L6RSP health-check error on the SSL-backend

Hello all.
I’m using HA-Proxy version 1.7.6 and trying to set up some sites with SSL on the IIS web server behind HAProxy. My config is below:

frontend https-frontend
  bind 192.168.30.133:443 ssl strict-sni crt /etc/haproxy/ssl/
  mode http
  ... (set/modify some headers in request and response)
  use_backend app1 if { hdr_end(host) -i app1.example.com }

backend app1
  mode http
  balance roundrobin

  option httpchk HEAD / HTTP/1.1\r\nHost:app1.example.com
  http-check expect rstatus (2|3)[0-9][0-9]
  default-server inter 5s fall 2 rise 2

  option httpclose
  http-reuse safe
  option forwardfor except 127.0.0.0/8
  http-request set-header X-Client-IP %[src]
  http-request set-header X-Forwarded-Port %[dst_port]
  http-request add-header X-Forwarded-Proto https if { ssl_fc }

  cookie SERVERID insert indirect nocache
  server srv1 1.2.3.4:443 ca-file /etc/haproxy/ssl/app1.example.com.issuer ssl verify required verifyhost app1.example.com check check-ssl

I’ve tried many combinations with the same result. With the health check enabled, clients get a 503 error (as expected, since the health check failed and no backend servers are available). But even if I remove the “ssl” and “httpchk” directives (then the health check seems to pass, “L4OK”), the backend still doesn’t work: the browser shows errors something like “Secure connection failed” or “Empty response”.
Direct connection from the client’s workstation to the backend-server is working normally.

I assume the certificate verification of your backend fails. Check the CA configuration (especially app1.example.com.issuer) and try with “verify none” to confirm that it is indeed the root cause.

Thank you! Already tried; same error. Also, this config works fine without SSL on the backend. Do you know any investigation methods for this case? Anything special I should watch for?

Likely there is a problem with the SSL handshake.

Maybe your backend server requires haproxy to send a SNI value?

Add “sni ssl_fc_sni” to your server line, or “sni str(app1.example.com)”.

Likely there is a problem with the SSL handshake.

Yes, the full string is “Layer6 invalid response: Connection error during SSL handshake (Connection reset by peer)”

Maybe your backend server requires haproxy to send a SNI value?

Sure. I wrote “…some sites on the one web-server…”. I’m sorry for my English if I’m not being clear.

With “sni str(…)” I got “SOCKERR - Socket error: Connection reset by peer”

Either you are still not sending SNI value that your backend requires, or there is some other SSL problem. Check your backend server log for details.

You may also capture the SSL handshake or run it through ssldump, to gain more information about it.

You are right about SNI. If we use NGINX instead of IIS or disable SNI on the IIS side, it fixes the L6 connection error.

Thank you so much!!

So, it seems haproxy doesn’t support SNI with backend connections? 0_o

This should work:

ssl verify required sni str(app1.example.com) verifyhost app1.example.com

Nope :slight_smile:
The only way is to disable SNI on the IIS side.

Hey Guys,

I encountered the same: the health check started to fail for an SSL-enabled IIS backend, with no changes made to the IIS config or HAProxy config recently. I tried disabling the health check and learned that it was only the health check failing; not even the basic TCP check would work. Probably an IIS quirk, as when I disable health checking, traffic is sent to the same backend without any problems. I will try to upgrade to the next HAProxy version and see if I get different behaviour. BTW, I do have SNI enabled on the backend and on IIS.

Version of HAProxy in use: 1.8.25 on pfSense 2.4.5

That’s impossible; you probably didn’t fully remove all of the relevant health check configuration.

What’s missing in this thread is the check-sni configuration, so that a static SNI value is used for health checks:

check-sni www1.example.org
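As an added example that is not part of the thread, here is the original poster’s backend rewritten with the SNI-related directives the replies converge on. The hostnames, IP address and CA-file path are the placeholders from the first post; the original server line is kept, commented out, for comparison. The directive names and their behaviour are HAProxy’s own; the assumption made here is that the IIS binding has “Require Server Name Indication” enabled, which is what the thread’s “Connection reset by peer” during the handshake is consistent with. Note that check-sni was added in HAProxy 1.8, so the original 1.7.6 setup had no way to send an SNI on health checks, which matches the observation that only disabling SNI on IIS helped there.

```haproxy
backend app1
  mode http
  balance roundrobin

  # Health check: HEAD / with a Host header matching the IIS site; any 2xx/3xx passes.
  option httpchk HEAD / HTTP/1.1\r\nHost:app1.example.com
  http-check expect rstatus (2|3)[0-9][0-9]
  default-server inter 5s fall 2 rise 2

  option httpclose
  http-reuse safe
  option forwardfor except 127.0.0.0/8
  http-request set-header X-Client-IP %[src]
  http-request set-header X-Forwarded-Port %[dst_port]
  http-request add-header X-Forwarded-Proto https if { ssl_fc }

  cookie SERVERID insert indirect nocache

  # Original server line from the post, for comparison: "ssl" is set, but no SNI is
  # configured, so neither proxied connections nor health checks present a server
  # name. A binding that requires SNI resets such handshakes, which surfaces as
  # "Layer6 invalid response ... Connection reset by peer" (L6RSP) on the check and
  # as "Secure connection failed" / empty responses for real clients.
  #server srv1 1.2.3.4:443 ca-file /etc/haproxy/ssl/app1.example.com.issuer ssl verify required verifyhost app1.example.com check check-ssl

  # Corrected server line:
  #   sni str(app1.example.com)   SNI on proxied connections. A fixed name is used
  #                               here; "sni ssl_fc_sni" would forward whatever name
  #                               the client sent to the frontend instead.
  #   check-sni app1.example.com  SNI on health checks (HAProxy 1.8 and later). The
  #                               "sni" expression above is not applied to checks,
  #                               which is why "sni str(...)" alone still failed.
  #   verifyhost                  name matched against the backend certificate when
  #                               "verify required" is in effect.
  #   ca-file                     issuer chain used for that verification.
  server srv1 1.2.3.4:443 ssl verify required ca-file /etc/haproxy/ssl/app1.example.com.issuer verifyhost app1.example.com sni str(app1.example.com) check check-ssl check-sni app1.example.com
```

To confirm that the backend is the side rejecting handshakes without a server name before touching the HAProxy config, compare `openssl s_client -connect 1.2.3.4:443 -servername app1.example.com </dev/null` with the same command without a server name (`-noservername` on OpenSSL 1.1.1 and later, which otherwise sets SNI by default); a reset on the second attempt but a completed handshake on the first is the “Require SNI” behaviour. Adding `-CAfile /etc/haproxy/ssl/app1.example.com.issuer` to the first command and looking for `Verify return code: 0 (ok)` checks the CA file with the same trust material HAProxy will use, which separates the certificate-verification hypothesis from the SNI one.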