Haproxy SSL to backend

isa · May 18, 2018, 9:00am

Hi

I have enabled SSL between Haproxy 1.5.18 and my JBoss Nodes. My config for this looks

backend jboss
balance roundrobin
mode http
server node1.com 10.0.0.1:8443 check ssl verify required ca-file /etc/pki/ca-trust/source/anchors/ca_chain.crt verifyhost www.app.com
server node2.com 10.0.0.2:8443 check ssl verify required ca-file /etc/pki/ca-trust/source/anchors/ca_chain.crt verifyhost www.app.com

note I have verifyhost www.app.com because both nodes use the same cert with the CN www.app.com. This helps with using one cert for many nodes.

The problem I am having is , in the jboss logs I see alot (every sec) of debug Warnings

Connection reset by peer

any idea whats the issue here

lukastribus · May 18, 2018, 10:31am

Can you confirm it actually works? You are only looking to fix the debug warnings, right?

This is most likely caused by the TCP level haproxy health checks. Try enabling HTTP health checks (but make sure they actually succeed) with option httpchk.

isa · May 18, 2018, 11:21am

Yes the SSL connection does work

isa · May 18, 2018, 11:32am

So what you saying is change my config to the below?

backend jboss
balance roundrobin
mode http
option httpchk
server node1.com 10.0.0.1:8443  ssl verify required ca-file /etc/pki/ca-trust/source/anchors/ca_chain.crt verifyhost www.app.com
server node2.com 10.0.0.2:8443  ssl verify required ca-file /etc/pki/ca-trust/source/anchors/ca_chain.crt verifyhost www.app.com

lukastribus · May 18, 2018, 11:48am

Just add option httpchk. You need to leave the check keyword for each server, otherwise you disabled health checking.

isa · May 18, 2018, 11:58am

yeah that’s what I thought but when I leave the check key word it still gives the SSL message.

removing the check key word does disable the health checking.

lukastribus · May 18, 2018, 5:30pm

So with option httpchk in the configuration and check keyword on the server line, you still see this message?

And when the check keyword is removed and therfor, heatlh checking does not work, can you confirm the error message is gone?

isa · May 21, 2018, 6:36am

So with option httpchk in the configuration and check keyword on the server line, you still see this message?
Yes

And when the check keyword is removed and therfor, heatlh checking does not work, can you confirm the error message is gone?
Yes Error Message gone

Topic		Replies	Views
Http to https site with balancing Help!	24	3586	November 10, 2018
Use https servers in backend section Help!	1	388	May 29, 2020
SSL Handshake issue Help!	9	6929	May 23, 2018
Backend SSL usage, how? Help!	2	311	February 15, 2022
Is 'ssl verify none' work for self-signed certificate in tcp mode helthcheck? Help!	18	47279	December 16, 2020

Haproxy SSL to backend

Related Topics