How to know if haproxy/browser SSL certificate exchange didn't work


#1

Hi

I am using a Root CA generated SSL certificate to set up an SSL connection for HAProxy, which connects to a web server that only supports http. When the browser connects there is an invalid certificate error, but if the user proceeds despite the warning, the browser connects with an insecure connection. Is there a way to know if the browser is using an insecure connection because the browser refused to use the invalid certificate? I have read posts saying the latest browsers are more strict about certificates. How can we check if the haproxy/browser SSL exchange was successful?
The haproxy setup could be the culprit too.
I will attach the log in the following reply.

Thanks Jae Kim


#2

172.17.0.7 is the haproxy
172.17.0.5 is awx_web
192.168.247.1 is the browser

1 0 192.168.247.1 172.17.0.7 TCP 66 61925 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
2 0.000103 172.17.0.7 192.168.247.1 TCP 66 443 > 61925 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
3 0.000275 192.168.247.1 172.17.0.7 TCP 54 61925 > 443 [ACK] Seq=1 Ack=1 Win=65536 Len=0
4 0.000573 192.168.247.1 172.17.0.7 TLSv1.2 233 Client Hello
5 0.001429 172.17.0.7 192.168.247.1 TLSv1.2 1456 Server Hello, Certificate, Server Key Exchange, Server Hello Done
6 0.002835 192.168.247.1 172.17.0.7 TLSv1.2 180 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
7 0.003126 172.17.0.7 192.168.247.1 TLSv1.2 280 New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
8 0.004168 192.168.247.1 172.17.0.7 TCP 54 61925 > 443 [FIN, ACK] Seq=306 Ack=1629 Win=65536 Len=0
9 0.004286 172.17.0.7 192.168.247.1 TCP 54 443 > 61925 [FIN, ACK] Seq=1629 Ack=307 Win=30336 Len=0
10 0.00441 192.168.247.1 172.17.0.7 TCP 54 61925 > 443 [ACK] Seq=307 Ack=1630 Win=65536 Len=0
11 0.060104 192.168.247.1 172.17.0.7 TCP 66 61926 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
12 0.060232 172.17.0.7 192.168.247.1 TCP 66 443 > 61926 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
13 0.060406 192.168.247.1 172.17.0.7 TCP 54 61926 > 443 [ACK] Seq=1 Ack=1 Win=65536 Len=0
14 0.060617 192.168.247.1 172.17.0.7 TLSv1.2 233 Client Hello
15 0.061467 172.17.0.7 192.168.247.1 TLSv1.2 1456 Server Hello, Certificate, Server Key Exchange, Server Hello Done
16 0.062847 192.168.247.1 172.17.0.7 TLSv1.2 180 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
17 0.063177 172.17.0.7 192.168.247.1 TLSv1.2 280 New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
18 0.063564 192.168.247.1 172.17.0.7 TLSv1.2 490 Application Data
19 0.063647 172.17.0.7 192.168.247.1 TLSv1.2 184 Application Data
20 0.122058 192.168.247.1 172.17.0.5 TCP 66 61927 > 8052 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
21 0.12213 172.17.0.5 192.168.247.1 TCP 66 8052 > 61927 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
22 0.122269 192.168.247.1 172.17.0.5 TCP 54 61927 > 8052 [ACK] Seq=1 Ack=1 Win=65536 Len=0
23 0.123194 192.168.247.1 172.17.0.5 HTTP 457 GET / HTTP/1.1
24 0.123233 172.17.0.5 192.168.247.1 TCP 54 8052 > 61927 [ACK] Seq=1 Ack=404 Win=30336 Len=0
25 0.148988 172.17.0.5 192.168.247.1 TCP 11515 8052 > 61927 [PSH, ACK] Seq=1 Ack=404 Win=30336 Len=11461 [TCP segment of a reassembled PDU]
26 0.149238 192.168.247.1 172.17.0.5 TCP 54 61927 > 8052 [ACK] Seq=404 Ack=2921 Win=65536 Len=0
27 0.149246 192.168.247.1 172.17.0.5 TCP 54 61927 > 8052 [ACK] Seq=404 Ack=5841 Win=65536 Len=0
28 0.149249 192.168.247.1 172.17.0.5 TCP 54 61927 > 8052 [ACK] Seq=404 Ack=8761 Win=65536 Len=0
29 0.149252 192.168.247.1 172.17.0.5 TCP 54 61927 > 8052 [ACK] Seq=404 Ack=11462 Win=64512 Len=0
30 0.149341 172.17.0.5 192.168.247.1 HTTP 59 HTTP/1.1 200 OK (text/html)
31 0.259794 192.168.247.1 172.17.0.7 TCP 54 61926 > 443 [ACK] Seq=742 Ack=1759 Win=65536 Len=0
32 0.349681 172.17.0.5 192.168.247.1 TCP 59 [TCP Retransmission] 8052 > 61927 [PSH, ACK] Seq=11462 Ack=404 Win=30336 Len=5
33 0.349858 192.168.247.1 172.17.0.5 TCP 66 61927 > 8052 [ACK] Seq=404 Ack=11467 Win=64512 Len=0 SLE=11462 SRE=11467
34 0.482896 192.168.247.1 172.17.0.5 HTTP 519 GET /static/css/vendor.a3a1e719887ce9fdef64.css HTTP/1.1
35 0.483066 172.17.0.5 192.168.247.1 HTTP 281 HTTP/1.1 304 Not Modified
36 0.529669 192.168.247.1 172.17.0.5 HTTP 516 GET /static/css/app.a3a1e719887ce9fdef64.css HTTP/1.1
37 0.529877 172.17.0.5 192.168.247.1 HTTP 281 HTTP/1.1 304 Not Modified
38 0.586895 192.168.247.1 172.17.0.5 HTTP 503 GET /static/js/vendor.a3a1e719887ce9fdef64.js HTTP/1.1
39 0.587076 172.17.0.5 192.168.247.1 HTTP 282 HTTP/1.1 304 Not Modified
40 0.647909 192.168.247.1 172.17.0.5 HTTP 500 GET /static/js/app.a3a1e719887ce9fdef64.js HTTP/1.1
41 0.648091 172.17.0.5 192.168.247.1 HTTP 282 HTTP/1.1 304 Not Modified
42 0.852933 192.168.247.1 172.17.0.5 TCP 54 61927 > 8052 [ACK] Seq=2226 Ack=12377 Win=65024 Len=0
43 1.442828 192.168.247.1 172.17.0.7 TLSv1.2 490 Application Data
44 1.442975 172.17.0.7 192.168.247.1 TLSv1.2 184 Application Data
45 1.64279 192.168.247.1 172.17.0.7 TCP 54 61926 > 443 [ACK] Seq=1178 Ack=1889 Win=65280 Len=0
46 2.490073 192.168.247.1 172.17.0.5 HTTP 569 GET /static/lib/angular-tz-extensions/tz/data/northamerica HTTP/1.1
47 2.490294 172.17.0.5 192.168.247.1 HTTP 281 HTTP/1.1 304 Not Modified
48 2.585156 192.168.247.1 172.17.0.5 HTTP 413 GET /api/ HTTP/1.1
49 2.624741 172.17.0.5 192.168.247.1 TCP 54 8052 > 61927 [ACK] Seq=12604 Ack=3100 Win=36736 Len=0
50 2.633735 192.168.247.1 172.17.0.5 TCP 66 61929 > 8052 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
51 2.6338 172.17.0.5 192.168.247.1 TCP 66 8052 > 61929 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
52 2.634017 192.168.247.1 172.17.0.5 TCP 54 61929 > 8052 [ACK] Seq=1 Ack=1 Win=65536 Len=0
53 2.637955 192.168.247.1 172.17.0.5 HTTP 542 GET /static/partials/bread-crumb/bread-crumb.partial.html HTTP/1.1
54 2.638002 172.17.0.5 192.168.247.1 TCP 54 8052 > 61929 [ACK] Seq=1 Ack=489 Win=30336 Len=0
55 2.638172 172.17.0.5 192.168.247.1 HTTP 279 HTTP/1.1 304 Not Modified
56 2.693391 192.168.247.1 172.17.0.5 HTTP 570 GET /static/partials/activity-stream/streamDetailModal/streamDetailModal.partial.html HTTP/1.1
57 2.693567 172.17.0.5 192.168.247.1 HTTP 279 HTTP/1.1 304 Not Modified
58 2.747812 192.168.247.1 172.17.0.5 HTTP 503 GET /static/partials/home/home.partial.html HTTP/1.1
59 2.748013 172.17.0.5 192.168.247.1 HTTP 278 HTTP/1.1 304 Not Modified
60 2.796371 192.168.247.1 172.17.0.5 HTTP 526 GET /static/assets/logo-header.svg HTTP/1.1
61 2.796612 172.17.0.5 192.168.247.1 HTTP 280 HTTP/1.1 304 Not Modified
62 2.855314 192.168.247.1 172.17.0.5 HTTP 582 GET /static/fonts/fontawesome-webfont.woff2?v=4.6.3 HTTP/1.1
63 2.8564 172.17.0.5 192.168.247.1 HTTP 281 HTTP/1.1 304 Not Modified
64 2.898008 172.17.0.5 192.168.247.1 HTTP 551 HTTP/1.1 200 OK (application/json)
65 2.909393 192.168.247.1 172.17.0.5 HTTP 567 GET /static/assets/OpenSans-Regular.ttf HTTP/1.1
66 2.909453 172.17.0.5 192.168.247.1 TCP 54 8052 > 61927 [ACK] Seq=13101 Ack=3613 Win=37888 Len=0
67 2.909573 172.17.0.5 192.168.247.1 HTTP 281 HTTP/1.1 304 Not Modified
68 2.976914 192.168.247.1 172.17.0.5 HTTP 521 GET /static/partials/breadcrumb.html HTTP/1.1
69 2.978266 172.17.0.5 192.168.247.1 HTTP 279 HTTP/1.1 304 Not Modified
70 3.017953 192.168.247.1 172.17.0.5 HTTP 429 GET /api/ HTTP/1.1
71 3.041493 172.17.0.5 192.168.247.1 HTTP 551 HTTP/1.1 200 OK (application/json)
72 3.0559 192.168.247.1 172.17.0.5 TCP 54 61929 > 8052 [ACK] Seq=2454 Ack=1128 Win=64512 Len=0
73 3.062504 192.168.247.1 172.17.0.5 HTTP 513 GET /static/partials/login/loginBackDrop.partial.html HTTP/1.1
74 3.062696 172.17.0.5 192.168.247.1 HTTP 278 HTTP/1.1 304 Not Modified
75 3.112678 192.168.247.1 172.17.0.5 HTTP 432 GET /api/v2/ HTTP/1.1
76 3.14379 172.17.0.5 192.168.247.1 TCP 1905 8052 > 61927 [PSH, ACK] Seq=14274 Ack=5292 Win=42112 Len=1851 [TCP segment of a reassembled PDU]
77 3.143986 172.17.0.5 192.168.247.1 HTTP 59 HTTP/1.1 200 OK (application/json)
78 3.146084 192.168.247.1 172.17.0.5 TCP 54 61927 > 8052 [ACK] Seq=5292 Ack=16125 Win=65536 Len=0
79 3.157862 192.168.247.1 172.17.0.5 HTTP 547 GET /static/partials/login/loginModal/loginModal.partial.html HTTP/1.1
80 3.15805 172.17.0.5 192.168.247.1 HTTP 280 HTTP/1.1 304 Not Modified
81 3.230501 192.168.247.1 172.17.0.5 HTTP 569 GET /static/partials/login/loginModal/thirdPartySignOn/thirdPartySignOn.partial.html HTTP/1.1
82 3.230681 172.17.0.5 192.168.247.1 HTTP 279 HTTP/1.1 304 Not Modified
83 3.280647 192.168.247.1 172.17.0.5 HTTP 525 GET /static/assets/logo-login.svg HTTP/1.1
84 3.280894 172.17.0.5 192.168.247.1 HTTP 280 HTTP/1.1 304 Not Modified
85 3.332358 192.168.247.1 172.17.0.5 HTTP 421 GET /api/v2/auth/ HTTP/1.1
86 3.371728 172.17.0.5 192.168.247.1 TCP 54 8052 > 61927 [ACK] Seq=16807 Ack=7138 Win=46464 Len=0
87 3.397018 172.17.0.5 192.168.247.1 HTTP 398 HTTP/1.1 200 OK (application/json)
88 3.451839 192.168.247.1 172.17.0.5 HTTP 421 GET /api/v2/auth/ HTTP/1.1
89 3.451905 172.17.0.5 192.168.247.1 TCP 54 8052 > 61927 [ACK] Seq=17151 Ack=7505 Win=47488 Len=0
90 3.474931 172.17.0.5 192.168.247.1 HTTP 398 HTTP/1.1 200 OK (application/json)
91 3.68393 192.168.247.1 172.17.0.5 TCP 54 61927 > 8052 [ACK] Seq=7505 Ack=17495 Win=64256 Len=0
92 6.446077 172.17.0.7 192.168.247.1 TLSv1.2 85 Encrypted Alert
93 6.446255 172.17.0.7 192.168.247.1 TCP 54 443 > 61926 [FIN, ACK] Seq=1920 Ack=1178 Win=32512 Len=0
94 6.446386 192.168.247.1 172.17.0.7 TCP 54 61926 > 443 [ACK] Seq=1178 Ack=1921 Win=65280 Len=0
95 19.83706 192.168.247.1 172.17.0.7 TCP 54 61926 > 443 [FIN, ACK] Seq=1178 Ack=1921 Win=65280 Len=0
96 19.83708 192.168.247.1 172.17.0.7 TCP 54 61926 > 443 [RST, ACK] Seq=1179 Ack=1921 Win=0 Len=0
97 19.83709 192.168.247.1 172.17.0.5 TCP 54 61929 > 8052 [FIN, ACK] Seq=2454 Ack=1128 Win=64512 Len=0
98 19.8371 192.168.247.1 172.17.0.5 TCP 54 61927 > 8052 [FIN, ACK] Seq=7505 Ack=17495 Win=64256 Len=0
99 19.83713 172.17.0.7 192.168.247.1 TCP 54 443 > 61926 [ACK] Seq=1921 Ack=1179 Win=32512 Len=0
100 19.83737 172.17.0.5 192.168.247.1 TCP 54 8052 > 61929 [FIN, ACK] Seq=1128 Ack=2455 Win=34560 Len=0
101 19.8376 192.168.247.1 172.17.0.5 TCP 54 61929 > 8052 [ACK] Seq=2455 Ack=1129 Win=64512 Len=0
102 19.8378 172.17.0.5 192.168.247.1 TCP 54 8052 > 61927 [FIN, ACK] Seq=17495 Ack=7506 Win=47488 Len=0
103 19.83802 192.168.247.1 172.17.0.5 TCP 54 61927 > 8052 [ACK] Seq=7506 Ack=17496 Win=64256 Len=0
104 39.72396 192.168.247.1 172.17.0.7 TCP 66 61939 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
105 39.72403 172.17.0.7 192.168.247.1 TCP 66 443 > 61939 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
106 39.72424 192.168.247.1 172.17.0.7 TCP 54 61939 > 443 [ACK] Seq=1 Ack=1 Win=65536 Len=0
107 39.72445 192.168.247.1 172.17.0.7 TLSv1.2 233 Client Hello
108 39.7254 172.17.0.7 192.168.247.1 TLSv1.2 1456 Server Hello, Certificate, Server Key Exchange, Server Hello Done
109 39.72678 192.168.247.1 172.17.0.7 TLSv1.2 180 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
110 39.72706 172.17.0.7 192.168.247.1 TLSv1.2 280 New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
111 39.72731 192.168.247.1 172.17.0.7 TCP 54 61939 > 443 [FIN, ACK] Seq=306 Ack=1629 Win=65536 Len=0
112 39.72738 172.17.0.7 192.168.247.1 TCP 54 443 > 61939 [FIN, ACK] Seq=1629 Ack=307 Win=30336 Len=0
113 39.72754 192.168.247.1 172.17.0.7 TCP 54 61939 > 443 [ACK] Seq=307 Ack=1630 Win=65536 Len=0
114 40.45985 192.168.247.1 172.17.0.7 TCP 66 61940 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
115 40.45993 172.17.0.7 192.168.247.1 TCP 66 443 > 61940 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
116 40.46022 192.168.247.1 172.17.0.7 TCP 54 61940 > 443 [ACK] Seq=1 Ack=1 Win=65536 Len=0
117 40.46025 192.168.247.1 172.17.0.7 TLSv1.2 233 Client Hello
118 40.46126 172.17.0.7 192.168.247.1 TLSv1.2 1456 Server Hello, Certificate, Server Key Exchange, Server Hello Done
119 40.46281 192.168.247.1 172.17.0.7 TLSv1.2 180 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
120 40.4632 172.17.0.7 192.168.247.1 TLSv1.2 280 New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
121 40.46375 192.168.247.1 172.17.0.7 TCP 54 61940 > 443 [FIN, ACK] Seq=306 Ack=1629 Win=65536 Len=0
122 40.46388 172.17.0.7 192.168.247.1 TCP 54 443 > 61940 [FIN, ACK] Seq=1629 Ack=307 Win=30336 Len=0
123 40.46417 192.168.247.1 172.17.0.7 TCP 54 61940 > 443 [ACK] Seq=307 Ack=1630 Win=65536 Len=0
124 44.93709 192.168.247.1 172.17.0.7 TCP 66 61946 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
125 44.93717 172.17.0.7 192.168.247.1 TCP 66 443 > 61946 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
126 44.93746 192.168.247.1 172.17.0.7 TCP 54 61946 > 443 [ACK] Seq=1 Ack=1 Win=65536 Len=0
127 44.93776 192.168.247.1 172.17.0.7 TLSv1.2 233 Client Hello
128 44.93904 172.17.0.7 192.168.247.1 TLSv1.2 1456 Server Hello, Certificate, Server Key Exchange, Server Hello Done
129 44.94056 192.168.247.1 172.17.0.7 TLSv1.2 180 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
130 44.94118 172.17.0.7 192.168.247.1 TLSv1.2 280 New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
131 44.94208 192.168.247.1 172.17.0.7 TLSv1.2 490 Application Data
132 44.94226 172.17.0.7 192.168.247.1 TLSv1.2 184 Application Data
133 44.99414 192.168.247.1 172.17.0.5 TCP 66 61947 > 8052 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
134 44.99423 172.17.0.5 192.168.247.1 TCP 66 8052 > 61947 [SYN, ACK] Seq=0 Ack=1 Win=29200 Len=0 MSS=1460 SACK_PERM=1 WS=128
135 44.99446 192.168.247.1 172.17.0.5 TCP 54 61947 > 8052 [ACK] Seq=1 Ack=1 Win=65536 Len=0
136 44.99531 192.168.247.1 172.17.0.5 HTTP 457 GET / HTTP/1.1
137 44.99536 172.17.0.5 192.168.247.1 TCP 54 8052 > 61947 [ACK] Seq=1 Ack=404 Win=30336 Len=0
138 45.01917 172.17.0.5 192.168.247.1 TCP 8410 8052 > 61947 [PSH, ACK] Seq=1 Ack=404 Win=30336 Len=8356 [TCP segment of a reassembled PDU]
139 45.01942 192.168.247.1 172.17.0.5 TCP 54 61947 > 8052 [ACK] Seq=404 Ack=2921 Win=65536 Len=0
140 45.01943 192.168.247.1 172.17.0.5 TCP 54 61947 > 8052 [ACK] Seq=404 Ack=5841 Win=65536 Len=0
141 45.01942 172.17.0.5 192.168.247.1 TCP 2974 8052 > 61947 [ACK] Seq=8357 Ack=404 Win=30336 Len=2920 [TCP segment of a reassembled PDU]
142 45.01943 192.168.247.1 172.17.0.5 TCP 54 61947 > 8052 [ACK] Seq=404 Ack=8357 Win=65536 Len=0
143 45.01954 192.168.247.1 172.17.0.5 TCP 54 61947 > 8052 [ACK] Seq=404 Ack=11277 Win=65536 Len=0
144 45.01954 172.17.0.5 192.168.247.1 HTTP 251 HTTP/1.1 200 OK (text/html)
145 45.13653 192.168.247.1 172.17.0.7 TCP 54 61946 > 443 [ACK] Seq=742 Ack=1759 Win=65536 Len=0
146 45.22151 172.17.0.5 192.168.247.1 TCP 251 [TCP Retransmission] 8052 > 61947 [PSH, ACK] Seq=11277 Ack=404 Win=30336 Len=197
147 45.22171 192.168.247.1 172.17.0.5 TCP 66 61947 > 8052 [ACK] Seq=404 Ack=11474 Win=65280 Len=0 SLE=11277 SRE=11474
148 45.57483 192.168.247.1 172.17.0.5 HTTP 436 GET /static/css/vendor.a3a1e719887ce9fdef64.css HTTP/1.1
149 45.5751 172.17.0.5 192.168.247.1 TCP 341 8052 > 61947 [PSH, ACK] Seq=11474 Ack=786 Win=31360 Len=287 [TCP segment of a reassembled PDU]
150 45.57528 172.17.0.5 192.168.247.1 TCP 13194 8052 > 61947 [ACK] Seq=11761 Ack=786 Win=31360 Len=13140 [TCP segment of a reassembled PDU]
151 45.57574 192.168.247.1 172.17.0.5 TCP 54 61947 > 8052 [ACK] Seq=786 Ack=13221 Win=65536 Len=0
152 45.57576 192.168.247.1 172.17.0.5 TCP 54 61947 > 8052 [ACK] Seq=786 Ack=16141 Win=65536 Len=0
153 45.57576 192.168.247.1 172.17.0.5 TCP 54 61947 > 8052 [ACK] Seq=786 Ack=19061 Win=65536 Len=0
154 45.57577 192.168.247.1 172.17.0.5 TCP 54 61947 > 8052 [ACK] Seq=786 Ack=21981 Win=65536 Len=0
155 45.57578 192.168.247.1 172.17.0.5 TCP 54 61947 > 8052 [ACK] Seq=786 Ack=24901 Win=62720 Len=0
156 45.57586 172.17.0.5 192.168.247.1 TCP 4434 8052 > 61947 [ACK] Seq=24901 Ack=786 Win=31360 Len=4380 [TCP segment of a reassembled PDU]
157 45.57587 172.17.0.5 192.168.247.1 TCP 5894 8052 > 61947 [ACK] Seq=29281 Ack=786 Win=31360 Len=5840 [TCP segment of a reassembled PDU]
158 45.57629 192.168.247.1 172.17.0.5 TCP 54 [TCP Window Update] 61947 > 8052 [ACK] Seq=786 Ack=24901 Win=65536 Len=0
159 45.5763 192.168.247.1 172.17.0.5 TCP 54 61947 > 8052 [ACK] Seq=786 Ack=27821 Win=65536 Len=0
160 45.57632 192.168.247.1 172.17.0.5 TCP 54 61947 > 8052 [ACK] Seq=786 Ack=30741 Win=65536 Len=0
161 45.57633 192.168.247.1 172.17.0.5 TCP 54 61947 > 8052 [ACK] Seq=786 Ack=33661 Win=65536 Len=0
162 45.57635 172.17.0.5 192.168.247.1 TCP 5894 8052 > 61947 [ACK] Seq=35121 Ack=786 Win=31360 Len=5840 [TCP segment of a reassembled PDU]
163 45.57636 172.17.0.5 192.168.247.1 TCP 5894 8052 > 61947 [ACK] Seq=40961 Ack=786 Win=31360 Len=5840 [TCP segment of a reassembled PDU]
164 45.57675 192.168.247.1 172.17.0.5 TCP 54 61947 > 8052 [ACK] Seq=786 Ack=36581 Win=65536 Len=0
165 45.57676 192.168.247.1 172.17.0.5 TCP 54 61947 > 8052 [ACK] Seq=786 Ack=39501 Win=65536 Len=0
166 45.57983 172.17.0.5 192.168.247.1 TCP 14654 [TCP Previous segment not captured] 8052 > 61947 [ACK] Seq=121261 Ack=786 Win=31360 Len=14600 [TCP segment of a reassembled PDU]
167 45.58026 192.168.247.1 172.17.0.5 TCP 54 [TCP ACKed unseen segment] 61947 > 8052 [ACK] Seq=786 Ack=124181 Win=65536 Len=0
168 45.58029 192.168.247.1 172.17.0.5 TCP 54 61947 > 8052 [ACK] Seq=786 Ack=127101 Win=65536 Len=0
169 45.58029 192.168.247.1 172.17.0.5 TCP 54 61947 > 8052 [ACK] Seq=786 Ack=130021 Win=65536 Len=0
170 45.5803 192.168.247.1 172.17.0.5 TCP 54 61947 > 8052 [ACK] Seq=786 Ack=132941 Win=65536 Len=0
171 45.5803 192.168.247.1 172.17.0.5 TCP 54 61947 > 8052 [ACK] Seq=786 Ack=135861 Win=65536 Len=0
172 45.58054 172.17.0.5 192.168.247.1 TCP 5894 8052 > 61947 [ACK] Seq=135861 Ack=786 Win=31360 Len=5840 [TCP segment of a reassembled PDU]
173 45.58055 172.17.0.5 192.168.247.1 TCP 5894 8052 > 61947 [ACK] Seq=141701 Ack=786 Win=31360 Len=5840 [TCP segment of a reassembled PDU]
174 45.58089 192.168.247.1 172.17.0.5 TCP 54 61947 > 8052 [ACK] Seq=786 Ack=138781 Win=65536 Len=0
175 45.5809 192.168.247.1 172.17.0.5 TCP 54 61947 > 8052 [ACK] Seq=786 Ack=141701 Win=65536 Len=0
176 45.58091 192.168.247.1 172.17.0.5 TCP 54 61947 > 8052 [ACK] Seq=786 Ack=144621 Win=65536 Len=0
177 45.58091 192.168.247.1 172.17.0.5 TCP 54 61947 > 8052 [ACK] Seq=786 Ack=147541 Win=65536 Len=0
178 45.58093 172.17.0.5 192.168.247.1 TCP 5894 8052 > 61947 [ACK] Seq=147541 Ack=786 Win=31360 Len=5840 [TCP segment of a reassembled PDU]
179 45.58094 172.17.0.5 192.168.247.1 TCP 5894 8052 > 61947 [ACK] Seq=153381 Ack=786 Win=31360 Len=5840 [TCP segment of a reassembled PDU]
180 45.58126 192.168.247.1 172.17.0.5 TCP 54 61947 > 8052 [ACK] Seq=786 Ack=150461 Win=65536 Len=0
181 45.58127 192.168.247.1 172.17.0.5 TCP 54 61947 > 8052 [ACK] Seq=786 Ack=153381 Win=65536 Len=0
182 45.63154 192.168.247.1 172.17.0.5 HTTP 433 [TCP ACKed unseen segment] GET /static/css/app.a3a1e719887ce9fdef64.css HTTP/1.1
183 45.63174 172.17.0.5 192.168.247.1 TCP 341 [TCP Previous segment not captured] 8052 > 61947 [PSH, ACK] Seq=210449 Ack=1165 Win=32512 Len=287 [TCP segment of a reassembled PDU]
184 45.63189 172.17.0.5 192.168.247.1 TCP 13194 8052
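
One way to triage a packet list like the one above, as an added example that is not part of the original post: it groups Wireshark summary lines by connection and reports whether each one finished a TLS 1.2 handshake, carried TLS application data, or carried cleartext HTTP. It assumes Wireshark's default summary columns and that connections to one server do not overlap, because the TLS and HTTP summary lines carry no ports; `classify` and `verdict` are hypothetical names.

```python
import re

# Selected frames copied from the packet list posted above.
CAPTURE = """\
1 0 192.168.247.1 172.17.0.7 TCP 66 61925 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
4 0.000573 192.168.247.1 172.17.0.7 TLSv1.2 233 Client Hello
5 0.001429 172.17.0.7 192.168.247.1 TLSv1.2 1456 Server Hello, Certificate, Server Key Exchange, Server Hello Done
6 0.002835 192.168.247.1 172.17.0.7 TLSv1.2 180 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
7 0.003126 172.17.0.7 192.168.247.1 TLSv1.2 280 New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
8 0.004168 192.168.247.1 172.17.0.7 TCP 54 61925 > 443 [FIN, ACK] Seq=306 Ack=1629 Win=65536 Len=0
11 0.060104 192.168.247.1 172.17.0.7 TCP 66 61926 > 443 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
14 0.060617 192.168.247.1 172.17.0.7 TLSv1.2 233 Client Hello
15 0.061467 172.17.0.7 192.168.247.1 TLSv1.2 1456 Server Hello, Certificate, Server Key Exchange, Server Hello Done
16 0.062847 192.168.247.1 172.17.0.7 TLSv1.2 180 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
17 0.063177 172.17.0.7 192.168.247.1 TLSv1.2 280 New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
18 0.063564 192.168.247.1 172.17.0.7 TLSv1.2 490 Application Data
19 0.063647 172.17.0.7 192.168.247.1 TLSv1.2 184 Application Data
20 0.122058 192.168.247.1 172.17.0.5 TCP 66 61927 > 8052 [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=256 SACK_PERM=1
23 0.123194 192.168.247.1 172.17.0.5 HTTP 457 GET / HTTP/1.1
"""

# Columns: frame no., time, source, destination, protocol, length, info.
LINE = re.compile(r"^(\d+)\s+\S+\s+(\S+)\s+(\S+)\s+(\S+)\s+\d+\s+(.*)$")
SYN = re.compile(r"^\d+ > (\d+) \[SYN\]")


def verdict(c):
    if c["plain_http"]:
        return "cleartext HTTP"
    if c["aborted"]:
        return "TLS handshake aborted by alert"
    if c["client_fin"] and c["server_fin"]:
        if c["tls_data"]:
            return "TLS established, data sent"
        return "TLS handshake done, closed without data"
    return "no completed TLS handshake"


def classify(capture, client):
    """Return one dict per TCP connection that `client` opened, in SYN order."""
    conns, latest = [], {}          # latest: server IP -> newest connection
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                # truncated or unparsable line
        frame, src, dst, proto, info = m.groups()
        if client not in (src, dst):
            continue
        server = dst if src == client else src
        syn = SYN.match(info)
        if proto == "TCP" and src == client and syn:
            latest[server] = {"server": server, "port": int(syn.group(1)),
                              "first_frame": int(frame), "client_fin": False,
                              "server_fin": False, "tls_data": False,
                              "plain_http": False, "aborted": False}
            conns.append(latest[server])
        conn = latest.get(server)
        if conn is None:
            continue
        done = conn["client_fin"] and conn["server_fin"]
        if proto.startswith(("TLS", "SSL")):
            if "Change Cipher Spec" in info and "Encrypted Handshake Message" in info:
                conn["client_fin" if src == client else "server_fin"] = True
            elif "Application Data" in info:
                conn["tls_data"] = True
            elif "Alert" in info and not done:
                conn["aborted"] = True   # alert before both sides finished
        elif proto == "HTTP":
            conn["plain_http"] = True    # readable HTTP means no TLS on this flow
    for c in conns:
        c["verdict"] = verdict(c)
    return conns
```

On these frames it reports a completed handshake on both port 443 connections and cleartext HTTP on the connection from the browser to 172.17.0.5:8052.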


#3

Haproxy.log file

Connect from 192.168.247.1:49379 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49380 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49397 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49398 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49399 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49401 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49402 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49403 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49404 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49405 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49406 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49407 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49408 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49410 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49411 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49412 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49413 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49414 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49415 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49416 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49417 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49418 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49419 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49420 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49421 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49422 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49423 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49424 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49425 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49428 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49429 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49430 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49431 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49432 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49433 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49434 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49435 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49436 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49437 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49438 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49439 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49440 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49441 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49442 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49443 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49444 to 172.17.0.7:443 (www-https/HTTP)
Connect from 192.168.247.1:49445 to 172.17.0.7:443 (www-https/HTTP)


#4

haproxy.cfg

global
    maxconn 2048
    tune.ssl.default-dh-param 2048

defaults
    mode http
    log 127.0.0.1 local0
    option forwardfor
    option httpclose
    timeout connect 5000ms
    timeout client 5000ms
    timeout server 5000ms

frontend www-https
    bind *:443 ssl crt /root/key/mykey.pem no-sslv3 ca-ignore-err all
    default_backend backend_app1_ssl

backend backend_app1_ssl
    mode http
    server www-1 172.17.0.5:8052


#5

I tested again; using the latest config made it work.
Thanks for your attention.


#6

You can remove ca-ignore-err all; this is only needed for client certification verification.