I’m trying to set up an HTTPS/SSL frontend but HAProxy won’t start whenever I add in the ‘bind *:443 ssl crt /opt/certs/self.pem’ line. I’m not sure if there is something wrong with my config or if HAProxy doesn’t like the certificate. In saying that, I can’t see any certificate related errors in the log.
Version
HA-Proxy version 1.8.4-1deb90d 2018/02/08
Copyright 2000-2018 Willy Tarreau <willy@haproxy.org>
Config
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000

frontend http_front
    mode http
    bind *:80
    default_backend http_back

backend http_back
    balance roundrobin
    option httpchk GET /index.html
    http-check expect string WEB
    server web1 web1.domain.com:80 check
    server web2 web2.domain.com:80 check

listen stats
    bind :1234
    mode http
    stats enable
    stats hide-version
    stats uri /

frontend ssl_front
    bind *:443 ssl crt /opt/certs/self.pem
    default_backend ssl_back

backend ssl_back
    balance roundrobin
    server web1 web1.domain.com:443 check
    server web2 web2.domain.com:443 check
Certificate
I used known working certs and then tested with creating my own self-signed one, but I always get the same result. Below is how I created the PEM file.
Mar 31 20:01:23 centos4 haproxy: [ALERT] 089/200123 (39723) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
Mar 31 20:01:23 centos4 haproxy: [ALERT] 089/200123 (39723) : Fatal errors found in configuration.
Mar 31 20:01:23 centos4 haproxy: Errors found in configuration file, check it with 'haproxy check'.
Mar 31 20:01:23 centos4 systemd: haproxy.service: control process exited, code=exited status=1
haproxy -dV -f haproxy.cfg
[ALERT] 089/200256 (39900) : Error(s) found in configuration file : haproxy.cfg
[ALERT] 089/200256 (39900) : Fatal errors found in configuration.
Sure, see below… I must have missed this before, but I do see the ‘unknown keyword ‘ssl’’ error.
haproxy -vv
HA-Proxy version 1.8.4-1deb90d 2018/02/08
Copyright 2000-2018 Willy Tarreau <willy@haproxy.org>
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label
OPTIONS =
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built without PCRE or PCRE2 support (using libc's regex instead)
Built without compression support (neither USE_ZLIB nor USE_SLZ are set).
Compression algorithms supported : identity("identity")
Built with network namespace support.
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace
Ok, haproxy has been compiled without any additional libraries, like OpenSSL, PCRE or zlib. That’s why none of those features are available.
For OpenSSL (SSL) add USE_OPENSSL=1 to your make command. PCRE (USE_PCRE=1) and zlib for compression (USE_ZLIB=1) are other libraries that you may want to use.
Unless you see some OpenSSL information in haproxy -vv, haproxy has not been compiled with SSL support and therefore isn’t able to use it.
lukas@dev:~/haproxy$ ./haproxy -vv | grep OpenSSL
Built with OpenSSL version : OpenSSL 1.1.0h 27 Mar 2018
Running on OpenSSL version : OpenSSL 1.1.0h 27 Mar 2018
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
lukas@dev:~/haproxy$
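The check above is easy to automate before a deployment goes wrong. The following is an added example, not code from the thread or from the HAProxy project: it inspects saved `haproxy -vv` output for the "Built with OpenSSL version" line and refuses a config that uses `bind ... ssl` on a binary built without it. The sample config and the two `-vv` outputs are constructed for the demo, modelled on the ones posted in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: preflight check that refuses to deploy a
# haproxy.cfg containing "bind ... ssl crt ..." onto a haproxy binary that was
# built without OpenSSL (the cause of the "unknown keyword 'ssl'" error above).

# Return 0 if the given `haproxy -vv` output shows an OpenSSL build.
haproxy_has_ssl() {
  printf '%s\n' "$1" | grep -q '^Built with OpenSSL version'
}

# Return 0 if any bind line in the config file uses the ssl keyword.
config_uses_ssl() {
  grep -Eq '^[[:space:]]*bind[[:space:]].*[[:space:]]ssl([[:space:]]|$)' "$1"
}

# Print a verdict; return non-zero when the config needs SSL the binary lacks.
preflight() {
  vv_output=$1
  cfg=$2
  if ! config_uses_ssl "$cfg"; then
    echo "no-ssl-needed"
  elif haproxy_has_ssl "$vv_output"; then
    echo "ok"
  else
    echo "mismatch"
    return 1
  fi
}

# Constructed sample data: a config with an ssl bind, and two `haproxy -vv`
# outputs modelled on the thread (one built without OpenSSL, one with).
SAMPLE_CFG=$(mktemp)
cat >"$SAMPLE_CFG" <<'EOF'
frontend ssl_front
    bind *:443 ssl crt /opt/certs/self.pem
    default_backend ssl_back
EOF
VV_NO_SSL='HA-Proxy version 1.8.4-1deb90d 2018/02/08
Built without PCRE or PCRE2 support
Built without compression support (neither USE_ZLIB nor USE_SLZ are set).'
VV_WITH_SSL='HA-Proxy version 1.8.4-1deb90d 2018/02/08
Built with OpenSSL version : OpenSSL 1.1.0h 27 Mar 2018
Running on OpenSSL version : OpenSSL 1.1.0h 27 Mar 2018'

# Usage: run both cases; the first prints "mismatch", the second "ok".
preflight "$VV_NO_SSL" "$SAMPLE_CFG" || true
preflight "$VV_WITH_SSL" "$SAMPLE_CFG"
```

On a real host, feed it `"$(haproxy -vv)"` and the deployed config path, then still run `haproxy -c -f /etc/haproxy/haproxy.cfg` to catch the remaining syntax errors.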