@lukastribus Yep. True. HAProxy now sees the backend. Very silly of me.
Now I can see requests coming in from HAProxy via nginx access logs, however; everything coming from HAProxy just shows a bunch of hex values in the nginx access log…
10.1.51.30 - - [11/Jul/2018:14:43:18 -0400] "\x16\x03\x01\x00\xC0\x01\x00\x00\xBC\x03\x03\xA0P\xD8f\x97\xDF\xF0\xE04\xF6\xEB\xE1\xA1,\xB1w\xFC;\x0C\...truncated...\xCC\xA8\xC0\x13\xC0\x14\x00\x9C\x00\x9D\x00/\x005\x00" 400 166 "-" "-"
I’ve googled around trying to figure out what this means but… No luck.
Running an ssllabs test against any of my domains shows that no security protocols are enabled. I only have TLS 1.2 enabled (following Mozilla’s Server Side TLS guide for Modern browser compatibility: https://wiki.mozilla.org/Security/Server_Side_TLS) - something funky is going on. Browsers either get a closed connection or a SSL_ERROR_RX_RECORD_TOO_LONG error. I know the .pem files I’m using are good. They are the same ones I was using for the few servers I had set up previously using https and ssl truncation at HAProxy. The certs are valid. I’ve tried from multiple devices and browsers and see the same results.
I’ve modified the nginx configuration slightly a few times regarding the SSL commands. Removing all of the ssl configuration lines (and just allowing nginx to handle SSL in its default way) still yields the same results.
If I cut HAProxy out of my stack and access the webserver directly (host file points the domain name to a specific internal IP) I am able to access my domains.
nginx config has ssl lines for the blechinger.io site commented out just for testing… Didn’t make any difference as stated above.
Is the HAProxy config not allowing HTTPS to reach the server? I had thought that:
| Browser request for x
| Firewall--> HAProxy
| | +---------------------------+
| +-> SNI Rules | |
| | V |
| +-> Proxy to x over port 80 --> nginx 301 return to port 443 -+
| +-> Proxy to y over port 80 |
| +-> Proxy to z over port 80 +--> nginx ssl over port 443 --> serve up x for browser
BUT it seems like I’m getting encrypted requests over port 80… Any idea what’s going on?
Changing some of the SSL only backends from port 80 to port 443 saw a slight improvement. I can now hit some domains some of the time. It seems that sometimes the wrong certificate is being used. Also: pterodactyl.blechinger.io is a completely different webserver from blechinger.io, however; it seems HAProxy is directing pterodactyl.blechinger.io to the blechinger.io webserver.