Need help to route https traffic on custom ports

Hi Team,

We would like to use HAProxy Ingress 1.7 on Kubernetes to listen on port 55560 for HTTPS connections.

Could you please assist in this regard?

Here is my haproxy.cfg file. When trying to access the service, I get the error `curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection ...`.

HTTPS on port 443 works fine.

# _version=5

# HAProxy Technologies

# https://www.haproxy.com/

# this file is not meant to be changed directly

# it is under haproxy ingress controller management

# Process-wide settings. Note: no "bind" line in this file carries the "ssl"
# keyword, so the TLS defaults below are not exercised by this instance; TLS
# is passed through to the backends rather than terminated here.
global

  # Name this process uses as a member of the "peers localinstance" section.
  localpeer local

  # Master/worker process model.
  master-worker

  pidfile /var/run/haproxy.pid

  # Runtime API on a Unix socket at admin level; "expose-fd listeners" lets a
  # reloaded process inherit the listening sockets. Access is governed only by
  # filesystem permissions on the socket, so it must not be reachable by
  # anything that should not administer the proxy.
  stats socket /var/run/haproxy-runtime-api.sock expose-fd listeners level admin

  # Idle timeout for Runtime API sessions.
  stats timeout 1m

  # TLS defaults (only applied to binds using "ssl"; none in this file).
  # SSLv3 and TLSv1.0 are disabled, TLSv1.1 is not; session tickets are off.
  tune.ssl.default-dh-param 2048

  ssl-default-bind-options no-sslv3 no-tls-tickets no-tlsv10

  # Cipher preference list; it still contains CBC/SHA-1 suites such as
  # ECDHE-RSA-AES128-SHA, which only matters if TLS termination is enabled.
  ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

  # Logs go to stdout in raw format.
  log stdout format raw daemon

  # Persist server state across reloads; "load-server-state-from-file" in the
  # defaults section reads it back from this base directory.
  server-state-file global

  server-state-base /var/state/haproxy/

# Settings inherited by every frontend and backend below unless overridden.
defaults

  log global

  # HTTP log line: client ip:port, timers, frontend/backend/server, status,
  # byte counts, termination state, queue counters and the request line built
  # from txn.base (set by the http/https/stats frontends).
  log-format '%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs "%HM %[var(txn.base)] %HV"'

  # Retry on another server if the chosen one cannot be reached.
  option redispatch

  # Do not log connections that exchanged no data.
  option dontlognull

  option http-keep-alive

  # A complete request must arrive within 5s; bounds slow request dribbling.
  timeout http-request 5s

  timeout connect 5s

  timeout client 50s

  timeout queue 5s

  timeout server 50s

  # Tunnelled connections (e.g. after an upgrade) may stay idle for 1h.
  timeout tunnel 1h

  timeout http-keep-alive 1m

  # Restore the state saved via "server-state-file global" in the global section.
  load-server-state-from-file global

# Peer group with a single local member. Bound to loopback only, so it is not
# reachable from outside this network namespace.
peers localinstance

  peer local 127.0.0.1:10000

# Liveness endpoint on port 1042: "monitor-uri" answers /healthz directly
# without involving a backend. Unauthenticated, but it only exposes an
# up/down answer.
frontend healthz

  mode http

  bind 0.0.0.0:1042 name v4

  # v4v6: the IPv6 socket also accepts IPv4-mapped addresses.
  bind :::1042 name v6 v4v6

  monitor-uri /healthz

  # Successful probe responses are not logged.
  option dontlog-normal

# Plain-HTTP entry point (port 80). Routing: Host header -> host.map (with a
# wildcard fallback), then path maps -> backend. No redirect to HTTPS is
# configured in this frontend.
frontend http

  mode http

  bind 0.0.0.0:80 name v4

  bind :::80 name v6

  # The PROXY protocol header is expected (and trusted) only from sources
  # listed in the map; other clients are handled as direct connections.
  tcp-request connection expect-proxy layer4 if { src -f /etc/haproxy/maps/proxy-protocol-827c05ecc804eacf23a63899ca0ffcf6.map }

  # Captured for the log line (see log-format in defaults).
  http-request set-var(txn.base) base

  http-request set-var(txn.path) path

  # Host header with any ":port" stripped and lower-cased. The value is
  # client-controlled and is only ever used as a map key.
  http-request set-var(txn.host) req.hdr(Host),field(1,:),lower

