HA proxy as reverse proxy - 502 bad gateway error


#1

We are trying to configure HAProxy to act as a reverse proxy for an SSL/TLS pass-through design, and now we are getting the error below when trying to access the site.

502 Bad Gateway
The server returned an invalid or incomplete response.

Looks like a certificate issue, but how do I fix this? When I run an openssl s_client command, I get the message

verify error:num=19:self signed certificate in certificate chain
I also tried running the curl command and the output is as attached. Can anyone please help?



#2

Share the configuration please. Did you install a valid certificate on haproxy?

The curl call is wrong:
curl -A **curl** -vvv ....


#3

I think I did, by following other articles on the web. How do I verify that I have a valid cert on HAProxy and that it is in the proper place?


#4

I ran the curl call as per your post; this is what I get now:

~]# curl -A -vvv https:
curl: (77) error setting certificate verify locations:
CAfile: /usr/share/ssl/certs/ca-bundle.crt
CApath: none


#5

I need you to share the haproxy configuration.

If you didn't pay money for the certificate, and you didn't set up a Let's Encrypt verification, you don't have a valid cert. You are also talking about SSL pass-through, so I don't know what you would like to do, and I also do not know what you have actually configured.

So, please do share your configuration.


#6

We paid for the cert and I have the cert with me. We also created a .pem file from the cert and uploaded it to /usr/share/ssl/certs/ and to /usr/local/share/ca-certificates/. Here's my config file:

global
    maxconn 4096
    user HRIS_HAProxy
    group HRIS_HAProxy
    daemon

defaults
    mode https
    option forwardfor
    option httplog
    log 127.0.0.1 local0 notice
    maxconn 2000
    timeout connect 5000
    timeout client 50000
    timeout server 50000

frontend http_fe
    mode http
    bind *:443
    default_backend sharepoint

backend sharepoint
    balance roundrobin
    option ssl-hello-chk
    #option redispatch
    mode tcp
    cookie SERVERID insert nocache
    server sharepointserver sharepointserverip:443 check


#7

So, now you need to decide what you would like to do with haproxy.

Would you like to forward port 443 to the sharepoint server, and let the sharepointserver handle SSL/HTTPS? So Haproxy does not intervene and just forwards?

Or do you want to intercept SSL on haproxy and forward HTTP to the sharepointserver?

Your configuration is wrong either way:

  • there is no mode https as you declared in the defaults section
  • you have mode http in the frontend but mode tcp in the backend. Use mode tcp everywhere (or just put it in the defaults section) to pass through SSL
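The two designs the previous post asks about, side by side, as an added example (this configuration is not from the thread or from the HAProxy project). The user, group, backend name and server address are taken from the posted config; the certificate path /etc/haproxy/certs/sharepoint.pem and the CA bundle path /etc/ssl/certs/ca-certificates.crt are assumptions. The two frontends both bind *:443, so keep exactly one of them in a real file. Note that in the pass-through variant HAProxy never decrypts anything, so no certificate needs to be installed on HAProxy at all, and HTTP-only features such as option forwardfor, option httplog and cookie insertion have no effect in mode tcp. In the termination variant the PEM file must contain the server certificate, its intermediate CA certificates and the private key; and if the backend is re-encrypted with verify required, the "self signed certificate in certificate chain" error seen with openssl s_client in post #1 will also be reported by HAProxy unless the issuing root is present in the ca-file.

```haproxy
global
    maxconn 4096
    user HRIS_HAProxy
    group HRIS_HAProxy
    daemon
    log 127.0.0.1 local0 notice

defaults
    log global
    maxconn 2000
    timeout connect 5000
    timeout client 50000
    timeout server 50000

# --- Option A: TLS pass-through -------------------------------------------
# HAProxy forwards the raw TLS stream; SharePoint does the handshake with
# its own certificate. mode tcp on both sides, no "ssl" on the bind line.
frontend https_passthrough
    mode tcp
    option tcplog
    bind *:443
    default_backend sharepoint_tcp

backend sharepoint_tcp
    mode tcp
    balance roundrobin
    # Health check sends a TLS ClientHello and expects a ServerHello back,
    # which is the right check for a backend that only speaks TLS.
    option ssl-hello-chk
    server sharepointserver sharepointserverip:443 check

# --- Option B: TLS termination on HAProxy ---------------------------------
# HAProxy owns the certificate (assumed path; cert + intermediates + key in
# one PEM) and talks HTTP to the backend, so HTTP features work again.
frontend https_terminate
    mode http
    option httplog
    option forwardfor
    bind *:443 ssl crt /etc/haproxy/certs/sharepoint.pem
    http-request set-header X-Forwarded-Proto https
    default_backend sharepoint_http

backend sharepoint_http
    mode http
    balance roundrobin
    cookie SERVERID insert indirect nocache
    # Re-encrypt to SharePoint on 443 and validate its chain against the
    # assumed CA bundle. Drop "ssl verify required ca-file ..." and use
    # port 80 if SharePoint also accepts plain HTTP from the proxy.
    server sharepointserver sharepointserverip:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt check cookie sp1
```

Validate whichever variant you keep with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; the "mode https" typo in the original config is exactly the kind of error that check reports.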

#8

Ok, so I corrected that. I changed the mode to http in defaults and changed it to tcp in the frontend and backend. Still the site doesn't work... same 502 Bad Gateway... anything I am still missing? Sorry, I am just new to HAProxy and Linux altogether...


#9

Why mode http in the default section? Use something like this:

global
 maxconn 4096
 user HRIS_HAProxy
 group HRIS_HAProxy
 daemon

defaults
 mode tcp
 log 127.0.0.1 local0 notice
 maxconn 2000
 timeout connect 5000
 timeout client 50000
 timeout server 50000

frontend http_fe
 bind *:443
 default_backend sharepoint

backend sharepoint
 balance roundrobin
 option ssl-hello-chk
 server sharepointserver sharepointserverip:443 check

#10

Ok, I made the changes per your post, but still the same error... any idea what I should do next?


#11

Check the haproxy logs; you are syslogging to 127.0.0.1 after all.

I assume the healthcheck may not work. Try removing the check keyword to confirm.
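Reading the logs is the right next step, and the most informative field in an HAProxy log line is the two-character termination state (for example "SC" or "sD"). The script below, an added example that is not from the thread or from the HAProxy project, parses lines in the default TCP log format that the recommended mode tcp configuration would produce and turns the flags into a plain-language diagnosis; the log lines in it are constructed to match the frontend http_fe, backend sharepoint and server sharepointserver from the thread. Two practitioner caveats: with mode tcp everywhere HAProxy cannot generate its own "502 Bad Gateway / The server returned an invalid or incomplete response" page, since that text is HAProxy's HTTP error page, so still seeing it after the change is a strong hint that the old configuration is still running (check with haproxy -c -f and reload); and a server name of <NOSRV> in the log means every backend server was marked DOWN, which is what a failing health check looks like.

```python
"""Classify HAProxy TCP-mode log lines by their termination-state flags.

Added example; not from the forum thread. The log lines below are
constructed to look like what 'option tcplog' writes for the thread's
frontend/backend names; nothing here is a real capture.
"""
import re
from collections import Counter

# Default TCP log format (HAProxy docs, section 8.2.2):
# client_ip:port [accept_date] frontend backend/server Tw/Tc/Tt bytes_read
# termination_state actconn/feconn/beconn/srv_conn/retries srv_queue/backend_queue
TCP_LOG_RE = re.compile(
    r"haproxy\[(?P<pid>\d+)\]: "
    r"(?P<client>\S+) \[(?P<accept>[^\]]+)\] "
    r"(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) "
    r"(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tt>-?\d+) "
    r"(?P<bytes>\d+) (?P<flags>\S\S) "
    r"(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srvconn>\d+)/(?P<retries>\d+) "
    r"(?P<srv_queue>\d+)/(?P<be_queue>\d+)"
)
INT_FIELDS = ("pid", "tw", "tc", "tt", "bytes", "actconn", "feconn",
              "beconn", "srvconn", "retries", "srv_queue", "be_queue")

# First flag character: what ended the session (HAProxy docs, section 8.5).
CAUSE = {
    "C": "client aborted", "S": "server aborted, refused, or connection failed",
    "P": "proxy aborted (invalid response, security check)",
    "L": "handled locally by haproxy", "R": "resource exhaustion on haproxy",
    "I": "internal error in haproxy", "D": "killed because server was detected DOWN",
    "U": "killed to move session to a recovered server", "K": "killed by an administrator",
    "c": "client-side timeout expired", "s": "server-side timeout expired",
    "-": "normal completion",
}
# Second flag character: what the session was doing when it ended.
PHASE = {
    "R": "waiting for the client's request", "Q": "queued waiting for a server slot",
    "C": "connecting to the server", "H": "waiting for response headers from the server",
    "D": "transferring data", "L": "sending the last data to the client",
    "T": "tarpitted", "-": "normal completion",
}

# Constructed sample: one healthy session, one connect refusal with 3 retries,
# one session with no server available, one server-side timeout mid-transfer.
SAMPLE_LOG = """\
Jan 10 10:00:00 lb1 haproxy[1234]: 192.0.2.10:51234 [10/Jan/2024:10:00:00.001] http_fe sharepoint/sharepointserver 0/1/152 4321 -- 1/1/0/0/0 0/0
Jan 10 10:00:05 lb1 haproxy[1234]: 192.0.2.10:51240 [10/Jan/2024:10:00:05.120] http_fe sharepoint/sharepointserver 0/-1/3 0 SC 1/1/0/0/3 0/0
Jan 10 10:00:10 lb1 haproxy[1234]: 192.0.2.10:51244 [10/Jan/2024:10:00:10.003] http_fe sharepoint/<NOSRV> 0/-1/1 0 SC 1/1/0/0/0 0/0
Jan 10 10:01:00 lb1 haproxy[1234]: 192.0.2.10:51250 [10/Jan/2024:10:00:09.500] http_fe sharepoint/sharepointserver 0/2/50004 812 sD 1/1/0/0/0 0/0
"""


def parse_tcp_log(line):
    """Return a dict of the TCP log fields, or None if the line is not one."""
    m = TCP_LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec


def explain_flags(flags):
    """Generic two-letter decode, e.g. 'SC' -> cause + phase."""
    cause = CAUSE.get(flags[0], "unknown cause %r" % flags[0])
    phase = PHASE.get(flags[1], "unknown phase %r" % flags[1])
    return "%s while %s" % (cause, phase)


def diagnose(rec):
    """Map the common failure signatures behind a 502/connection failure to an action."""
    flags = rec["flags"]
    if flags == "--":
        return "ok"
    if rec["server"] == "<NOSRV>":
        return "no usable server: every server in the backend is DOWN (health check failing) or none is configured"
    if flags == "SC":
        return ("connection to the server was refused or failed (Tc=%d, retries=%d): "
                "check the server address and port, firewalls, and that the backend really listens there"
                % (rec["tc"], rec["retries"]))
    if flags == "sC":
        return "connect timed out (timeout connect): host unreachable or silently filtered"
    if flags[0] == "s":
        return "server-side timeout (timeout server) while %s" % PHASE.get(flags[1], flags[1])
    if flags[0] == "c":
        return "client-side timeout (timeout client) while %s" % PHASE.get(flags[1], flags[1])
    return explain_flags(flags)


def summarize(log_text):
    """Count termination states and diagnose every parsable line."""
    records = [r for r in map(parse_tcp_log, log_text.splitlines()) if r]
    return {
        "flag_counts": Counter(r["flags"] for r in records),
        "findings": [(r["client"], r["flags"], diagnose(r)) for r in records],
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(dict(result["flag_counts"]))
    for client, flags, finding in result["findings"]:
        print("%-20s %s  %s" % (client, flags, finding))
```

Run it against real output with `grep haproxy /var/log/syslog | python3 haproxy_tcplog.py`-style plumbing by replacing SAMPLE_LOG with stdin; the point is that "SC" with Tc=-1 on every line means HAProxy never completed a TCP connect to the backend, which is a network or address problem rather than a certificate one.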