HAProxy community

Can't connect to HTTPS frontend

I get the following error when attempting to access the https frontend url. I have not been able to pin down the configuration needed to resolve this issue:

Can’t connect securely to this page

This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website’s owner.

I have tried adding ssl force-tlsv* but still get the error. Any suggestions would be greatly appreciated.
( listen https_in :8443 ssl force-tlsv*)

root# haproxy -vv
HA-Proxy version 1.5.18 2016/05/10
Copyright 2000-2016 Willy Tarreau willy@haproxy.org

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
OPTIONS = USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

haproxy.cfg:

#---------------------------------------------------------------------
# HTTPS Site Configuration
#---------------------------------------------------------------------
listen https_in :8443
mode tcp
balance source # Load Balancing algorithm
http-request set-header X-Forwarded-Proto https
server server1 :8443 weight 1 maxconn 512 ssl verify none check
server server2 :8443 weight 1 maxconn 512 ssl verify none check

This configuration is wrong for multiple reasons; SSL-specific settings like ciphers or TLS versions are not your problem.

Can you explain what this configuration is supposed to achieve, especially regarding whether you want to pass SSL through or terminate on haproxy?

Thanks lukastribus, please bear with me, I am new to HAProxy. I want the frontend to serve as a load balancer to the backend servers. To be honest, I have no preference between SSL passthrough or termination. I just need to be able to access the https frontend. Could you explain what’s wrong with the configuration?
Thanks

You are not using SSL on the frontend (and the old-style listen configuration doesn’t even permit that), but you are specifying SSL on the server lines, so what you are doing is encrypting an already encrypted payload.

Ok, then let’s keep it simple, and use SSL passthrough:

Drop everything ssl and http related (you cannot add/set HTTP headers if you are only passing encrypted payload back and forth).

And let’s use a frontend/backend approach, not the old style listen configuration, it’s only a little longer and will probably be helpful later on:

frontend https_in
 bind :8443
 mode tcp
 default_backend https_servers

backend https_servers
 balance source
 server server1 :8443 weight 1 maxconn 512 check
 server server2 :8443 weight 1 maxconn 512 check

I updated the cfg as suggested but still get the same error when attempting to access the https frontend.

Below is my entire haproxy.cfg with IPs removed:

defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
#option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000

frontend http_in
bind :80
mode http
default_backend http_servers

backend http_servers
balance roundrobin
option httpchk /as/ui
option forwardfor
option http-keep-alive
server server1 :8080 weight 1 maxconn 512 check
server server2 :8080 weight 1 maxconn 512 check

frontend https_in
bind :8443
mode tcp
option tcplog
default_backend https_servers

backend https_servers
balance source
server server1 :8443 weight 1 maxconn 512 check
server server2 :8443 weight 1 maxconn 512 check

What error? Outdated or unsafe TLS security settings? Other than the specific browser refusing the connection, does SSL work? What is the output of curl -vv https://... against haproxy?

Haproxy is not doing anything SSL/TLS related. In this configuration you are transparently passing TCP packets back and forth, so if outdated/unsafe TLS warnings are the only problem, then you need to fix the backend servers (or intercept TLS instead of passing it through).

Yes, the outdated or unsafe security settings.

The results of the curl -vv against haproxy
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* NSS error -12263 (SSL_ERROR_RX_RECORD_TOO_LONG)
* SSL received a record that exceeded the maximum permissible length.
* Closing connection 0

I’m researching the curl error… what parameter would I need to use intercept TLS?

Well, clearly SSL doesn’t work. SSL_ERROR_RX_RECORD_TOO_LONG means that you are not really connecting to a service that responds with proper SSL, and that’s also the reason for the unsafe messages in the browser.

What does curl -vv https:// against the backend server on port 8443 show, without haproxy in the mix?
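Why a reply that is not TLS surfaces as SSL_ERROR_RX_RECORD_TOO_LONG, shown as an added example that is not part of the original posts: a TLS client reads the first five bytes of the reply as a record header, and the ASCII bytes of `HTTP/` decode to a length above the protocol maximum. The sample replies are constructed and the function names are hypothetical.

```python
import struct

# Largest record length a TLS 1.2 client accepts (RFC 5246, section 6.2.3).
MAX_CIPHERTEXT = 2**14 + 2048
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}


def parse_record_header(data: bytes):
    """Decode the 5-byte TLS record header: type, (major, minor), length."""
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return ctype, (major, minor), length


def diagnose(data: bytes) -> str:
    """Classify the first bytes of a server reply as a TLS client would."""
    if len(data) < 5:
        return "short"
    ctype, (major, _minor), length = parse_record_header(data)
    if length > MAX_CIPHERTEXT:
        return "record_too_long"      # what NSS reports as error -12263
    if ctype not in CONTENT_TYPES or major != 3:
        return "not_tls"
    return "tls"


# Constructed samples: a plaintext HTTP error reply and a handshake record.
PLAINTEXT_REPLY = b"HTTP/1.0 400 Bad request\r\nConnection: close\r\n\r\n"
TLS_REPLY = bytes([0x16, 0x03, 0x03, 0x00, 0x51]) + b"\x00" * 0x51

if __name__ == "__main__":
    for name, blob in (("plaintext", PLAINTEXT_REPLY), ("tls", TLS_REPLY)):
        ctype, version, length = parse_record_header(blob)
        print(f"{name}: type={ctype} version={version} length={length} "
              f"-> {diagnose(blob)}")
```

Seeing this result against a port that is supposed to speak TLS means something in the path answered in cleartext, so cipher and protocol-version settings are not the place to look.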

curl -vv for the https backend:

* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
* NSS error -8156 (SEC_ERROR_CA_CERT_INVALID)
* Issuer certificate is invalid.
* Closing connection 0
curl: (60) Issuer certificate is invalid.

curl -vv for the https backend with the --insecure flag

* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:

> GET /as/ui HTTP/1.1
> User-Agent: curl/7.29.0
> Host: :8443
> Accept: */*

< HTTP/1.1 302 Found
< Connection: keep-alive
< Vary: Accept-Encoding
< Strict-Transport-Security: max-age=600; includeSubDomains
< Location: https://:8443/as/ui/
< Content-Length: 0
< Date: Thu, 19 Mar 2020 18:29:22 GMT

Server names and related info have been removed. So, it looks like a certificate issue. Is there a parameter that will allow an insecure https connection?

No, it’s not. The output of the two curl calls is totally different.

Enable logging as per (just in tcpmode instead) and provide the output of the haproxy log while you are trying to make a HTTPS request.

I have stats enabled, didn’t think it was pertinent to share that section of the configuration for this issue. I have the output from the haproxy-access.log. Disclaimer, I have no experience with setting up proxy servers and I am not very knowledgeable when it comes to ssl. The Configuration manual (I have version 1.5.18 installed on RHEL 7.5) often leads to more questions than answers. Just let me know if you’re looking for something else from the log.

Mar 19 16:36:35 localhost haproxy[4478]: :51544 [19/Mar/2020:16:36:35.810] https_in https_servers/ -1/-1/4 187 PR 0/0/0/0/3 0/0
Mar 19 16:36:35 localhost haproxy[4478]: :51545 [19/Mar/2020:16:36:35.887] https_in https_servers/ -1/-1/0 187 PR 0/0/0/0/3 0/0
Mar 19 16:36:36 localhost haproxy[4478]: :51549 [19/Mar/2020:16:36:36.863] https_in https_servers/ -1/-1/0 187 PR 0/0/0/0/3 0/0
Mar 19 16:36:36 localhost haproxy[4478]: :51550 [19/Mar/2020:16:36:36.939] https_in https_servers/ -1/-1/0 187 PR 0/0/0/0/3 0/0
Mar 19 16:36:37 localhost haproxy[4478]: :51552 [19/Mar/2020:16:36:37.240] https_in https_servers/ -1/-1/5 187 PR 0/0/0/0/3 0/0
Mar 19 16:36:37 localhost haproxy[4478]: :51553 [19/Mar/2020:16:36:37.316] https_in https_servers/ -1/-1/0 187 PR 0/0/0/0/3 0/0
Mar 19 16:36:37 localhost haproxy[4478]: :51560 [19/Mar/2020:16:36:37.904] https_in https_servers/ -1/-1/0 187 PR 2/2/2/0/3 0/0
Mar 19 16:36:37 localhost haproxy[4478]: :51559 [19/Mar/2020:16:36:37.905] https_in https_servers/ -1/-1/0 187 PR 1/1/1/0/3 0/0
Mar 19 16:36:37 localhost haproxy[4478]: :51558 [19/Mar/2020:16:36:37.904] https_in https_servers/ -1/-1/0 187 PR 0/0/0/0/3 0/0
Mar 19 16:36:37 localhost haproxy[4478]: :51563 [19/Mar/2020:16:36:37.972] https_in https_servers/ -1/-1/0 187 PR 2/2/2/0/3 0/0
Mar 19 16:36:37 localhost haproxy[4478]: :51562 [19/Mar/2020:16:36:37.972] https_in https_servers/ -1/-1/0 187 PR 1/1/1/0/3 0/0
Mar 19 16:36:37 localhost haproxy[4478]: :51561 [19/Mar/2020:16:36:37.972] https_in https_servers/ -1/-1/0 187 PR 0/0/0/0/3 0/0
Mar 19 16:36:38 localhost haproxy[4478]: :51567 [19/Mar/2020:16:36:38.041] https_in https_servers/ -1/-1/0 187 PR 0/0/0/0/3 0/0
Mar 19 16:36:38 localhost haproxy[4478]: :51568 [19/Mar/2020:16:36:38.108] https_in https_servers/ -1/-1/0 187 PR 0/0/0/0/3 0/0
Mar 19 16:36:38 localhost haproxy[4478]: :51570 [19/Mar/2020:16:36:38.260] https_in https_servers/ -1/-1/5 187 PR 0/0/0/0/3 0/0
Mar 19 16:36:38 localhost haproxy[4478]: :51571 [19/Mar/2020:16:36:38.340] https_in https_servers/ -1/-1/0 187 PR 0/0/0/0/3 0/0
Mar 19 16:36:38 localhost haproxy[4478]: :51573 [19/Mar/2020:16:36:38.488] https_in https_servers/ -1/-1/4 187 PR 0/0/0/0/3 0/0
Mar 19 16:36:38 localhost haproxy[4478]: :51574 [19/Mar/2020:16:36:38.564] https_in https_servers/ -1/-1/0 187 PR 0/0/0/0/3 0/0

backend https_servers also needs mode tcp, that’s why we see PR return codes here.

That was it. Thank you so much for all of your help!!
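The mismatch found above (a `mode tcp` frontend routing to a backend that inherits `mode http` from `defaults`) can be caught before a reload. The following is an added example, not part of the thread or of HAProxy itself: the function names are hypothetical, and the sample config is constructed from the one posted above with placeholder 192.0.2.x addresses.

```python
PROXY_SECTIONS = ("frontend", "backend", "listen")


def effective_modes(cfg: str):
    """Return ({proxy: effective mode}, {proxy: [backends it routes to]})."""
    default_mode = "tcp"   # HAProxy's built-in mode when none is configured
    modes, routes, current, in_defaults = {}, {}, None, False
    for raw in cfg.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        key = words[0]
        if key in PROXY_SECTIONS + ("defaults", "global"):
            in_defaults, current = key == "defaults", None
            if in_defaults:
                default_mode = "tcp"   # a new defaults section starts fresh
            elif key in PROXY_SECTIONS and len(words) > 1:
                current = words[1]
                modes[current] = default_mode   # inherited unless overridden
                routes[current] = []
        elif key == "mode" and len(words) > 1:
            if in_defaults:
                default_mode = words[1]
            elif current:
                modes[current] = words[1]
        elif key in ("default_backend", "use_backend") and current and len(words) > 1:
            routes[current].append(words[1])
    return modes, routes


def mode_mismatches(cfg: str):
    """List (frontend, mode, backend, mode) where the two modes differ."""
    modes, routes = effective_modes(cfg)
    return [(fe, modes[fe], be, modes[be])
            for fe, targets in routes.items() for be in targets
            if be in modes and modes[fe] != modes[be]]


# Constructed sample mirroring the thread's config (placeholder addresses).
CFG = """defaults
    mode http
frontend https_in
    bind :8443
    mode tcp
    default_backend https_servers
backend https_servers
    balance source
    server server1 192.0.2.11:8443 check
"""
FIXED = CFG.replace("backend https_servers\n", "backend https_servers\n    mode tcp\n")

if __name__ == "__main__":
    print(mode_mismatches(CFG), mode_mismatches(FIXED))
```

This assumes frontend and backend names are unique in the file.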
