HAProxy L4 VIP for LDAP backend

Hi everyone,

Sorry to post for this, but I’m losing it trying to understand what’s happening with a very simple use-case that is not working as expected.
I’m working with HAProxy v3.0.2-a45a8e6 on RHEL8 and an OpenLDAP backend listening on port 636. HAProxy’s health-check is working properly, and OpenLDAP is also working correctly.

I did a very very (very) basic configuration for HAProxy to provide a TCP LB with one backend (!):

global
    log         /dev/log local0
    user        haproxy
    group       haproxy
    daemon

defaults
    mode tcp

frontend loadbalancer-ldap
    bind :636
    default_backend openldap

backend openldap
    balance     roundrobin
    server openldap1 <openldap1.fqdn>:636 ssl verify none

From the openldap server, with ldap client, I can connect to <openldap1.fqdn>:636 with ldaps scheme, but I can’t connect to haproxy.fqdn:636 (Can’t contact LDAP server (-1))
From the same openldap server, with openssl s_client to <openldap1.fqdn>:636, I can see the certificate provided by the server, but I got 0 bytes received from SSL handshake with openssl s_client to haproxy.fqdn:636
From the same openldap server, I can netcat haproxy.fqdn on port 636 (so machine and port are reachable)

Despite the warning on timeouts for client, server and connect, a check of configuration file is okay (but warning states that it should work, and actually I got a parallel config file which is the original and complete one where they are set and that is not working either).

I’m losing my mind on this, hope I may find help here.

Thanks in advance for the help!

Your intention is to connect port 636 on the frontend to 636 on the backend server - as is.

However, you configured haproxy to encrypt the traffic again, with another layer of SSL, by using the ssl keyword on the backend server configuration line, so haproxy will take the already encrypted traffic from the frontend and re-encrypt it with another SSL layer.

Your configuration must not contain the ssl keyword at all.

With the keyword “ssl”, I was trying to inform haproxy that the backend communication for health check had to be through SSL.
Indeed, replacing it with “check-ssl” did the trick, rookie mistake.

Too bad the check of configuration file doesn’t seem to verify that the “ssl” keyword on a backend server is associated with proper keyword(s) in the corresponding frontend to ensure proper decryption at frontend and re-encryption at backend. Maybe something to ask for.

Thanks so much Lukas.
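For reference, here are the two layouts discussed in this thread side by side: the TCP passthrough the original poster wanted (check-ssl, no ssl) and the terminate-and-re-encrypt layout where ssl on the server line is actually correct. This is an added example written for this thread, not configuration from the original poster or from the HAProxy project; the timeout values and the certificate paths under /etc/haproxy/certs/ are assumptions, and the two frontends are alternatives that should not both bind :636 in one running instance.

```haproxy
# Option A: TCP passthrough. Clients speak TLS end-to-end with OpenLDAP and
# HAProxy forwards the encrypted bytes untouched. Only the health check needs
# TLS from HAProxy itself, which is what check-ssl provides.
global
    log   /dev/log local0
    user  haproxy
    group haproxy
    daemon

defaults
    mode tcp
    # The timeouts the config check warned about (values are assumptions).
    timeout connect 5s
    timeout client  1m
    timeout server  1m

frontend loadbalancer-ldap
    bind :636
    default_backend openldap

backend openldap
    balance roundrobin
    # No "ssl" here: the client's TLS stream must not be wrapped a second time.
    # check-ssl makes only the health-check connection use TLS.
    server openldap1 <openldap1.fqdn>:636 check check-ssl verify none

# Option B (alternative to A, not in addition to it): terminate TLS on the
# frontend and re-encrypt towards the backend. Here "ssl" on the server line is
# right, because the frontend has already decrypted the traffic.
# Assumes haproxy.pem (certificate + key) and ldap-ca.pem exist.
frontend loadbalancer-ldap-terminated
    bind :636 ssl crt /etc/haproxy/certs/haproxy.pem
    default_backend openldap-reencrypt

backend openldap-reencrypt
    balance roundrobin
    # "verify required" with a CA file makes HAProxy refuse a backend that
    # presents an untrusted certificate, instead of the "verify none" shortcut.
    server openldap1 <openldap1.fqdn>:636 check ssl verify required ca-file /etc/haproxy/certs/ldap-ca.pem
```

In option A the backend certificate is checked by the LDAP client, not by HAProxy, so `verify none` there only loosens the health-check handshake; in option B HAProxy is the one trusting the backend, which is why the stricter `verify required` matters.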

No, because it is a valid configuration. It was wrong for your specific use-case as it did not match your intention, but that doesn’t mean it’s always wrong.

Haproxy configuration is very flexible but this comes with a price I guess.