Https configuration for haproxy

Hello friends,

I’ve some web applications running on tomcat. There are two identical application servers for each application and I want a loadbalancer to distribute the network traffic between those two servers.

Therefore I have configured haproxy to act as a loadbalancer and redirect http (80) port to real ports defined in application servers. It worked pretty well so far.

Now I’ve installed ssl certificates to tomcat servers and decided to make people access through https instead of http.

I could not find out how to configure haproxy to listen port 443 (https), distribute the network traffic as a loadbalancer and redirect ports.

Below is my configuration designed for http.
I’ve tried to simply change port numbers, change mode from http to https or tcp… none of them worked, or I’ve done something wrong or missed something…
Can you please tell me how I must modify this config?

Please note that I’ve already applied ssl certificates in tomcat so I do not need haproxy to apply ssl certificates.

Probably this is something very simple for most of you but this is the first time I use haproxy without any training.

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats timeout 30s
user haproxy
group haproxy
daemon

defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000

listen arserver
bind :33000
mode tcp
use_backend srvs_arserver

frontend http
bind *:80
mode http
#default_backend def

acl support base_reg ^.*support
acl smartit base_reg ^.*smartit

use_backend srvs_support if support
use_backend srvs_smartit if smartit

backend srvs_support
balance source #roundrobin
hash-type consistent # optional
server BMCHELIXDWP1 10.19.0.110:80 check
server BMCHELIXDWP2 10.19.0.131:80 check

backend srvs_smartit
balance source #roundrobin
hash-type consistent # optional
server BMCHELIXDWP1 10.19.0.110:8080 check
server BMCHELIXDWP2 10.19.0.131:8080 check

backend srvs_arserver
mode tcp
balance source #roundrobin
hash-type consistent # optional
server BMCHELIXARS1 10.19.0.109:33000 check
server BMCHELIXARS2 10.19.0.111:33000 check

anybody?

You need to configure the section in tcp mode, just as you do with arserver/srvs_arserver. Instead of 33000 you use 443. I suggest you use a frontend section instead of a listen section for both 33000 and 443 traffic; the listen section has a different use-case.

Thanks for your response. I don’t know the difference between listen section and frontend section.
I’m trying to create a working configuration with the help of examples I’ve found on the internet.
Anyway, I’ll work on that listen section later, but it did not work after I updated the config file as below. Service is running but I can’t access the webpage via haproxy.

global
log /var/lib/haproxy/dev/loglar local0
log /var/lib/haproxy/dev/loglar local1 notice
chroot /var/lib/haproxy
stats timeout 30s
user haproxy
group haproxy
daemon

defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000

listen arserver
bind :33000
mode tcp
use_backend srvs_arserver

frontend http
bind :443
mode tcp

acl support base_reg ^.*support
acl smartit base_reg ^.*smartit

use_backend srvs_support if support
use_backend srvs_smartit if smartit

backend srvs_support
balance source #roundrobin
hash-type consistent
server BMCHELIXARS1 10.19.0.109:8443 check
server BMCHELIXARS2 10.19.0.111:8443 check

backend srvs_smartit
balance source #roundrobin
hash-type consistent # optional
server BMCHELIXDWP1 10.19.0.110:8443 check
server BMCHELIXDWP2 10.19.0.131:8443 check

backend srvs_arserver
mode tcp
balance source #roundrobin
hash-type consistent # optional
server BMCHELIXARS1 10.19.0.109:33000 check
server BMCHELIXARS2 10.19.0.111:33000 check

Ok, so the reason this will never work is that you are trying to access plaintext data (support vs smartit) to make a routing decision.

However, this can only work if the traffic is indeed plaintext (HTTP). If the traffic is encrypted end-to-end between the client and the backend server, then you cannot access the plaintext data; that is the point of encryption.

Either install the SSL certificate on haproxy instead of the Tomcat servers, or you use different certificates and hostnames, so you can load-balance based on SNI (the hostname present in the first packet of the SSL handshake).
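Both options from the answer above, written out as an added HAProxy configuration example (not the thread's own config), reusing the backend names and server addresses from the second config in the thread. It assumes the hostnames support.example.com and smartit.example.com, and for option B the path /etc/haproxy/certs/site.pem, a PEM file holding the private key and certificate chain (HAProxy's crt expects PEM, not .p12).

```haproxy
# Option A: TLS stays end-to-end (certificates remain on Tomcat); HAProxy routes
# on the SNI hostname in the ClientHello, since it cannot see the URL path.
frontend https_sni
    bind *:443
    mode tcp
    # Hold the connection (up to 5s) until the ClientHello arrives, then read SNI
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Assumed hostnames: each needs its own DNS name and certificate on Tomcat
    acl sni_support req.ssl_sni -i support.example.com
    acl sni_smartit req.ssl_sni -i smartit.example.com
    use_backend srvs_support if sni_support
    use_backend srvs_smartit if sni_smartit
    # No default_backend: connections without a matching SNI are dropped

backend srvs_support
    mode tcp
    balance source
    hash-type consistent
    server BMCHELIXARS1 10.19.0.109:8443 check
    server BMCHELIXARS2 10.19.0.111:8443 check

backend srvs_smartit
    mode tcp
    balance source
    hash-type consistent
    server BMCHELIXDWP1 10.19.0.110:8443 check
    server BMCHELIXDWP2 10.19.0.131:8443 check

# Option B (use instead of frontend https_sni; both cannot bind :443): terminate
# TLS on HAProxy so path-based ACLs work again, then re-encrypt towards Tomcat.
frontend https_term
    bind *:443 ssl crt /etc/haproxy/certs/site.pem
    mode http
    acl support path_beg /support
    acl smartit path_beg /smartit
    use_backend srvs_support_http if support
    use_backend srvs_smartit_http if smartit

backend srvs_support_http
    mode http
    # verify required: HAProxy validates Tomcat's certificate against the CA bundle
    default-server ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt check
    server BMCHELIXARS1 10.19.0.109:8443
    server BMCHELIXARS2 10.19.0.111:8443

backend srvs_smartit_http
    mode http
    default-server ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt check
    server BMCHELIXDWP1 10.19.0.110:8443
    server BMCHELIXDWP2 10.19.0.131:8443
```

Validate either variant with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading.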

Thanks for the clarification.
How can I install SSL certificate on haproxy? I have the certificate in .p12 format, will that be enough?