  # Exact host lookup first; the wildcard lookup (first label removed) runs
  # only when the exact lookup found nothing.
  http-request set-var(txn.host_match) var(txn.host),map(/etc/haproxy/maps/host.map)

  http-request set-var(txn.host_match) var(txn.host),regsub(^[^.]*,,),map(/etc/haproxy/maps/host.map,'') if !{ var(txn.host_match) -m found }

  # host match + path: exact path lookup first, then prefix lookup.
  http-request set-var(txn.path_match) var(txn.host_match),concat(,txn.path,),map(/etc/haproxy/maps/path-exact.map)

  http-request set-var(txn.path_match) var(txn.host_match),concat(,txn.path,),map_beg(/etc/haproxy/maps/path-prefix.map) if !{ var(txn.path_match) -m found }

  # Backend name is the first dot-separated field of the path match.
  use_backend %[var(txn.path_match),field(1,.)]

  # Requests that matched no map entry end up here.
  default_backend default-default-ingress-default-backend-port-1

# Loopback-only HTTP frontend fed by "backend ssl" (PROXY v2 carries the
# original client address). NOTE(review): these binds carry no "ssl crt ...",
# so this frontend expects plaintext HTTP, yet "backend ssl" hands it the raw
# stream of connections whose SNI missed sni.map — presumably no TLS secret
# is configured for the controller; confirm that this is intended.
frontend https

  mode http

  # accept-proxy: a PROXY protocol header is mandatory on these binds.
  bind 127.0.0.1:443 name v4 accept-proxy

  bind ::1:443 name v6 v4v6 accept-proxy

  # Captured for the log line (see log-format in defaults).
  http-request set-var(txn.base) base

  http-request set-var(txn.path) path

  # Host header with any ":port" stripped and lower-cased; client-controlled,
  # used only as a map key.
  http-request set-var(txn.host) req.hdr(Host),field(1,:),lower

  # Exact host lookup first; wildcard lookup only if nothing was found.
  http-request set-var(txn.host_match) var(txn.host),map(/etc/haproxy/maps/host.map)

  http-request set-var(txn.host_match) var(txn.host),regsub(^[^.]*,,),map(/etc/haproxy/maps/host.map,'') if !{ var(txn.host_match) -m found }

  # host match + path: exact path lookup first, then prefix lookup.
  http-request set-var(txn.path_match) var(txn.host_match),concat(,txn.path,),map(/etc/haproxy/maps/path-exact.map)

  http-request set-var(txn.path_match) var(txn.host_match),concat(,txn.path,),map_beg(/etc/haproxy/maps/path-prefix.map) if !{ var(txn.path_match) -m found }

  # Marks the request as having arrived over HTTPS; set-header replaces any
  # client-supplied value rather than appending to it.
  http-request set-header X-Forwarded-Proto https

  # Backend name is the first dot-separated field of the path match.
  use_backend %[var(txn.path_match),field(1,.)]

  default_backend default-default-ingress-default-backend-port-1

# Public port 443: TCP-mode TLS passthrough routed by SNI. TLS is not
# terminated here (no "ssl" on the binds), so client certificates, ciphers
# and protocol versions are decided by the backend that receives the stream.
frontend ssl

  mode tcp

  bind 0.0.0.0:443 name v4

  bind :::443 name v6 v4v6

  # TCP log line including the SNI captured below.
  log-format '%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs haproxy.MAP_SNI: %[var(sess.sni)]'

  # Reject anything that is not a TLS ClientHello (hello type 1); non-TLS
  # clients on 443 are dropped rather than forwarded.
  tcp-request content reject if !{ req_ssl_hello_type 1 }

  # Wait up to 50 s (value is in ms) for the ClientHello before the content
  # rules above/below are decided.
  tcp-request inspect-delay 50000

  # The PROXY protocol header is trusted only from sources listed in the map.
  tcp-request connection expect-proxy layer4 if { src -f /etc/haproxy/maps/proxy-protocol-827c05ecc804eacf23a63899ca0ffcf6.map }

  # SNI kept at session scope for the log line.
  tcp-request content set-var(sess.sni) req_ssl_sni

  # Exact SNI lookup, then wildcard lookup with the first label stripped.
  # NOTE(review): unlike the host.map lookups in the http/https frontends,
  # the second lookup is not guarded by "if !{ var(txn.sni_match) -m found }";
  # when both an exact and a wildcard entry exist, the wildcard result appears
  # to take precedence — confirm that this ordering is intended.
  tcp-request content set-var(txn.sni_match) req_ssl_sni,map(/etc/haproxy/maps/sni.map)

  tcp-request content set-var(txn.sni_match) req_ssl_sni,regsub(^[^.]*,,),map(/etc/haproxy/maps/sni.map)

  # Backend name is the first dot-separated field of the SNI match. The SNI
  # is client-controlled and is used only as a map key.
  use_backend %[var(txn.sni_match),field(1,.)]

