Order of the blocks in cloudflare.pem:
-----BEGIN PRIVATE KEY-----
…
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
GNU nano 8.1 /etc/haproxy/haproxy.cfg M
# Process-wide settings: logging, privilege drop, runtime socket and TLS defaults.
global
# Log to the local syslog socket: all levels on facility local0, and
# notice-and-above on facility local1.
log /dev/log local0
log /dev/log local1 notice
# Confine the process to this directory once startup has finished.
chroot /var/lib/haproxy
# Runtime API socket. "level admin" permits every runtime command, so any
# account able to write to the socket (mode 660: owner and group) can change
# the running proxy. Keep membership of that group minimal.
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
# Run as the unprivileged haproxy account rather than root.
user haproxy
group haproxy
daemon
# Default SSL material locations
# Relative CA and certificate paths are resolved against these directories.
# The :443 bind line in this file uses an absolute crt path, so crt-base does
# not apply to it.
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
# NOTE(review): the URL above selects the generator's "intermediate" profile for
# HAProxy 2.0.3, while the lines below set ssl-min-ver TLSv1.3 and list only
# TLS 1.3 cipher suites. Confirm that TLS 1.3-only is what is intended.
#
# Defaults for every "bind ... ssl" line. With TLS 1.3 as the minimum version,
# a client that cannot negotiate TLS 1.3 fails the handshake, which is worth
# checking when "SSL handshake failure" entries appear in the log.
# no-tls-tickets disables stateless session tickets; prefer-client-ciphers
# honours the client's cipher preference order.
ssl-default-bind-curves X25519:prime256v1:secp384r1
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options prefer-client-ciphers ssl-min-ver TLSv1.3 no-tls-tickets
# Defaults for "server" lines that carry the ssl keyword. The only server line
# in this file (backend http_back) has no ssl keyword, so these settings are
# currently unused.
ssl-default-server-curves X25519:prime256v1:secp384r1
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options ssl-min-ver TLSv1.3 no-tls-tickets
# Settings inherited by every frontend, backend and listen section below.
defaults
log global
mode http
option httplog
# Connections that carry no data are not logged. On an Internet-facing proxy
# this also hides port scans and empty probes from the log, so consider
# removing it if that visibility is wanted.
option dontlognull
# No unit is given, so these are milliseconds: 5 s to connect to a server,
# 50 s of inactivity on the client side and on the server side.
# NOTE(review): no "timeout http-request" is set in this section; adding one
# bounds how long a client may take to send its request headers.
timeout connect 5000
timeout client 50000
timeout server 50000
# Static response files returned for HAProxy-generated errors.
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
# Public entry point: accepts HTTP on :80 and TLS on :443, redirects plain
# HTTP to HTTPS, and forwards everything else to http_back.
frontend http_front
# "*" binds every IPv4 address on the host, so both ports are reachable
# directly and not only through a CDN in front of it.
# NOTE(review): if this origin is meant to be reached only via Cloudflare,
# restrict 80/443 to Cloudflare's address ranges at the firewall (confirm).
bind *:80
# cloudflare.pem bundles the private key with the certificate, so the file
# should be readable by root only (verify ownership and mode).
# NOTE(review): if this is a Cloudflare Origin CA certificate, clients other
# than Cloudflare's edge will not trust it (confirm which kind it is).
# The TLS version and cipher suites come from ssl-default-bind-* in "global".
# alpn offers HTTP/2 and HTTP/1.1 to the client.
bind *:443 ssl crt /etc/haproxy/certs/cloudflare.pem alpn h2,http/1.1
# ssl_fc is true when the client connection arrived over TLS; anything else is
# redirected to the https scheme.
http-request redirect scheme https unless { ssl_fc }
default_backend http_back
# Pool of application servers behind http_front (a single server here).
backend http_back
balance roundrobin
# "ip" looks like a redacted placeholder; the running config needs the real
# backend address here.
# There is no ssl keyword, so traffic from HAProxy to web1 is plain HTTP.
# Keep that hop on a trusted network, or add ssl plus certificate verification.
# "check" enables health checks. With no "option httpchk" in this backend it is
# a TCP connect check only. A server that fails its check is marked down and
# clients get a 503, so check web1's state on the stats page when requests do
# not reach the backend.
server web1 ip:8080 check
# Built-in statistics page.
listen stats
# Binds every IPv4 address and has no ssl keyword, so the page and its Basic
# auth credentials travel unencrypted and are reachable from any network that
# can reach this port. Prefer binding to 127.0.0.1 (or a management address),
# or restricting the port at the firewall.
bind *:1936
mode http
maxconn 10
stats enable
# Do not reveal the HAProxy version on the page.
stats hide-version
stats realm Haproxy\ Statistics
stats uri /
# HTTP Basic credentials in user:password form, stored in clear text in this
# file. admin:admin is trivially guessable; replace it with a unique, strong
# password before exposing the listener.
# No "stats admin" directive is present, so the page is read-only.
stats auth admin:admin
root@meetxdroplet:~# systemctl status haproxy.service
● haproxy.service - HAProxy Load Balancer
Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; preset: enabled)
Active: active (running) since Wed 2025-03-26 22:26:52 UTC; 22min ago
Invocation: 71532a1a655943e59bed3fd277b241b4
Docs: man:haproxy(1)
file:/usr/share/doc/haproxy/configuration.txt.gz
Main PID: 9002 (haproxy)
Status: “Ready.”
Tasks: 2 (limit: 2317)
Memory: 44.2M (peak: 44.4M)
CPU: 383ms
CGroup: /system.slice/haproxy.service
├─9002 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -S /run/haproxy-master.sock
└─9005 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -S /run/haproxy-master.sock
Mar 26 22:26:52 meetxdroplet systemd[1]: Starting haproxy.service - HAProxy Load Balancer…
Mar 26 22:26:52 meetxdroplet haproxy[9002]: [NOTICE] (9002) : New worker (9005) forked
Mar 26 22:26:52 meetxdroplet systemd[1]: Started haproxy.service - HAProxy Load Balancer.
Mar 26 22:26:52 meetxdroplet haproxy[9002]: [NOTICE] (9002) : Loading success.
Mar 26 22:27:32 meetxdroplet haproxy[9005]: 45.9.230.8:64936 [26/Mar/2025:22:27:32.107] http_front/2: SSL handshake failure
Mar 26 22:41:21 meetxdroplet haproxy[9005]: 45.9.230.8:65347 [26/Mar/2025:22:41:21.191] http_front/2: SSL handshake failure
I updated my HAProxy configuration, but requests are not reaching my backend servers.
Context: I’m running HAProxy 2.9 and trying to get HTTPS working.