY29tMSYwJAYJKoZIhvcNAQkBFhdibHVl
dGh1bmRyQGpva2VmaXJlLmNvbTAeFw0xMTA5MjUwMjU4NTRaFw0xMjA5MjQwMjU4
NTRaMH8xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJOSjEPMA0GA1UEBxMGU3VtbWl0
...
-----END CERTIFICATE-----
subject=/C=US/ST=NJ/L=Summit/O=SNJH/CN=*.example.com/emailAddress=bluethundr at example.com
issuer=/C=US/ST=NJ/L=Summit/O=SNJH/CN=*.example.com/emailAddress=bluethundr at example.com
---
No client certificate CA names sent
---
SSL handshake has read 2361 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 74AE373F9F177593D9CF8FFDFE2EDEB6C11958BF03E5315FC49C0641A17A6277
    Session-ID-ctx: 
    Master-Key: E4C07C8D40B045FB30F612966F587AC30E3859913795B22D586D598F9EB3FE5BD97F6511920793E29EA363FE9A3961DD
    Key-Arg   : None
    Krb5 Principal: None
    Start Time: 1318902076
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
<html>
<head>
<img src='Illustration.jpg'</img>
</head>
</html>
closed

  For now it's just a demo page with more complex content living deeper in the directory structure. 

  A port scan with nmap shows that port 443 is open...


 [root at VIRTCENT02:~] #nmap -p 443 192.168.1.200

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-10-17 21:59 EDT
Interesting ports on 192.168.1.200:
PORT    STATE SERVICE
443/tcp open  https


And port 443 is being listened on..

  [root at VIRTCENT02:~] #lsof -i :443
COMMAND  PID    USER   FD   TYPE DEVICE SIZE NODE NAME
haproxy 1763 haproxy    6u  IPv4   7586       TCP VIRTUAL.example.com:https (LISTEN)

[root at VIRTCENT01:~] #netstat -tulpn | grep 443
tcp        0      0 192.168.1.200:443           0.0.0.0:*                   LISTEN      1752/haproxy


 But the page will not render in a web browser.

  Unable to connect
      
   Firefox can't establish a connection to the server at virtual.example.com.   

 And there is no activity in the haproxy debug logs when I hit the web page at this address, which should map to that IP.

 [root at VIRTCENT01:~] #host virtual.example.com
virtual.example.com has address 192.168.1.200

Thanks in advance!
tim
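
Added example for this thread (not code from the post or from the HAProxy project): an offline triage script that reads the kind of output shown above and separates what the transcript proves from what it does not. A completed handshake to the VIP shows that the TCP path and the haproxy listener work from the host where s_client was run; "Verify return code: 18" is a self-signed certificate, which a browser reports as a certificate warning rather than "Unable to connect"; and `option forwardfor` / `reqadd` are HTTP-mode directives that haproxy warns about and ignores under `mode tcp` (1.4 does not terminate SSL, so it never sees a request to add a header to). The sample transcript, `host` answer and stanza are abridged copies of the ones in the post; the VIP and hostname are the ones used there.

```python
"""Triage an HAProxy TCP-mode SSL pass-through that answers openssl s_client
but not a browser.  Added example for this thread, not code from the post.
Everything is parsed from pasted text, so it runs offline on captured output."""
import re

# Constructed sample data, abridged from the transcript in the post.
SAMPLE_S_CLIENT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=NJ/L=Summit/O=SNJH/CN=*.example.com/emailAddress=bluethundr@example.com
   i:/C=US/ST=NJ/L=Summit/O=SNJH/CN=*.example.com/emailAddress=bluethundr@example.com
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
SSL-Session:
    Protocol  : TLSv1
    Verify return code: 18 (self signed certificate)
"""
SAMPLE_HOST = "virtual.example.com has address 192.168.1.200"
SAMPLE_CONFIG = """\
listen https 192.168.1.200:443
    mode tcp
    balance roundrobin
    option forwardfor except 192.168.1.200
    option redispatch
    maxconn 10000
    reqadd X-Forwarded-Proto:\\ https
    server web1 web1.summitnjhome.com:443  maxconn 5000
    server web2 web2.summitnjhome.com:443  maxconn 5000
"""

# Directives HAProxy only honours in 'mode http'; in 'mode tcp' it warns at
# start-up and ignores them (the stream is still encrypted at the proxy).
HTTP_ONLY = ("option forwardfor", "reqadd", "reqrep", "rspadd")


def parse_s_client(text):
    """Pull the fields that matter out of an `openssl s_client` transcript."""
    info = {"connected": text.startswith("CONNECTED")}
    m = re.search(r"^\s*0 s:(.*)$", text, re.M)
    info["subject"] = m.group(1).strip() if m else None
    m = re.search(r"^\s*i:(.*)$", text, re.M)
    info["issuer"] = m.group(1).strip() if m else None
    m = re.search(r"/CN=([^/\n]+)", info["subject"] or "")
    info["cn"] = m.group(1) if m else None
    m = re.search(r"Protocol\s*:\s*(\S+)", text)
    info["protocol"] = m.group(1) if m else None
    m = re.search(r"Verify return code:\s*(\d+)\s*\((.*?)\)", text)
    info["verify_code"] = int(m.group(1)) if m else None
    info["verify_text"] = m.group(2) if m else None
    return info


def cn_matches(cn, hostname):
    """Wildcard check in the RFC 6125 style: '*' must be the whole leftmost
    label and matches exactly one label, so *.example.com does not cover
    a.b.example.com or the bare example.com."""
    cn, hostname = cn.lower(), hostname.lower()
    if not cn.startswith("*."):
        return cn == hostname
    labels = hostname.split(".")
    return len(labels) >= 2 and ".".join(labels[1:]) == cn[2:]


def parse_host_output(line):
    """Return (name, address) from a `host NAME` answer line."""
    m = re.match(r"(\S+) has address (\S+)", line.strip())
    return (m.group(1), m.group(2)) if m else (None, None)


def lint_tcp_stanza(config):
    """Report HTTP-only directives inside a listen block that is in mode tcp."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    mode = next((l.split()[1] for l in lines if l.startswith("mode ")), "http")
    ignored = [l for l in lines
               if mode == "tcp" and any(l.startswith(d) for d in HTTP_ONLY)]
    return mode, ignored


def triage(s_client_text, host_line, expected_vip, hostname, config):
    """Return (tcp_path_ok, findings) stating what each observation rules out."""
    findings = []
    tls = parse_s_client(s_client_text)
    name, addr = parse_host_output(host_line)
    if name != hostname or addr != expected_vip:
        findings.append("dns: %s does not resolve to %s here" % (hostname, expected_vip))
    else:
        findings.append("dns: %s -> %s (checked on this host only; repeat on the "
                        "machine running the browser)" % (hostname, addr))
    tcp_ok = tls["connected"] and bool(tls["protocol"])
    if tcp_ok:
        findings.append("tcp/tls: handshake to the VIP completed (%s), so the listener "
                        "is reachable from this host" % tls["protocol"])
    if tls["verify_code"]:
        findings.append("cert: verify code %d (%s); a browser would show a certificate "
                        "warning, not 'Unable to connect'" % (tls["verify_code"], tls["verify_text"]))
    if tls["cn"] and not cn_matches(tls["cn"], hostname):
        findings.append("cert: CN %s does not cover %s" % (tls["cn"], hostname))
    mode, ignored = lint_tcp_stanza(config)
    for directive in ignored:
        findings.append("config: '%s' is ignored in mode %s (HTTP-only directive)" % (directive, mode))
    return tcp_ok, findings


if __name__ == "__main__":
    ok, notes = triage(SAMPLE_S_CLIENT, SAMPLE_HOST, "192.168.1.200",
                       "virtual.example.com", SAMPLE_CONFIG)
    for note in notes:
        print(note)
```

To use it on a live system, capture `openssl s_client -connect VIP:443` and `host NAME` on the machine where Firefox runs (not on the load balancer) and feed that text in; a handshake that succeeds from the balancer but not from the client points at client-side resolution, routing or filtering rather than at haproxy or the certificate.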