  # No SNI match: hand the raw stream to the loopback "https" frontend.
  default_backend ssl

# Stats and metrics listener on port 1024. This section has no "stats auth"
# and no source ACL, so the stats page and /metrics are readable by anyone
# who can reach the port; keep it off any externally exposed Service and
# limit reachability with network policy if the pod network is shared.
frontend stats

  mode http

  bind *:1024

  bind :::1024 name v6

  stats enable

  # Stats page served at "/", auto-refreshing every 10 s.
  stats uri /

  stats refresh 10s

  # Captured for the log line (see log-format in defaults).
  http-request set-var(txn.base) base

  # Prometheus scrape endpoint.
  http-request use-service prometheus-exporter if { path /metrics }

# Custom port 55560: plain TCP passthrough. There is no "ssl" on these binds,
# so HAProxy neither terminates nor inspects TLS here — the backend server on
# 55560 must speak TLS itself. NOTE(review): the SSL_ERROR_SYSCALL reported in
# the post is consistent with the backend closing the connection early (e.g.
# not speaking TLS on that port, or the server having no usable address after
# "init-addr last,libc,none"); check the backend's health on the stats page
# before changing this frontend.
frontend tcp-55560

  mode tcp

  bind 0.0.0.0:55560 name v4

  bind :::55560 name v6 v4v6

  # TCP log format; no HTTP fields are available in tcp mode.
  option tcplog

  # Every connection goes to this backend; no SNI or content inspection here.
  default_backend default-rapid-po-service-55560

# HTTP backend (server hostname masked in the post).
backend default-ic-http-service-80

  mode http

  balance roundrobin

  # Appends the client address to X-Forwarded-For; it does not strip a
  # client-supplied value, so the backend must treat that header with care.
  option forwardfor

  # Startup address resolution: last saved state, then libc DNS, then start
  # with no address at all (such a server cannot be reached until one is set).
  default-server init-addr last,libc,none

  server SRV_1 xxxxxxxxxxx.com:80 check weight 128

# Default backend for the http/https frontends (address of SRV_1 masked in
# the post). SRV_2..SRV_42 are disabled 127.0.0.1:8080 entries — presumably
# spare slots the controller fills at runtime; they receive no traffic while
# disabled.
backend default-default-ingress-default-backend-port-1

