rautpr
1
Hi Team, I have the below configuration and am getting an SSL error in my Python code.
frontend http-in
bind *:443
mode tcp
option tcplog
timeout connect 10s
timeout client 20m
timeout server 20m
maxconn 10000
acl sub_qaws hdr(host) -i qaws.domain.com
acl sub_pdws hdr(host) -i pdws.domain.com
use_backend be_d1 if sub_qaws
use_backend be_d2 if sub_pdws
backend be_d1
server D1M1 qaws.domain.com:443
backend be_d2
server D2M1 pdws.domain.com:443
Error Message:
Caused by SSLError(SSLEOFError(8, ‘EOF occurred in violation of protocol (_ssl.c:1131)’))
But if I remove the ACL entries and just keep a single backend server, it works perfectly fine.
Can someone please help here and let me know the exact root cause of this issue?
jerome
2
You can’t use hdr(host)-based ACLs here, as HAProxy does not see the HTTP requests/responses because it does not terminate TLS.
Either you terminate TLS, or you use the SNI for your use_backend rules, with req.ssl_sni:
use_backend be_d1 if { req.ssl_sni qaws.domain.com }
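The first of the two options jerome names, terminating TLS on HAProxy so that the Host header becomes visible and the original hdr(host) ACLs work, written out as an added example (not configuration from the thread). The certificate and CA bundle paths are placeholders; the backends are assumed to speak TLS on 443 as in the original config, so the connection is re-encrypted and the origin certificate is verified rather than passed blindly:

```haproxy
# Added example (not from the thread): TLS terminated at HAProxy.
# Because the proxy now sees plaintext HTTP, mode http and hdr(host) apply.
defaults
    mode http
    option httplog
    timeout connect 10s
    timeout client 20m
    timeout server 20m

frontend https-in
    # Placeholder path: combined cert + key PEM for qaws/pdws.domain.com
    bind *:443 ssl crt /etc/haproxy/certs/domain.com.pem
    maxconn 10000
    http-request set-header X-Forwarded-Proto https
    acl sub_qaws hdr(host) -i qaws.domain.com
    acl sub_pdws hdr(host) -i pdws.domain.com
    use_backend be_d1 if sub_qaws
    use_backend be_d2 if sub_pdws
    # Explicit fallback: an unknown Host gets a 403 instead of being routed
    # to whichever backend happens to be first.
    default_backend be_reject

backend be_d1
    # Re-encrypt to the origin, present the right SNI, and verify its chain
    # (CA bundle path is a placeholder for your distribution's bundle).
    server D1M1 qaws.domain.com:443 ssl sni str(qaws.domain.com) verify required ca-file /etc/ssl/certs/ca-certificates.crt

backend be_d2
    server D2M1 pdws.domain.com:443 ssl sni str(pdws.domain.com) verify required ca-file /etc/ssl/certs/ca-certificates.crt

backend be_reject
    http-request deny
```

With the original tcp-mode frontend, the hdr(host) ACLs can never match, so no backend is selected and, with no default_backend, HAProxy simply closes the connection; that is the EOF the Python client reports. Terminating TLS fixes the routing, at the cost of HAProxy holding the private key and being the point where the client's certificate chain ends.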
rautpr
3
Hi Jerome,
Thanks for your input. I tried the below configuration, and it’s working in a round-robin fashion instead of going with the exact match.
listen abc
bind *:443
mode tcp
option tcplog
timeout connect 10s
timeout client 20m
timeout server 20m
maxconn 10000
use-server abc1 if { req.ssl_sni -i qaws.domain.com }
server abc1 qaws.domain.com:443
use-server abc2 if { req.ssl_sni -i pdws.domain.com }
server abc2 pdws.domain.com:443
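The second option, SNI-based routing in TCP passthrough, as an added example that completes the config above; it is not configuration posted in the thread. In tcp mode the use-server/use_backend rules run as soon as the connection is accepted, before any bytes of the ClientHello have arrived, so req.ssl_sni is empty, neither rule matches, and the connection falls back to the default balancing across both servers. The fix is to buffer the ClientHello with tcp-request inspect-delay and only proceed once a TLS handshake record is present. The inspect delay value and the log-format line are my choices; server names and hostnames are the thread's:

```haproxy
# Added example (not from the thread): TCP passthrough routed by SNI.
# The client's TLS session goes end-to-end to the origin; HAProxy only
# inspects the unencrypted ClientHello to pick a backend.
defaults
    mode tcp
    option tcplog
    timeout connect 10s
    timeout client 20m
    timeout server 20m

frontend tls-in
    bind *:443
    maxconn 10000
    # Wait (up to 5s) for enough data to parse the ClientHello. Without this,
    # req.ssl_sni is evaluated on an empty buffer and never matches.
    tcp-request inspect-delay 5s
    # Proceed only once a TLS ClientHello (handshake type 1) is in the buffer.
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Anything that is not a TLS ClientHello after the delay is refused.
    tcp-request content reject
    # Record the SNI so passthrough traffic is still attributable in the logs.
    tcp-request content capture req.ssl_sni len 100
    log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq sni=%[capture.req.hdr(0)]"
    use_backend be_d1 if { req.ssl_sni -i qaws.domain.com }
    use_backend be_d2 if { req.ssl_sni -i pdws.domain.com }
    # No default_backend on purpose: an unknown or missing SNI is closed
    # instead of being sent to an arbitrary server.

backend be_d1
    server D1M1 qaws.domain.com:443

backend be_d2
    server D2M1 pdws.domain.com:443
```

Two details matter for passthrough: the SNI is sent in cleartext by the client and is not authenticated, so it is a routing hint, not an identity check, and the origin servers still need to present certificates the client will accept for qaws.domain.com and pdws.domain.com, since HAProxy never sees or terminates that handshake.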