Log-forward SSL termination error

Hi Everyone,

I’d like to set up SSL termination for a log-forwarder but I’m having trouble getting it to work. According to the HAProxy 2.4 documentation, the ssl bind parameter should work in a log-forward section, but when I connect to it using an SSL client, it just hangs. As a workaround I set up a separate listener to do SSL termination, and that works, but I’d rather avoid the secondary hop. Here’s my config:

  maxconn 1000

  timeout client 30s

log-forward my-forwarder
  bind *:3514
  bind *:36514 ssl crt /path/to/cert
  log  stdout format rfc5424 local0

listen tls-terminator
  bind            *:9999 ssl crt /path/to/cert
  timeout connect 10s
  timeout server  30s
  server          s1

I can connect to port 9999 using SSL but connections to port 36514 hang. Do you have any idea what the problem might be?


Are you sure port 36514 is open?

Yes, the port is open (actually I’m using port 36514 to avoid using a privileged port - updated config in original post to reflect this).

Here’s the result of using openssl s_client to connect to port 36514:

$ openssl s_client -connect <server-ip-address>:36514

And here’s the result of connecting to an unopened port for comparison:

$ openssl s_client -connect <server-ip-address>:36515
139761646713672:error:0200206F:system library:connect:Connection refused:crypto/bio/b_sock2.c:110:
139761646713672:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111:
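To tell the two outcomes above apart without eyeballing openssl s_client, here is a small added probe (not from the original post) that connects, attempts a TLS handshake with a deadline, and classifies the result as refused, TCP timeout, handshake timeout (the log-forward symptom) or success. The silent listener is a constructed stand-in for the hanging port so the probe can be exercised locally.

```python
import socket
import ssl
import threading

_held = []  # keep accepted sockets alive so the peer never sees a close/reset


def probe_tls(host: str, port: int, timeout: float = 3.0) -> str:
    """Classify what a TLS client sees at host:port.

    "refused"           nothing is listening on the port
    "tcp_timeout"       TCP connect itself timed out (filtered/firewalled)
    "handshake_timeout" TCP accepted, but no ServerHello within `timeout`
    "handshake_error"   peer answered with something that is not TLS
    "ok:<version>"      TLS handshake completed
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # diagnostic only: no application data is sent
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "tcp_timeout"
    try:
        # wrap_socket performs the handshake immediately, honouring the timeout
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return f"ok:{tls.version()}"
    except socket.timeout:
        return "handshake_timeout"
    except (ssl.SSLError, ConnectionResetError, OSError):
        return "handshake_error"
    finally:
        raw.close()


def start_silent_listener() -> int:
    """Constructed stand-in for the hanging bind: accepts TCP, never replies."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            _held.append(conn)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def reserve_closed_port() -> int:
    """Pick a loopback port that is currently not listening (for the refused case)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port
```

Run probe_tls("<server-ip-address>", 36514) against the real forwarder; "handshake_timeout" confirms the listener accepts TCP but never starts TLS, which is exactly what the empty s_client output above indicates.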

Hello @amorey

I was able to reproduce this behavior and can’t make it work either.

I tried with a newer version but got the same result.

@rhada Great, thanks for trying! I’ll wait a bit to see if anyone else here has any suggestions on how to fix the problem. Otherwise I’ll file a bug report.

Hello all, I have the same situation: syslog TLS is not working. The port is open but the connection times out. I have also tried with a separate listener (see amorey’s post) but I only get a bad request.

Has anybody solved the problem in any way?