Any issues doing reverse proxy to a backend SSL connection?


#1

I am working through an issue where I can’t quite get HAProxy 1.7 to properly reverse proxy to a non-SSL connection to the backend server (Tomcat server on port 8090). The config line that fails is:
server <myhost.domain.com>:8090 maxconn 1000

However, if I configure HAProxy to proxy to an SSL connection on the backend server (port 8443) using the following line, it proxies without issue:
server <myhost.domain.com>:8443 ssl verify none cookie s1 maxconn 1000

Is there any downside to proxying a front end SSL (443) to a backend SSL connection (8443)?


#2

A few questions:

  • exactly what does fail mean? What error do you see?
  • what does curl -vv http://myhost.domain.com:8090 from the haproxy instance show?
  • why don’t you configure the cookie setting in the plaintext case?
  • what does the rest of the configuration, especially the frontend look like?

Certainly more load on the proxy and your backend comes to mind.


#3

The error is that the browser comes back saying “Error 503 Service Unavailable. No server is available to handle this request.”

The result of curl is as follows:

GET / HTTP/1.1
User-Agent: curl/7.29.0
Host: <myhost.domain.com>:8090
Accept: */*

< HTTP/1.1 302 Found
< Server: Apache-Coyote/1.1
< X-ASEN: SEN-10676748
< X-Confluence-Request-Time: 1517928298289
< X-Confluence-Cluster-Node: 386cbf39
< Set-Cookie: JSESSIONID=A13A927C9326F53452F421FFFA9C7E81; Path=/; Secure; HttpOnly
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< Content-Security-Policy: frame-ancestors 'self'
< Location: /login.action?os_destination=%2Findex.action&permissionViolation=true
< Content-Type: text/html;charset=UTF-8
< Content-Length: 0
< Date: Tue, 06 Feb 2018 14:44:58 GMT
<

The front end configuration is as follows:

frontend confluence_http_insecure
bind *:80
redirect scheme https if !{ ssl_fc }

frontend confluence_http_secure
mode http
bind *:443 ssl crt /etc/pki/tls/keystore/.pem
reqadd X-Forwarded-Proto:\ https
reqadd X_Forwarded-Port:\ 443
default_backend confluence_http_backend


#4

Additionally, this is what the Tomcat configuration looks like:

   <!-- Tomcat HTTP connector; secure/scheme/proxyName/proxyPort tell Tomcat it sits behind an HTTPS proxy -->
   <Connector port="8090"
              connectionTimeout="20000"
              redirectPort="8443"
              maxThreads="48" minSpareThreads="10"
              enableLookups="false"
              acceptCount="10"
              debug="0"
              URIEncoding="UTF-8"
              protocol="org.apache.coyote.http11.Http11NioProtocol"
              secure="true"
              scheme="https"
              proxyName="<myhost.domain.com>"
              proxyPort="443" />

#5

Can you provide the “curl -vv” output against the frontend when the issue occurs (showing the 503 error) and can you provide the log message from haproxy (see example logging configuration)?


#6

Here are the results of curl -vv <myhost.domain.com>. I can’t determine if the 503 is being generated from the backend server, or the HAProxy:

About to connect() to <myhost.domain.com> port 443 (#0)
Trying 10.20.5.81…
Connected to wiki.corp.xperi.com (10.20.5.81) port 443 (#0)
Initializing NSS with certpath: sql:/etc/pki/nssdb
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Server certificate:
subject: CN=*.<mydomain.com,OU=Business Technologies,O=,L=San Jose,ST=CA,C=US
start date: Oct 31 00:00:00 2017 GMT
expire date: Nov 04 12:00:00 2020 GMT
common name: *.corp.xperi.com
issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
GET / HTTP/1.1
User-Agent: curl/7.29.0
Host: <myhost.domain.com>
Accept: */*

HTTP 1.0, assume close after body
HTTP/1.0 503 Service Unavailable
Cache-Control: no-cache
Connection: close
Content-Type: text/html

503 Service Unavailable

No server is available to handle this request. Closing connection 0

#7

It’s haproxy that is generating the 503. That’s why we need to see the haproxy log.
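As an added example (not from the thread), a small Python triage of HAProxy httplog lines that separates a 503 haproxy produced itself (server `<NOSRV>`, or a termination state ending the session in the connect phase) from a status the backend returned. It assumes `option httplog` is enabled in the defaults section and runs over constructed log lines; the server name `s1` is an assumption.

```python
import re

# Layout of an HAProxy "option httplog" line after the syslog prefix (HAProxy 1.7 docs, 8.2.3):
# client [accept_date] frontend backend/server Tq/Tw/Tc/Tr/Tt status bytes rcookie scookie term ...
HTTPLOG_RE = re.compile(
    r'haproxy\[\d+\]: (?P<client>\S+) \[[^\]]+\] (?P<frontend>\S+) '
    r'(?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<tq>-?\d+)/(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tr>-?\d+)/(?P<tt>\d+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) \S+ \S+ (?P<term>\S{4}) ')

# First character of the 4-char termination state (HAProxy docs, section 8.5).
FIRST_CHAR = {'-': 'normal completion', 'C': 'client aborted', 'c': 'client-side timeout',
              'S': 'server refused or aborted the connection', 's': 'server-side timeout',
              'P': 'proxy blocked or rejected the request', 'R': 'proxy resource exhausted',
              'I': 'internal proxy error', 'D': 'session killed, server went down'}

def triage(line):
    # Returns who produced the status code of one httplog line, or None if it is not one.
    m = HTTPLOG_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    term = f['term']
    if f['server'] == '<NOSRV>':
        # haproxy never tried a server: every server in the backend is down or none is usable
        origin, reason = 'haproxy', 'no usable server in backend ' + f['backend']
    elif term[0] == '-':
        # '----' means the response came back from the server and was forwarded as-is
        origin, reason = 'backend', 'response forwarded from server ' + f['server']
    elif term[1] == 'C':
        # second char 'C' = session ended in the connect phase (Tc is -1 in that case)
        origin, reason = 'haproxy', 'connect to %s failed: %s' % (f['server'], FIRST_CHAR.get(term[0], 'unknown'))
    else:
        origin, reason = 'haproxy', FIRST_CHAR.get(term[0], 'unknown termination state ' + term)
    return {'status': int(f['status']), 'server': f['server'], 'term': term,
            'origin': origin, 'reason': reason}

def triage_log(text):
    # Triage every parsable line of a syslog extract; non-httplog lines are skipped.
    return [r for r in map(triage, text.splitlines()) if r]

# Constructed sample lines (not from the thread); "s1" is an assumed server name.
SAMPLE_LOG = """\
Feb  5 20:30:01 localhost haproxy[22577]: 10.20.5.10:51234 [05/Feb/2018:20:30:01.120] confluence_http_secure~ confluence_http_backend/<NOSRV> 0/-1/-1/-1/0 503 212 - - SC-- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
Feb  5 20:30:05 localhost haproxy[22577]: 10.20.5.10:51240 [05/Feb/2018:20:30:05.004] confluence_http_secure~ confluence_http_backend/s1 0/0/-1/-1/3002 503 212 - - SC-- 1/1/0/0/3 0/0 "GET / HTTP/1.1"
Feb  5 20:30:09 localhost haproxy[22577]: 10.20.5.10:51244 [05/Feb/2018:20:30:09.331] confluence_http_secure~ confluence_http_backend/s1 0/0/1/18/19 302 603 - - ---- 1/1/0/1/0 0/0 "GET / HTTP/1.1"
"""
if __name__ == '__main__':
    for r in triage_log(SAMPLE_LOG):
        print('%d from %s (%s): %s' % (r['status'], r['origin'], r['term'], r['reason']))
```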


#8

All the haproxy logging that I’m getting from the /var/log/syslog on the machine (CentOS 7.x) is the following:

2018-02-05T20:25:31-08:00 localhost haproxy[22525]: Proxy confluence_http_insecure started.
2018-02-05T20:25:31-08:00 localhost haproxy[22525]: Proxy confluence_http_secure started.
2018-02-05T20:25:31-08:00 localhost haproxy[22525]: Proxy confluence_http_backend started.
2018-02-05T20:28:03-08:00 localhost haproxy[22556]: Proxy confluence_http_insecure started.
2018-02-05T20:28:03-08:00 localhost haproxy[22556]: Proxy confluence_http_secure started.
2018-02-05T20:28:03-08:00 localhost haproxy[22556]: Proxy confluence_http_backend started.
2018-02-05T20:29:24-08:00 localhost haproxy[22577]: Proxy confluence_http_insecure started.
2018-02-05T20:29:24-08:00 localhost haproxy[22577]: Proxy confluence_http_secure started.
2018-02-05T20:29:24-08:00 localhost haproxy[22577]: Proxy confluence_http_backend started.


#9

Please configure it like in this example here:


#10

You’re referring to just changing:

global
log 127.0.0.1 local2 info

to:

global
log 127.0.0.1 syslog debug

And this is the compatible syntax for CentOS 7.x?


#11

No, you need all of them.