HAProxy community

Backend using https on different port


#1

Hello, we have backend servers that respond to something like

https://servername1.domain.com:9900/someurl
https://servername2.domain.com:9900/someurl

I’m having a hard time figuring out how to get it to work. I’d like to hit http://haproxy.domain.com/someurl, or even http://haproxy.domain.com:9900/someurl.

I’ve tried every iteration that I can find in the haproxy.conf, but nothing seems to work.

This is my current config, which I know is incorrect, but just to let you know where I’m at:

    frontend localnodes
        bind *:80
        bind *:9900
        option tcplog
        mode tcp
        default_backend nodes

    backend nodes
        mode tcp
        balance roundrobin
        option tcp-check
        server servername1 12.12.12.12:9900 check


#2

I don’t see anything wrong with your configuration, I assume the problem is elsewhere.

First of all: what’s happening when you do the above? Any error messages from browser/curl?

Also, what’s the output from the equivalent of:

curl -v http://12.12.12.12:9900/someurl

Your backend server may require a particular Host header for example.


#3

I can hit my backend servers through a browser just fine. On the HAProxy machine, I can curl successfully to the backend servers as well and get the expected response. In the configuration I put above, there was no browser output. I’ve changed it to the following:

    frontend localnodes
        bind 192.168.231.236:9900
        mode tcp
        default_backend nodes

    backend nodes
        server servername1 12.12.12.12:9900 check ssl verify none

And I get 502 Bad Gateway
The server returned an invalid or incomplete response.

I’d like to leave certificates out of haproxy, and just have it pass everything to the backend. I apologize in advance for switching the config around, just trying anything at this point :)


#4

Is the 9900 port on your backend server HTTPS?

What this test was supposed to show is whether you can curl to your backend server by using the ip address only, instead of the hostname, to check whether or not the backend server needs Host header or SNI.

Does it work when you curl with the IP address only?

Please remove the check keyword from the server configuration for now; you don’t need another variable in there if nothing works in the first place.

I also suggest you enable logging in haproxy.


#5

Understood. I’m able to curl to the back side machine via both IP address and hostname, as well as FQDN.

Done, no change.

I’m working on that now. Thank you for the assistance!


#6

This may be an SSL issue at this point. Can you provide the output of haproxy -vv as well as your default/global configuration? The (successful) curl -v output regarding the SSL handshake would help as well as ultimately a tcpdump capture between haproxy and the backend server (something like tcpdump -pns0 -w ssl.cap port 9900).
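
The two setups this thread moves between, side by side, as an added example that is not from any of the posters: TLS passthrough, where HAProxy holds no certificate and clients must connect with https://, and backend re-encryption, where clients use plain HTTP and HAProxy opens the TLS session to the backend itself. Addresses and hostnames are those from the posts; the names localnodes_http and nodes_tls and the CA file path are placeholders, and `verify required` stands in for the thread's `verify none` so that the backend certificate is actually checked.

```haproxy
# Added example, not a configuration from the thread.

# Option A: TLS passthrough.
# HAProxy relays the encrypted bytes unchanged and needs no certificate.
# The client has to use https://haproxy.domain.com:9900/someurl, and the
# certificate it sees is the backend's own.
frontend localnodes
    mode tcp
    option tcplog
    bind *:9900
    default_backend nodes

backend nodes
    mode tcp
    balance roundrobin
    # No "ssl" keyword here: the client's TLS session ends at the backend.
    server servername1 12.12.12.12:9900

# Option B: plain HTTP from the client, TLS from HAProxy to the backend.
# The client uses http://haproxy.domain.com/someurl.
frontend localnodes_http
    mode http
    option httplog
    bind *:80
    default_backend nodes_tls

backend nodes_tls
    mode http
    balance roundrobin
    # "ssl" makes HAProxy the TLS client. "sni" sends the server name the
    # backend certificate was issued for; "ca-file" is a placeholder path
    # to the CA that signed that certificate.
    server servername1 12.12.12.12:9900 ssl verify required ca-file /path/to/backend-ca.pem sni str(servername1.domain.com)
```

Option A matches the wish to keep certificates out of HAProxy but cannot serve an http:// URL; Option B serves the http:// URL but leaves the hop between client and HAProxy unencrypted.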