Log-forward ssl termination error

Hi Everyone,

I’d like to set up SSL termination for a log-forwarder but I’m having trouble getting it to work. According to the HAProxy 2.4 documentation, the ssl bind parameter should work in a log-forward section, but when I connect to it using an SSL client, it just hangs. As a workaround I set up a separate listener to do SSL termination and that works, but I’d rather avoid the secondary hop. Here’s my config:

global
  maxconn 1000

defaults
  timeout client 30s

log-forward my-forwarder
  bind *:3514
  bind *:36514 ssl crt /path/to/cert
  log  stdout format rfc5424 local0

listen tls-terminator
  bind            *:9999 ssl crt /path/to/cert
  timeout connect 10s
  timeout server  30s
  server          s1 127.0.0.1:3514

I can connect to port 9999 using SSL but connections to port 36514 hang. Do you have any idea what the problem might be?

Hello,

Are you sure the port 36514 is open?

Yes, the port is open (actually I’m using port 36514 to avoid using a privileged port - updated config in original post to reflect this).

Here’s the result of using openssl s_client to connect to port 36514:

$ openssl s_client -connect <server-ip-address>:36514
CONNECTED(00000003)

And here’s the result of connecting to an unopened port for comparison:

$ openssl s_client -connect <server-ip-address>:36515
139761646713672:error:0200206F:system library:connect:Connection refused:crypto/bio/b_sock2.c:110:
139761646713672:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111:
connect:errno=111
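
The comparison in the post above (a port that accepts TCP but never completes the TLS handshake versus a port that refuses the connection) can be scripted so the two cases are told apart without waiting on a hung client. This is an added example, not part of the original posts; `probe_tls` and `demo` are hypothetical names, and the two local listeners are constructed stand-ins, not HAProxy.

```python
import socket
import ssl


def probe_tls(host, port, timeout=3.0):
    """Return 'refused', 'unreachable', 'tls-hang', 'tls-error' or 'tls-ok'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"        # nothing bound: the port 36515 case above
    except OSError:
        return "unreachable"    # filtered, no route, or connect timed out

    # Diagnostic probe only: certificate validation is switched off because
    # the question is whether a handshake completes, not whether to trust it.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "tls-ok"     # handshake finished
    except socket.timeout:
        return "tls-hang"       # TCP accepted, no ServerHello: port 36514 case
    except OSError:             # includes ssl.SSLError (peer is not speaking TLS)
        return "tls-error"
    finally:
        sock.close()


def demo(timeout=1.0):
    """Run the probe against two constructed local listeners."""
    # Constructed stand-in for the symptom: a socket that completes the TCP
    # handshake (listen backlog) but never answers the ClientHello.
    silent = socket.socket()
    silent.bind(("127.0.0.1", 0))
    silent.listen(1)
    # Constructed closed port: bind to get a free port number, then release it.
    closed = socket.socket()
    closed.bind(("127.0.0.1", 0))
    closed_port = closed.getsockname()[1]
    closed.close()
    try:
        return {
            "silent": probe_tls("127.0.0.1", silent.getsockname()[1], timeout),
            "closed": probe_tls("127.0.0.1", closed_port, timeout),
        }
    finally:
        silent.close()
```

A `tls-hang` result on the `ssl` bind together with `tls-ok` on the separate `listen` section gives a compact reproduction to attach to a bug report.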

Hello @amorey

I was able to reproduce this behavior and can’t make it work either.

I tried with a newer version but got the same result.

@rhada Great, thanks for trying! I’ll wait a bit to see if anyone else here has any suggestions on how to fix the problem. Otherwise I’ll file a bug report.