HAProxy community

Backend 80 and 433 mixed

I have some servers behind the haproxy on the same network with ssl offloading working properly.
Now I’m adding a remote AWS server to this backend. This is what I’m adding, with no luck, for the backend:

backend awsmix
balance leastconn
cookie PHPSESSID prefix nocache
server web1 10.0.0.1:80 cookie 0F12 check weight 20
server web2 10.0.0.2:80 cookie D274 check weight 20
server awsa mydomain.com:443 cookie 8S5Q check weight 10

As server awsa is outside my datacenter, I want it to be an SSL connection. In any case, I can’t see any request reaching the “server awsa”.

Does anyone have this setup working? Thanks

Hello,

First of all, are you able to resolve “mydomain.com” from your haproxy server? (If not, it’s a DNS resolution issue.)
You can check it with:

nslookup mydomain.com

If yes, could you perform the following command:

telnet mydomain.com 443

Then if it doesn’t work, it could be related to firewalling

Regards

Hi julinux

Good point, and yes, my haproxy server reaches/resolves the domain name, and there is no firewall on the destination server for ports 80 or 443. I tested as you proposed.

Do you have any other ideas?
Thanks in advance

Ok that’s a good start :)
Now have you tried to force your traffic only to your aws server by commenting out the two other nodes to see what happens?
I see it has a lower weight, you could also try to increase it in order to have more chance to be redirected to it.

I got it working by changing the server line to

server awsa mydomain.com:443 cookie 8S5Qcheck check-ssl verify none weight 15

but this was not my intent, as I want to get SSL validation, not the "verify none" option.

Removing the "verify none" and adding

server awsa mydomain.com:443 cookie 8S5Q check ssl verify required ca-file /etc/ssl/ca.crt weight 15

This is failing, where ca.crt is the file from the issuer that I got here: https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt. This CA works for me on the command line but does not allow me to get this server working on the backend.

When using

server awsa mydomain.com:443 cookie 8S5Q check ssl verify required ca-file /etc/ssl/ca.crt weight 15

What do you get in return? Is the server seen as available or not in haproxy stats (if you enabled it)?
When you say it is failing, what do you see?
Also, if you use ssl, I think you should specify the port in your check option, like:

check port 443 ssl verify required ca-file /etc/ssl/ca.crt weight 15
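
For reference, the backend from the first post with the verified server line the thread is working toward, next to the "verify none" variant. This is an added example, not a configuration posted by anyone in the thread. It assumes the ca-file is a bundle that contains the root CA the server's chain ends at (the path /etc/ssl/certs/ca-certificates.crt is an assumption, the usual Debian/Ubuntu location) and a HAProxy version that supports check-sni (1.8 or later).

```haproxy
backend awsmix
    balance leastconn
    cookie PHPSESSID prefix nocache

    # Local servers on the trusted network: plain HTTP, as in the original post.
    server web1 10.0.0.1:80 cookie 0F12 check weight 20
    server web2 10.0.0.2:80 cookie D274 check weight 20

    # Weak variant (kept commented out): traffic is encrypted, but the
    # certificate is never validated, so whatever answers on that address
    # is accepted as the backend.
    # server awsa mydomain.com:443 cookie 8S5Q check ssl verify none weight 15

    # Verified variant for the server outside the datacenter:
    #   ssl               encrypt traffic to the server; health checks inherit
    #                     TLS as long as the check port/addr is not overridden
    #   verify required   mark the server down unless its chain validates
    #   ca-file           trust anchors; assumed here to be a bundle that
    #                     includes the root CA, not only the intermediate
    #   verifyhost        require the certificate to be issued for this name
    #   sni / check-sni   send the hostname in the TLS handshake for traffic
    #                     and for health checks, in case the remote host
    #                     serves more than one certificate
    server awsa mydomain.com:443 cookie 8S5Q weight 15 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt verifyhost mydomain.com sni str(mydomain.com) check check-sni mydomain.com
```

Running `haproxy -c -f <config file>` checks the syntax before a reload; the stats page or the log then shows whether the health check for awsa fails at the TLS layer.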