  mode http

  balance roundrobin

  # Appends the client address to X-Forwarded-For without stripping a
  # client-supplied value.
  option forwardfor

  server SRV_1 xx.xxx.xx.xx:8080 check weight 128

  server SRV_2 127.0.0.1:8080 disabled check weight 128

  server SRV_3 127.0.0.1:8080 disabled check weight 128

  server SRV_4 127.0.0.1:8080 disabled check weight 128

  server SRV_5 127.0.0.1:8080 disabled check weight 128

  server SRV_6 127.0.0.1:8080 disabled check weight 128

  server SRV_7 127.0.0.1:8080 disabled check weight 128

  server SRV_8 127.0.0.1:8080 disabled check weight 128

  server SRV_9 127.0.0.1:8080 disabled check weight 128

  server SRV_10 127.0.0.1:8080 disabled check weight 128

  server SRV_11 127.0.0.1:8080 disabled check weight 128

  server SRV_12 127.0.0.1:8080 disabled check weight 128

  server SRV_13 127.0.0.1:8080 disabled check weight 128

  server SRV_14 127.0.0.1:8080 disabled check weight 128

  server SRV_15 127.0.0.1:8080 disabled check weight 128

  server SRV_16 127.0.0.1:8080 disabled check weight 128

  server SRV_17 127.0.0.1:8080 disabled check weight 128

  server SRV_18 127.0.0.1:8080 disabled check weight 128

  server SRV_19 127.0.0.1:8080 disabled check weight 128

  server SRV_20 127.0.0.1:8080 disabled check weight 128

  server SRV_21 127.0.0.1:8080 disabled check weight 128

  server SRV_22 127.0.0.1:8080 disabled check weight 128

  server SRV_23 127.0.0.1:8080 disabled check weight 128

  server SRV_24 127.0.0.1:8080 disabled check weight 128

  server SRV_25 127.0.0.1:8080 disabled check weight 128

  server SRV_26 127.0.0.1:8080 disabled check weight 128

  server SRV_27 127.0.0.1:8080 disabled check weight 128

  server SRV_28 127.0.0.1:8080 disabled check weight 128

  server SRV_29 127.0.0.1:8080 disabled check weight 128

  server SRV_30 127.0.0.1:8080 disabled check weight 128

  server SRV_31 127.0.0.1:8080 disabled check weight 128

  server SRV_32 127.0.0.1:8080 disabled check weight 128

  server SRV_33 127.0.0.1:8080 disabled check weight 128

  server SRV_34 127.0.0.1:8080 disabled check weight 128

  server SRV_35 127.0.0.1:8080 disabled check weight 128

  server SRV_36 127.0.0.1:8080 disabled check weight 128

  server SRV_37 127.0.0.1:8080 disabled check weight 128

  server SRV_38 127.0.0.1:8080 disabled check weight 128

  server SRV_39 127.0.0.1:8080 disabled check weight 128

  server SRV_40 127.0.0.1:8080 disabled check weight 128

  server SRV_41 127.0.0.1:8080 disabled check weight 128

  server SRV_42 127.0.0.1:8080 disabled check weight 128

# Target of "frontend tcp-55560": raw TCP to the (masked) server on 55560.
# TLS, if any, is negotiated between the client and this server — HAProxy
# only relays bytes.
backend default-rapid-po-service-55560

  mode tcp

  balance roundrobin

  # Startup address resolution: last saved state, then libc DNS, then no
  # address (a server left without one stays unreachable until it is set).
  default-server init-addr last,libc,none

  server SRV_1 xxxxxxx:55560 check weight 128

# TCP backend on 44448. No frontend in this file binds 44448 or names this
# backend statically; it could still be selected through a map-driven
# use_backend, but as posted nothing obviously routes to it.
backend default-rapid-service-44448

  mode tcp

  balance roundrobin

  # Startup address resolution: last saved state, then libc DNS, then no address.
  default-server init-addr last,libc,none

  server SRV_1 xxxxxxxxxx:44448 check weight 128

# HTTP backend (server hostname masked in the post).
backend default-sample-http-service-80

  mode http

  balance roundrobin

  # Appends the client address to X-Forwarded-For without stripping a
  # client-supplied value.
  option forwardfor

  # Startup address resolution: last saved state, then libc DNS, then no address.
  default-server init-addr last,libc,none

  server SRV_1 xxxxxxxxxxxx:80 check weight 128

# TLS passthrough backend: tcp mode, so the TLS session terminates at the
# (masked) server on 443, not on HAProxy. Presumably reached from
# "frontend ssl" via an sni.map entry.
backend default-sample-https-service-443

  mode tcp

  balance roundrobin

  # Startup address resolution: last saved state, then libc DNS, then no address.
  default-server init-addr last,libc,none

  server SRV_1 xxxxxxxxxxxx:443 check weight 128

# Loopback hand-off used as the default of "frontend ssl": the raw stream is
# sent to "frontend https" (127.0.0.1:443) with a PROXY v2 header so that the
# original client address survives the hop; that frontend's binds use
# accept-proxy to match.
backend ssl

  mode tcp

  server https 127.0.0.1:443 send-proxy-v2


Regards,
Kalyan

Hey,

You state that you want HAProxy to listen on port 44444, but I cannot find that port anywhere in the config you posted.

I guess you either forgot to include that bit of configuration in your post, or — since something does seem to respond on port 44444 — another process may be listening on that port.

I have updated the port; could you please advise?

Hmm, okay.

As far as I can see in your config, you are using TCP mode to simply forward the raw connection: you don't actually terminate SSL on HAProxy but pipe it through to Kubernetes and terminate it there.

Is your SRV_1 backend server expecting HTTPS traffic on port 55560?

From what I have seen on Google, this error can indicate that you are speaking HTTPS to an endpoint that only speaks plain HTTP.
Could that be the case here too?

Thanks for the reply.

I am expecting HTTPS traffic on port 55560. Could you please suggest how to use a custom port for HTTPS traffic on haproxy-ingress?

Regards,
Kalyan