HAProxy community

Certificate/SSL termination problem


Hello, experts.
I am configuring haproxy for load balancing between 2 websites. Websites are secured with https self-signed certs only.
I believe I configured haproxy in pass-through mode. For frontend I am using http with redirect, but it is not a requirement.

With my current setup I have to accept certificates with every new session.
It is very annoying. I want to accept certificates only 1 time. Please have a look at my config and suggest what I am doing wrong.
Thank you

#------------------- GLOBAL SETTINGS ---------------------------
global
    # the syslog target address is missing from the posted log lines
    log local0
    log local1 notice
    log local0 debug
    maxconn 4096
    user haproxy
    group haproxy

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    tune.ssl.default-dh-param 4096

defaults
    log global
    mode http
    option httplog
    option dontlognull
    retries 3
    option redispatch
    maxconn 2000
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    timeout http-request 5s
    option forwardfor
    option http-server-close

#------------------- FRONTEND HTTP ---------------------------

frontend http_in
    mode http
    option httplog
    bind *:80
    stats enable

    acl inter_acl hdr(Host) -i inter.apprenti.com
    reqrep ^GET\ /\ HTTP/1.1 ^GET\ /zim-interaction-server-front/\#/call/5746cc51e4b0c2b2ea4be41a/2001\ HTTP/1.1  if inter_acl
    redirect scheme https if { hdr(Host) -i inter.apprenti.com } !{ ssl_fc }

#------------------- FRONTEND TCP ---------------------------

frontend tcp_in
    mode tcp
    option tcplog
    bind *:8444
    bind *:8445
    bind *:443

    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl inter_acl req.ssl_sni -i inter.apprenti.com
    use_backend special_Interaction if inter_acl

backend special_Interaction
    mode tcp
    option tcplog
    balance roundrobin

    # maximum SSL session ID length is 32 bytes.
    stick-table type binary len 32 size 30k expire 30m

    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2
    # use tcp content accepts to detect ssl client and server hello.
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello

    # no timeout on response inspect delay by default.
    tcp-response content accept if serverhello

    # SSL session ID (SSLID) may be present on a client or server hello.
    # Its length is coded on 1 byte at offset 43 and its value starts
    # at offset 44. Match and learn on request if client hello.
    stick on payload_lv(43,1) if clienthello

    # Learn on response if server hello.
    stick store-response payload_lv(43,1) if serverhello

    # the server addresses are missing from the posted lines
    server Interaction1 check
    server Interaction2 check

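To make the stick-table lines in that backend concrete, here is an added Python model (written for this page, not code from the poster or from HAProxy) of what `payload_lv(43,1)` extracts from a hello record and how `stick on` / `stick store-response` return a resuming client to the server that issued its session ID. The TLS records are constructed inline so it runs offline; `build_hello`, `ssl_session_id` and `StickTable` are names chosen for this example.

```python
# Added example: byte-level model of the session-ID stickiness in the posted backend.
# Offsets: TLS record header = bytes 0-4, handshake type = byte 5, length = 6-8,
# version = 9-10, random = 11-42, session_id_len = byte 43, session ID from byte 44.

def build_hello(hello_type: int, session_id: bytes) -> bytes:
    """Constructed minimal TLS 1.2 handshake record: 1 = ClientHello, 2 = ServerHello."""
    random = bytes(range(32))                                   # placeholder random
    tail = b"\x00\x02\xc0\x2f\x01\x00" if hello_type == 1 else b"\xc0\x2f\x00"
    body = b"\x03\x03" + random + bytes([len(session_id)]) + session_id + tail
    handshake = bytes([hello_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def ssl_session_id(payload: bytes, hello_type: int):
    """`*_ssl_hello_type N` combined with `payload_lv(43,1)`: returns the session ID."""
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != hello_type:
        return None                    # not a handshake record of the expected type
    length = payload[43]
    if length == 0 or len(payload) < 44 + length:
        return None                    # empty ID (fresh session) or truncated record
    return payload[44:44 + length]


class StickTable:
    """Toy `stick-table type binary len 32` in front of `balance roundrobin`."""

    def __init__(self, servers):
        self.servers, self.table, self.rr = list(servers), {}, 0

    def pick(self, client_hello: bytes) -> str:
        """`stick on payload_lv(43,1) if clienthello`: match, else round-robin and store."""
        sid = ssl_session_id(client_hello, 1)
        if sid is not None and sid[:32] in self.table:
            return self.table[sid[:32]]
        server = self.servers[self.rr % len(self.servers)]
        self.rr += 1
        if sid is not None:            # `stick on` also stores the request-side ID
            self.table[sid[:32]] = server
        return server

    def learn(self, server_hello: bytes, server: str) -> None:
        """`stick store-response payload_lv(43,1) if serverhello`: learn the issued ID."""
        sid = ssl_session_id(server_hello, 2)
        if sid is not None:
            self.table[sid[:32]] = server
```

A browser that reconnects with a session ID already in the table is sent to the same backend, so it keeps seeing the certificate it already accepted; a brand-new session (empty ID) is balanced round-robin and may land on the other backend with its other self-signed certificate.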

This is because you are using the same IP/DNS name to access the server, but the actual backend system is changing. Your browser sees this as a changed certificate and shows the error.

Why don’t you just import the self-signed certificates into your trust store?


Thank you for your reply. Just to clarify, should I import the certificates from the backend servers into the haproxy trust store, or into my browser?


1.) Export the certificate from the backend server
2.) Import the certificate into the trusted store of any client you wish to avoid errors.

HAProxy does NOT need the certificate