HAProxy community

Is there an equivalent for Nginx grpc_ssl_certificate directive?

Hi, I am trying to set up HAProxy to replace Nginx as a reverse proxy for a gRPC service. This service is secured using mutual TLS, and the Nginx configuration contains both a certificate and a key so that connections to the backend are always secured by those 2 files. The certificate and key are generated by a custom CA.

Is there any way of telling HAProxy to use that certificate/key to communicate with the backend? Should something like the following line work in the server directive inside a backend block?

backend blah
    server server1 fqdn:port check ssl verify none crt /certkey.pem ca-file /custom-ca.pem alpn h2

Thanks.

Use “crt clientCert.pem” on the backend. Concatenate the client certificate and its private key into one file (clientCert.pem in this case), both in PEM format. The key has to be in unencrypted format.
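
A pre-flight check for the combined file described in the answer above, as an added example that is not part of the original thread or of HAProxy itself. The function name and the sample PEM bodies are constructed placeholders (no real key material); it checks structure only, not that the key matches the certificate.

```python
import base64
import re

# One PEM block; the label must agree between the BEGIN and END lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def lint_crt_bundle(pem_text):
    """Return a list of structural problems in a combined cert+key PEM file."""
    problems, certs, keys = [], 0, 0
    for label, body in PEM_BLOCK.findall(pem_text):
        if label == "CERTIFICATE":
            certs += 1
        elif label.endswith("PRIVATE KEY"):
            keys += 1
            # PKCS#8 encrypted keys have their own label; traditional OpenSSL
            # encrypted keys keep the plain label but add a Proc-Type header.
            if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
                problems.append("private key is encrypted")
                continue
        else:
            continue  # ignore unrelated blocks such as DH parameters
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"{label} block is not valid base64")
    if certs == 0:
        problems.append("no certificate found")
    if keys != 1:
        problems.append(f"expected exactly one private key, found {keys}")
    return problems

def _block(label, body="Q09OU1RSVUNURUQ="):
    # Constructed placeholder body (base64 of "CONSTRUCTED"), not real key material.
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed sample bundles.
GOOD = _block("CERTIFICATE") + _block("PRIVATE KEY")
ENCRYPTED_PKCS8 = _block("CERTIFICATE") + _block("ENCRYPTED PRIVATE KEY")
ENCRYPTED_LEGACY = _block("CERTIFICATE") + _block(
    "RSA PRIVATE KEY",
    "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\nQ09OU1RSVUNURUQ=")
KEY_ONLY = _block("PRIVATE KEY")

if __name__ == "__main__":
    for name in ("GOOD", "ENCRYPTED_PKCS8", "ENCRYPTED_LEGACY", "KEY_ONLY"):
        print(name, lint_crt_bundle(globals()[name]) or "ok")
```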

Thanks for your reply.

I am in the process of testing. Unfortunately, if I enable the check directive, I get the following error info: “SSL handshake failure”. I am not sure if the communication with the backend works or if just the checks are failing (I am waiting for some tests to be performed).

I get the same when we try to communicate with the backend:

10.119.17.138:52965 [16/Sep/2020:10:01:39.640] fqdn/1: SSL handshake failure

So it seems like it is not working.

This is the output of the health check in the log:

reason: Layer6 invalid response, info: “SSL handshake failure”, check duration: 1ms, status: 0/2 DOWN.

It gets marked as down after a couple of checks with the same response.