Haproxy w/ssl 'SSL handshake failure'

strig · February 9, 2023, 2:24am

I’ve had haproxy working with a non-ssl/tls frontend for some time. Just recently I was tasked to have haproxy listen for https connections specifically. I’m troubled with the error haproxy-ssl/1: SSL handshake failure regardless of the changes I make to my configuration. I’m hoping someone here can help!

What I am trying to accomplish is:

client -> haproxy (http/https) -> tinyproxy (http) -> internet

haproxy -vv
HAProxy version 2.4.18-0ubuntu1.1 2023/01/19 - https://haproxy.org/
Running on: Linux 5.15.0-56-generic #62-Ubuntu SMP Tue Nov 22 19:54:14 UTC 2022 x86_64
...

global
	log /dev/log	local0
	log /dev/log	local1 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
	stats timeout 30s
	user haproxy
	group haproxy
	daemon

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    	ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    	ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    	ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

    	ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    	ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    	ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

    	# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
    	ssl-dh-param-file /etc/haproxy/dhparam

defaults
	log	global
	mode	http
	option	httplog
	option	dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

frontend haproxy
    bind *:8008
    default_backend tinyproxy

#
# cat /etc/letsencrypt/live/sfre.io/fullchain.pem  /etc/letsencrypt/live/sfre.io/privkey.pem  /etc/haproxy/lets-encrypt-r3.pem > /etc/ssl/private/site.pem
#
frontend haproxy-ssl
    bind *:8181 ssl crt site.pem alpn h2,http/1.1
    http-request set-header X-Forwarded-For %[src]
    http-request add-header X-Forwarded-Proto https
    option http-server-close
    default_backend tinyproxy

backend tinyproxy
    mode http
    server haha90 192.168.1.90:8888 verify none

curl -vv --proxy haha90:8181 https://vox.com
*   Trying 192.168.1.90:8181...
* Connected to haha90 (192.168.1.90) port 8181 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to vox.com:443
> CONNECT vox.com:443 HTTP/1.1
> Host: vox.com:443
> User-Agent: curl/7.77.0
> Proxy-Connection: Keep-Alive
>
* Proxy CONNECT aborted
* CONNECT phase completed!
* Closing connection 0
curl: (56) Proxy CONNECT aborted
hello:/tmp>curl -vv --proxy haha90:8181 https://vox.com
*   Trying 192.168.1.90:8181...
* Connected to haha90 (192.168.1.90) port 8181 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to vox.com:443
> CONNECT vox.com:443 HTTP/1.1
> Host: vox.com:443
> User-Agent: curl/7.77.0
> Proxy-Connection: Keep-Alive
>
* Proxy CONNECT aborted
* CONNECT phase completed!
* Closing connection 0
curl: (56) Proxy CONNECT aborted

tail -f /var/log/haproxy.log:

Feb  8 18:23:02 haha90 haproxy[436294]: 192.168.1.15:54459 [08/Feb/2023:18:23:02.203] haproxy-ssl/1: SSL handshake failure

stormrover · February 9, 2023, 12:30pm

I’m not sure it’s possible to use HAProxy as a forward proxy. I see generate-certificates in the configuration manual that might be useful in this case.

Edit: Not sure if you can use HAProxy with SSL as a forward proxy.

strig · February 10, 2023, 5:19pm

While I’m not finding much about my issue with search, and the mentions of using haproxy this way are few, I continue to move ahead thinking this might be possible. If it isn’t I’d like to gain an understanding of why it isn’t.

I believe it’s possible because I can configure mode http with bind ... crt --and additionally there are many mentions of using haproxy w/tls in various configurations.

Not getting much help here and unsure why. Is there something additional I should be providing?

stormrover · February 10, 2023, 5:40pm

Looking at your workflow and your server line, looks like you intend to use SSL but didn’t explicitly say it, and I don’t think verify none assumes the ssl part. Try adding ssl to your backend.

backend tinyproxy
    mode http
    server haha90 192.168.1.90:8888 ssl verify none

Topic		Replies	Views
CRITICAL - HAProxy SSL Handshake failure issue Help!	2	1743	May 3, 2023
Haproxy 1.8.8 SSL handshake failure Help!	0	1898	July 18, 2018
Trying to install SSL Cert for use with HAPROXY. No luck Help!	10	9924	January 7, 2019
SSL handshake failure Help!	3	1696	June 22, 2017
Tons of "ssl_termination/1: SSL handshake failure" Help!	6	1188	September 20, 2019

Haproxy w/ssl 'SSL handshake failure'

Related Topics