HAProxy community

Http to https site with balancing


#1

Hi sir, could someone help me please…
I want to configure my server to hit an https site using haproxy…
I already tried so hard to reach my goal… but still fail…

My server uses http ==> haproxy ==> https://blabla.com

frontend localhost
    bind *:80
    bind *:443
    option tcplog
    mode tcp
    default_backend nodes

backend nodes
    mode tcp
    balance roundrobin
    option ssl-hello-chk
    server web01 xxx.xxx.xxx.xxx:443 check

This is my config… anyone please help me… thanks


#2

Try adding ssl to your server definition.


#3

Nov 09 02:59:02 HAPROXY haproxy[3051]: [ALERT] 312/025902 (3054) : Proxy 'nodes', server 'web01' [/etc/haproxy/haproxy.cfg:60] verify is enabled by default but no CA file specified. If you're running on a LAN where you're certain to trust the server's certificate, please set an explicit 'verify none' statement on the 'server' line, or use 'ssl-server-verify none' in the global section to disable server-side verifications by default.

I got this error, sir… when I add ssl check


#4

Well what you need to do is right there explained in the error message. Either configure a certificate-authority to verify the server certificate against or disable certificate verification with verify none.

Also, the frontend configuration is wrong, you cannot just configure bind :443 without any ssl settings or certificates. I assume you just want port 80 there, so I suggest you remove bind :443.


#5

frontend localhost
    bind *:80
    option tcplog
    mode tcp
    default_backend nodes

backend nodes
    mode tcp
    balance roundrobin
    option ssl-hello-chk
    server web01 emos.enseval.com:443 ssl verify none

Like this, sir? But it is still not working… when I curl haproxy it shows 404 not found.

[root@HAPROXY ~]# haproxy -vv
HA-Proxy version 1.7.9 2017/08/18
Copyright 2000-2017 Willy Tarreau willy@haproxy.org

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv
OPTIONS = USE_LIBCRYPT=1 USE_CRYPT_H=1 USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built without Lua support
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
[COMP] compression
[TRACE] trace
[SPOE] spoe


#6

“404 Not found” comes from your backend server. This means haproxy works and forwards traffic to and from your backend server.

Why your backend server responds with a 404 Not found response is something you’d have to find out: is the URL simply wrong? Does the backend server expect a specific Host header or SNI?


#7

No, it's not, sir… when I curl the https site it's normal… but when I try curl with the haproxy IP it says 404 not found…

I want to use haproxy to hit an https site from a local server to internet https… that's my goal… pls help


#8

That’s exactly it. When you curl to the https site both Host header and SNI value are exactly what the backend server expects. When you curl to haproxy, both Host header and SNI value are certainly wrong, which is why your backend server does not recognize it, causing a 404 Not Found error in response.

Haproxy does not emit 404 Not Found errors at all.

Set SNI and Host header in your backend configuration:

    http-request set-header Host emos.enseval.com
    server web01 emos.enseval.com:443 ssl verify none sni str(emos.enseval.com)
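
Added example, not part of the thread and not the HAProxy project's own configuration: a complete haproxy.cfg that combines the fixes from posts #4 and #8, with the backend certificate checked against a CA in place of `verify none`. The CA bundle path, the log target and the timeouts are assumptions; the hostname is the one used in the thread.

```haproxy
# Added example. Values marked ASSUMED are not from the thread.
global
    log /dev/log local0            # ASSUMED syslog socket

defaults
    mode http                      # http-request rules need HTTP mode, not tcp
    log global
    option httplog
    timeout connect 5s             # ASSUMED timeouts
    timeout client  30s
    timeout server  30s

frontend localhost
    bind *:80                      # plain HTTP in; no bind :443 without a certificate
    default_backend nodes

backend nodes
    balance roundrobin
    # Host header the origin's virtual host expects (post #8)
    http-request set-header Host emos.enseval.com

    # Form used in the thread: traffic is encrypted, but any certificate
    # is accepted, so the identity of the origin is never checked.
    # server web01 emos.enseval.com:443 ssl verify none sni str(emos.enseval.com)

    # Verified form: the chain must validate against ca-file and the
    # certificate must match the name given to verifyhost.
    # ASSUMED path: system CA bundle on a RHEL/CentOS host.
    server web01 emos.enseval.com:443 ssl verify required ca-file /etc/pki/tls/certs/ca-bundle.crt verifyhost emos.enseval.com sni str(emos.enseval.com)
```

Running `haproxy -c -f /etc/haproxy/haproxy.cfg` checks the file for errors before the service is reloaded.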

#9

Hi sir, can I use round robin if the backend server has 2 websites with https?

How do I define it if the backend has more than 1 site?

    http-request set-header Host emos.enseval.com
    http-request set-header Host xxx.xxx.xxx.com
    server web01 emos.enseval.com:443 ssl verify none sni str(emos.enseval.com)
    server web02 xx.xxx.xxxx:443 ssl verify none sni str(xxx.xxx.xxx.com)

Like this, sir?


#10

Haproxy is a reverse proxy, not a forward proxy. Using different Host headers in one backend doesn’t make a lot of sense.

What is it that you actually want to achieve here?


#11

I want to access an https site, https 1 and https 2; when I access the https site haproxy can balance traffic… that's what I want to achieve, sir… can I do that with haproxy?


#12

Then the Host header and SNI value is example.com for both.


#13

No sir… my server will hit haproxy on the http port… then haproxy will forward to https://www1 and https://www2

Can I do that, sir? Sorry for my English.


#14

I understand that, you keep Host header and SNI value the same and point to the individual servers:

    http-request set-header Host www.example.org
    server web01 www1.example.org:443 ssl verify none sni str(www.example.org)
    server web02 www2.example.org:443 ssl verify none sni str(www.example.org)
    server web03 www3.example.org:443 ssl verify none sni str(www.example.org)
    server web04 www4.example.org:443 ssl verify none sni str(www.example.org)

#15

I followed your steps, sir… but it is still not working… it only succeeds if haproxy forwards to web01, but if haproxy goes to web02 it says 404 not found

frontend localhost
    bind *:80
    option tcplog
    mode http
    default_backend nodes
    stats enable
    stats hide-version
    stats uri /stats
    stats realm Haproxy\ Statistics
    stats auth bunga:kamimasihmuda # Credentials for HAProxy Statistic report page.

backend nodes
    mode http
    balance roundrobin
    option forwardfor
    option ssl-hello-chk
    http-request set-header Host emos.enseval.com
    server web01 emos.enseval.com:443 ssl verify none sni str(emos.enseval.com)
    server web02 api.enseval.com:443 ssl verify none sni str(api.enseval.com)

Here is my log, sir:


#16

Those are not serving the same content. emos.enseval.com is a website and api.enseval.com is not - the latter probably being some kind of API endpoint.

You cannot load-balance between the two.

I assume you want to switch requests belonging to the website to one server, and requests belonging to the API to the other server. That’s not what round-robin load-balancing does though.

If that is the case, you need to distinguish between the two kinds of application at the haproxy layer. You can do that with Host headers, for example, and then route to different backends based on that.

Is that something you want to achieve here?


#17

Emos and api are the same thing… they handle the same request… that's why I want to use roundrobin… if I just hit emos, emos load will be high… I want to make it round robin so emos will not be high again… that's why emos and api work together to balance traffic and performance…

Emos and api are the same, sir… my server sends the same request to both… emos is primary and api is secondary… but if all traffic goes to emos, emos load will be high… that's why I want to use roundrobin to balance performance of emos and api…

That's what I want to achieve, sir… many thanks, sir… from here with love


#18

No it’s not, that’s why you are seeing this behavior.

Open in your browser this site:
https://emos.enseval.com

Now open in your browser this site:
https://api.enseval.com/

You will see that one is a website, the other doesn’t show anything (returns 404 Not found):

$ curl -v https://api.enseval.com/
[...]
< HTTP/1.1 404 Not Found
< Server: Kestrel
< X-Powered-By: ASP.NET
< Date: Fri, 09 Nov 2018 16:20:52 GMT
< Content-Length: 0
<
* Connection #0 to host api.enseval.com left intact

#19

If I curl with POST it will say success, sir… I send the same data to both emos and api…

The api page just shows 404, but if I send the same data curl will get success… only the homepage is 404, sir… not behind api…


#20

The api server probably wants api.enseval.com as Hostname.

Try removing http-request set-header Host emos.enseval.com and adding http-send-name-header Host, this will add the servername as a Host header individually.

Still, this setup is very confusing. I assume you are not in control of the backend servers and are trying to solve a local client problem? Otherwise I’d recommend revamping this entire setup.