AWS NLB -> HA TCP (sni) -> ALB (Certs Term SSL)


#1

Has anyone done the configuration I am describing here? I tried with versions 1.8.8 / 1.8.9.

Somehow it seems the connection gets established (and uses the H2 protocol), but at some point some of the HTTPS requests fail with an "invalid SSL response" type of error.

frontend marathon_https_proxy_in
  bind-process 2
  bind *:442  # accept-proxy (cannot use accept proxy?)
  mode tcp

  # wait up to 5s for the TLS ClientHello (handshake type 1), then route on its SNI
  tcp-request inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }
  acl simpletest req.ssl_sni -i a.domain.i.own.com  # ext1
  use_backend alb_external_ssl if simpletest req.ssl_sni  # ext2

backend alb_external_ssl
  mode tcp
  # health check: send a ClientHello, expect a ServerHello back (no TLS termination here)
  option ssl-hello-chk
  default-server init-addr none resolvers dns resolve-prefer ipv4
  server amazon-internal-alb-1 testalb.us-east-1.elb.amazonaws.com:443 resolvers dns resolve-prefer ipv4
  server amazon-internal-alb-2 testalb.us-east-1.elb.amazonaws.com:443 resolvers dns resolve-prefer ipv4

Is something like this supposed to work? I believe ALB doesn't support the PROXY protocol (yet), so unfortunately the IP of the original request is lost as well...

Any input would be interesting if anyone else has tried this.


#2

use_backend alb_external_ssl if simpletest req.ssl_sni # ext2

use_backend alb_external_ssl if simpletest


#3

Err, yes, I mis-copy/pasted while editing. But that is how my ruleset is.


#4

The actual error I receive after a few (HTTP/2) requests is: "Failed to load resource: net::ERR_SSL_PROTOCOL_ERROR"


#5

I figured out with multiple different configs that at first it works, then after a few requests it receives ERR_SSL_PROTOCOL_ERROR, and at some point the worker process dies too...

This was using the latest 1.9-dev from GitHub. I believe it probably has something to do with HTTP/2.

I don't think HAProxy (without SSL on it) can tell the client to only use the HTTP/1.1 protocol?
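To make concrete what the `req_ssl_hello_type 1` / `req.ssl_sni` rules in post #1 actually look at, and why the question in post #5 about forcing HTTP/1.1 comes up, here is an added example (not code from the original posts or from HAProxy) that builds a minimal TLS ClientHello and parses the SNI and ALPN extensions out of it the way a TCP-mode proxy has to. The ClientHello bytes are constructed in the script, not captured; the hostnames and backend name are the ones from the posted config and are used only as illustration.

```python
"""Inspect a TLS ClientHello the way a TCP-mode (passthrough) proxy does.

Added example, not part of the original thread. In TCP mode the proxy never
terminates TLS: it only sees the raw ClientHello, picks the SNI out of it to
choose a backend, and forwards the bytes untouched. The ALPN list ("h2",
"http/1.1") travels inside that same ClientHello, so the client and the TLS
terminator behind the proxy negotiate the protocol between themselves.
"""
import struct

TLS_HANDSHAKE = 0x16
HELLO_TYPE_CLIENT_HELLO = 1   # the value matched by "req_ssl_hello_type 1"
EXT_SNI = 0x0000              # RFC 6066 server_name
EXT_ALPN = 0x0010             # RFC 7301 application_layer_protocol_negotiation


def build_client_hello(server_name, alpn_protocols):
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input)."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host     # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", EXT_SNI, len(sni_list)) + sni_list

    protos = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn_protocols)
    alpn_list = struct.pack("!H", len(protos)) + protos
    alpn_ext = struct.pack("!HH", EXT_ALPN, len(alpn_list)) + alpn_list

    extensions = sni_ext + alpn_ext
    body = (
        b"\x03\x03"                 # client_version: TLS 1.2
        + bytes(32)                 # client random (zeros; constructed)
        + b"\x00"                   # session_id length 0
        + b"\x00\x02\x13\x01"       # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"               # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([HELLO_TYPE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Return (sni, alpn_list), or None if the bytes are not a TLS ClientHello."""
    if len(data) < 5 or data[0] != TLS_HANDSHAKE:
        return None                                   # not a TLS handshake record
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != HELLO_TYPE_CLIENT_HELLO:
        return None                                   # handshake but not a ClientHello
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                      # skip version + random
    pos += 1 + body[pos]                              # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                              # compression_methods
    sni, alpn = None, []
    if pos + 2 > len(body):
        return sni, alpn                              # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        edata = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SNI:
            p = 2                                     # skip ServerNameList length
            while p + 3 <= len(edata):
                ntype, nlen = edata[p], struct.unpack("!H", edata[p + 1:p + 3])[0]
                name = edata[p + 3:p + 3 + nlen]
                p += 3 + nlen
                if ntype == 0:
                    sni = name.decode("ascii")
        elif etype == EXT_ALPN:
            p = 2                                     # skip ProtocolNameList length
            while p < len(edata):
                plen = edata[p]
                alpn.append(edata[p + 1:p + 1 + plen].decode("ascii"))
                p += 1 + plen
    return sni, alpn


def route(data, routes):
    """Mimic the posted acl: case-insensitive SNI match -> backend name, else None."""
    parsed = parse_client_hello(data)
    if parsed is None or parsed[0] is None:
        return None                                   # no SNI: nothing to match on
    return routes.get(parsed[0].lower())


if __name__ == "__main__":
    hello = build_client_hello("a.domain.i.own.com", ["h2", "http/1.1"])
    print(parse_client_hello(hello))
    print(route(hello, {"a.domain.i.own.com": "alb_external_ssl"}))
```

Running it shows the SNI used for routing and, next to it, the client's ALPN offer. Since the proxy in the posted config forwards the ClientHello unchanged, that ALPN list reaches the ALB as-is, which is why a TCP-mode HAProxy has no say in whether the client and the ALB settle on h2 or http/1.1; only the TLS terminator does.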


#6

Unless you want to test a particular feature or bug fix, I suggest you use a stable release from haproxy.org instead (1.8.13 currently). There is no point in running a development release otherwise.

How do you know it's H2? Where do you see this error, in the browser?

You have provided a very limited picture of what you are trying to do and I am not sure what you mean here.

Please explain what the entire setup is supposed to accomplish and share the complete configuration.

And why does it exit? Does it segfault, does it get oom-killed?


#7

Actually, some of the latest HTTP/2 fixes resolved the issue.

All good now.