Good day! I have some problems with a backend and receive a 503 response from the web. We use http mode by default. All incoming requests are checked and forwarded to 443 SSL. But one of them (a backend) does not work in http mode. It requires only tcp mode for the backend. Can I use an http frontend and forward it to a backend in tcp mode?
HA-Proxy version 1.5.18 2016/05/10
Copyright 2000-2016 Willy Tarreau willy@haproxy.org
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
OPTIONS = USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
global
#log 127.0.0.1 local2
log /dev/log local0 info
log /dev/log local0 notice
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
stats socket /var/lib/haproxy/stats
tune.ssl.default-dh-param 2048
defaults
mode http
log global
log-format {"haproxy_clientIP":"%ci","haproxy_clientPort":"%cp","haproxy_dateTime":"%t","haproxy_frontendNameTransport":"%ft","haproxy_backend":"%b","haproxy_serverName":"%s","haproxy_Tw":"%Tw","haproxy_Tc":"%Tc","haproxy_Tt":"%Tt","haproxy_bytesRead":"%B","haproxy_terminationState":"%ts","haproxy_actconn":%ac,"haproxy_FrontendCurrentConn":%fc,"haproxy_backendCurrentConn":%bc,"haproxy_serverConcurrentConn":%sc,"haproxy_retries":%rc,"haproxy_srvQueue":%sq,"haproxy_backendQueue":%bq,"haproxy_backendSourceIP":"%bi","haproxy_backendSourcePort":"%bp","haproxy_statusCode":"%ST","haproxy_serverIP":"%si","haproxy_serverPort":"%sp","haproxy_frontendIP":"%fi","haproxy_frontendPort":"%fp","haproxy_capturedRequestHeaders":"%hr","haproxy_httpRequest":"%r"}
option httplog
option dontlognull
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
listen stats
bind vip:8404
mode http
stats enable
stats hide-version
stats uri /stats
option httpclose
stats auth haproxy:Qazwsx!@
frontend https
bind vip:80
# 'ca-file' on a bind line is the CA used to verify *client* certificates; only one ca-file takes effect per bind line,
# and without 'verify optional' or 'verify required' no client certificate is requested, so the X-SSL-Client-* headers below stay empty
bind vip:443 ssl crt /etc/haproxy/ssl/cbar.cer ca-file /etc/haproxy/ssl/cbar-ca.cer crt /etc/haproxy/ssl/ecbar.cer ca-file /etc/haproxy/ssl/ecbar-ca.cer crt /etc/haproxy/ssl/bizimpullar.az.cer ca-file /etc/haproxy/ssl/bizimpullar.az-ca.cer
http-request set-header X-SSL %[ssl_fc]
http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
http-request set-header X-SSL-Client-SHA1 %{+Q}[ssl_c_sha1]
http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
http-request set-header X-SSL-Client-Not-Before %{+Q}[ssl_c_notbefore]
http-request set-header X-SSL-Client-Not-After %{+Q}[ssl_c_notafter]
http-request redirect scheme https code 301 if !{ ssl_fc }
acl url_accr hdr_dom(host) -i accr.cbar.az
acl url_accr hdr_dom(host) -i www.accr.cbar.az
use_backend backend_accr if url_accr
backend backend_accr
balance roundrobin
mode http
option tcp-check
#redirect location https://accr.cbar.az ##!/login
# no 'cookie <value>' is set on the server line below, so the SERVERID cookie is never actually inserted
cookie SERVERID insert indirect nocache
# 'check port 443' is an explicit check port, so the health check does not inherit SSL from 'ssl' unless 'check-ssl' is added;
# with 'option tcp-check' and no tcp-check rules this is a plain TCP connect check.
# 'ssl' + 'ca-file' makes HAProxy verify the backend certificate chain (server-side verify defaults to 'required' in 1.5)
server accr-act mybackip:443 check port 443 fall 3 rise 2 ssl ca-file /etc/haproxy/ssl/cbar-ca.cer
Maybe the backend server needs SNI?
Does it work without health checks?
No, it doesn't.
Either your backend requires SNI, uses a certificate that cannot be authenticated with the CA file /etc/haproxy/ssl/cbar-ca.cer,
or there is some other SSL related problem.
Try verify none on the server line. If that also doesn't work, try capturing the SSL traffic between haproxy and the backend, and also make a curl -vvl https://..
request against that backend server from the haproxy instance.
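To the question in the original post: an http-mode frontend cannot use a tcp-mode backend at all; HAProxy rejects such a use_backend rule at configuration load (the only mixed combination it accepts is a tcp frontend sending to an http backend). Talking to an HTTPS-only backend does not need tcp mode, though: http mode with 'ssl' on the server line re-encrypts toward the backend, which is what the posted config already does. The 503 therefore comes from the backend connection failing, most likely the TLS handshake as the replies suggest. 'verify none' will tell you whether it is a certificate problem, but it turns off authentication of the backend entirely, so anyone who can reach the path between HAProxy and mybackip can impersonate the backend; it belongs in a diagnostic step, not in the running config. The two alternatives below are an added example for HAProxy 1.5 and are not from the thread: option 1 keeps verification on and pins the expected name, option 2 is TLS passthrough with SNI routing for a backend that must see the client's TLS session itself. 'vip' and 'mybackip' are the poster's placeholders; the /login check path, the accr.cbar.az hostname and the backend names are assumptions for illustration.

```haproxy
# Added example, not the poster's configuration.
# Placeholders: vip, mybackip (from the thread); /login, accr.cbar.az (assumed).

# --- Option 1: keep the http-mode frontend and re-encrypt to the backend,
# with the backend certificate verified and its name pinned.
backend backend_accr
    mode http
    balance roundrobin
    cookie SERVERID insert indirect nocache
    # Layer-7 check carrying the Host header, so the vhost is really exercised
    option httpchk GET /login HTTP/1.1\r\nHost:\ accr.cbar.az
    http-check expect rstatus ^(2|3)[0-9][0-9]
    # 'check-ssl' is required because an explicit 'port' stops the check from
    # inheriting SSL. 'verify required' + 'ca-file' authenticates the chain;
    # 'verifyhost' additionally pins the expected certificate name.
    # HAProxy 1.5 has no 'sni' server keyword: if the backend needs SNI to
    # present the right certificate, use option 2 or upgrade to 1.6+ and add
    # 'sni str(accr.cbar.az)' to this server line.
    # 'cookie accr-act' gives the server a value so SERVERID is really inserted.
    server accr-act mybackip:443 cookie accr-act check check-ssl port 443 fall 3 rise 2 ssl verify required ca-file /etc/haproxy/ssl/cbar-ca.cer verifyhost accr.cbar.az

# --- Option 2: TLS passthrough. A tcp-mode frontend on 443 routes on the SNI
# of the ClientHello and hands the unmodified TLS session to a tcp-mode backend.
# This REPLACES 'bind vip:443 ssl ...' in 'frontend https' (two frontends cannot
# bind the same port). HAProxy no longer terminates TLS here, so it cannot set
# the X-SSL-* headers, insert the SERVERID cookie or apply http-request rules
# to this traffic; the backend must do its own client-certificate handling.
frontend https_passthrough
    mode tcp
    bind vip:443
    # wait up to 5s for the ClientHello; drop anything that is not a TLS
    # handshake so non-TLS clients never reach the backend
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    tcp-request content reject
    use_backend backend_accr_tcp if { req_ssl_sni -i accr.cbar.az }
    use_backend backend_accr_tcp if { req_ssl_sni -i www.accr.cbar.az }
    # no default_backend on purpose: connections with an unknown SNI are closed

backend backend_accr_tcp
    mode tcp
    balance roundrobin
    # no cookie can be inserted in passthrough; persistence is by source address
    stick-table type ip size 10k expire 30m
    stick on src
    option tcp-check
    # plain TCP connect check; the backend terminates TLS itself
    server accr-act mybackip:443 check fall 3 rise 2
```

Pick option 1 unless the backend genuinely needs the original client TLS session (for example, it authenticates client certificates itself); option 2 costs you every HTTP-layer control in the posted frontend. In either case, test the trust material before touching the config: from the HAProxy host, openssl s_client -connect mybackip:443 -servername accr.cbar.az -CAfile /etc/haproxy/ssl/cbar-ca.cer shows whether the chain verifies and whether the certificate changes when SNI is sent.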