Cannot proxy websocket connection in HAproxy

Help!
1

I’m trying to proxy wss websocket connection from HAproxy to wss://demo.piesocket.com/v3/channel_1?api_key=oCdCMcMPQpbvNjUIzqtvF1d2X2okWpDQj4AwARJuAgtjhzKxVEjQU6IdCjwm&notify_self, but seems failing to achieve it due to “ssl handshake failure” error. I’m using self signed certificate.

In haproxy logs I can see errors:

“ssl handshake failure”

How I can resolve this and simply proxy Websockets on HTTPS from the root. (e.g. wss:///) to wss mentioned above?

Here is my code:

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
#   ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
#   ssl-default-bind-options no-sslv3

defaults
    log global
    mode    http
    option  httplog
    option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http


frontend haproxy
    bind *:80
#    bind *:443 ssl crt /etc/ssl/private/mydomain.pem
    bind *:443 ssl crt /etc/ssl/private/test.pem
    option tcplog

    monitor-uri /healthcheck
    monitor fail if { nbsrv(tomcat) eq 0 }

    http-request redirect scheme https unless { ssl_fc }

    acl is_root path -i /
    redirect location /hello/ImageServlet if is_root
    default_backend tomcat

    acl is_websocket hdr(Upgrade) -i WebSocket
    acl is_websocket hdr_beg(Host) -i wss
    use_backend websocket if is_websocket

backend tomcat
    balance roundrobin
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    option httpchk GET /hello/ImageServlet
    server node1 172.20.135.79:8080 check
    server node2 172.20.136.121:8080 check

backend websocket
    balance source
    option http-server-close
    option forceclose
    option tcplog
    option tcp-check
#    option ssl-hello-chk
#    http-request add-header X-Forwarded-Proto https if { ssl_fc }
 #   http-request set-header Host demo.piesocket.com
 #   http-request set-path /v3/channel_1?api_key=oCdCMcMPQpbvNjUIzqtvF1d2X2okWpDQj4AwARJuAgtjhzKxVEjQU6IdCjwm&notify_self
   server websocket1 demo.piesocket.com:443 verify none redir wss://demo.piesocket.com/v3/channel_1?api_key=oCdCMcMPQpbvNjUIzqtvF1d2X2okWpDQj4AwARJuAgtjhzKxVEjQU6IdCjwm&notify_self 
  #  server websocket1 demo.piesocket.com:443 verify none
4

Have you manged to fix the websocket connection? Please share the details. Thx in advance