Hello, experts.
I am configuring haproxy for load balancing between 2 websites. The websites are secured with HTTPS using self-signed certs only.
I believe I configured haproxy in pass-through mode. For the frontend I am using HTTP with a redirect, but it is not a requirement.
With my current setup I have to accept the certificates with every new session.
It is very annoying. I want to accept the certificates only one time. Please have a look at my config and suggest what I am doing wrong.
Thank you
#------------------- GLOBAL SETTINGS ---------------------------
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    log 127.0.0.1 local0 debug
    maxconn 4096
    user haproxy
    group haproxy
    daemon
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    tune.ssl.default-dh-param 4096

defaults
    log global
    mode http
    option httplog
    option dontlognull
    retries 3
    option redispatch
    maxconn 2000
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    timeout http-request 5s
    option forwardfor
    option http-server-close

#------------------- FRONTEND HTTP ---------------------------
frontend http_in
    mode http
    option httplog
    bind *:80
    stats enable
    acl inter_acl hdr(Host) -i inter.apprenti.com
    reqrep ^GET\ /\ HTTP/1.1 ^GET\ /zim-interaction-server-front/\#/call/5746cc51e4b0c2b2ea4be41a/2001\ HTTP/1.1 if inter_acl
    redirect scheme https if { hdr(Host) -i inter.apprenti.com } !{ ssl_fc }

#------------------- FRONTEND TCP ---------------------------
frontend tcp_in
    mode tcp
    option tcplog
    bind *:8444
    bind *:8445
    bind *:443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl inter_acl req.ssl_sni -i inter.apprenti.com
    use_backend special_Interaction if inter_acl

backend special_Interaction
    mode tcp
    option tcplog
    balance roundrobin
    # maximum SSL session ID length is 32 bytes.
    stick-table type binary len 32 size 30k expire 30m
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2
    # use tcp content accepts to detect ssl client and server hello.
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello
    # no timeout on response inspect delay by default.
    tcp-response content accept if serverhello
    server Interaction1 172.31.14.158:443 check
    server Interaction2 172.31.14.156:443 check
    # SSL session ID (SSLID) may be present on a client or server hello.
    # Its length is coded on 1 byte at offset 43 and its value starts
    # at offset 44. Match and learn on request if client hello.
    stick on payload_lv(43,1) if clienthello
    # Learn on response if server hello.
    stick store-response payload_lv(43,1) if serverhello
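As an added illustration (not part of the original post), here is a small Python parser showing what the `req_ssl_hello_type` / `rep_ssl_hello_type` and `payload_lv(43,1)` expressions in the config above actually look at in a TLS record: the handshake type byte, and the session-ID length at offset 43 with the value starting at offset 44. The hello records it is fed are constructed inline for testing, not real captures, and the layout assumed is a plain TLS 1.2 hello without a preceding record fragment.

```python
from typing import Optional

TLS_HANDSHAKE = 0x16   # record content type for handshake messages
CLIENT_HELLO = 1       # handshake type matched by req_ssl_hello_type 1
SERVER_HELLO = 2       # handshake type matched by rep_ssl_hello_type 2
# 5 (record header) + 4 (handshake header) + 2 (version) + 32 (random) = 43,
# the "length coded on 1 byte at offset 43" from the config comment.
SESSION_ID_LEN_OFFSET = 43


def hello_type(payload: bytes) -> Optional[int]:
    """Handshake type of the first TLS record, or None if it is not a
    handshake record at all (e.g. plain HTTP arriving on the TCP frontend)."""
    if len(payload) < 6 or payload[0] != TLS_HANDSHAKE:
        return None
    return payload[5]


def session_id(payload: bytes) -> Optional[bytes]:
    """The key payload_lv(43,1) would extract: one length byte at offset 43,
    value immediately after. None means there is nothing to stick on."""
    if hello_type(payload) not in (CLIENT_HELLO, SERVER_HELLO):
        return None
    if len(payload) <= SESSION_ID_LEN_OFFSET:
        return None
    n = payload[SESSION_ID_LEN_OFFSET]
    if n == 0 or n > 32:          # 0 = fresh session with no ID yet; >32 is malformed
        return None
    start = SESSION_ID_LEN_OFFSET + 1
    if len(payload) < start + n:  # truncated record, treat as no key
        return None
    return payload[start:start + n]


def build_hello(htype: int, sid: bytes) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello/ServerHello record for testing
    (sample input, not a real capture)."""
    body = b"\x03\x03" + bytes(32) + bytes([len(sid)]) + sid   # version, random, session ID
    if htype == CLIENT_HELLO:
        body += b"\x00\x02\x00\x2f" + b"\x01\x00" + b"\x00\x00"  # 1 cipher suite, null compression, no extensions
    else:
        body += b"\x00\x2f" + b"\x00" + b"\x00\x00"              # chosen suite, compression, no extensions
    handshake = bytes([htype]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x03]) + len(handshake).to_bytes(2, "big") + handshake
```

A ClientHello with an empty session ID (every brand-new browser session) yields no key, so the stick table cannot route it and the roundrobin balance decides which server, and therefore which self-signed certificate, the client sees.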