Hi Team,
We would like to use HAProxy Ingress 1.7 on Kubernetes to listen on port 55560 for HTTPS connections.
Could you please assist in this regard?
Here is my haproxy.cfg file. When I try to access the service on that port, curl fails with the error "curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection".
HTTPS on 443 works fine.
# _version=5
# HAProxy Technologies
# https://www.haproxy.com/
# this file is not meant to be changed directly
# it is under haproxy ingress controller management
# Process-wide settings: master-worker mode, the runtime API socket, TLS
# defaults for ssl-enabled bind lines, logging to stdout and the server-state
# file location.
global
localpeer local
master-worker
pidfile /var/run/haproxy.pid
# Runtime API on a unix socket at admin level. Anything that can open this
# socket can enable, disable or re-address servers, so its protection is the
# filesystem permissions on the path (no mode/user/group is set on this line).
stats socket /var/run/haproxy-runtime-api.sock expose-fd listeners level admin
stats timeout 1m
tune.ssl.default-dh-param 2048
# Defaults for binds that use the ssl keyword: SSLv3 and TLS 1.0 are refused
# and session tickets are off; TLS 1.1 is not excluded. No bind line in this
# listing carries ssl, so as shown HAProxy terminates no TLS itself.
ssl-default-bind-options no-sslv3 no-tls-tickets no-tlsv10
# The list still contains DHE-DSS and CBC-mode SHA-1 suites next to the
# AES-GCM ones. NOTE(review): worth trimming if TLS is ever terminated here.
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
log stdout format raw daemon
server-state-file global
server-state-base /var/state/haproxy/
# Settings inherited by every frontend and backend below unless overridden:
# log format, retry behaviour and timeouts.
defaults
log global
log-format '%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs "%HM %[var(txn.base)] %HV"'
option redispatch
# Connections that send no data are not logged, so bare connect-and-close
# probes against the listeners leave no log line.
option dontlognull
option http-keep-alive
# Caps how long a client may take to send a complete HTTP request, which
# bounds slow-request connection holding on the http-mode frontends.
timeout http-request 5s
timeout connect 5s
timeout client 50s
timeout queue 5s
timeout server 50s
# Applies to established tunnels; NOTE(review): presumably this is what governs
# long-lived TCP pass-through sessions such as port 55560 - confirm.
timeout tunnel 1h
timeout http-keep-alive 1m
load-server-state-from-file global
# Peers section with a single local peer. The address is loopback, so the peer
# listener on port 10000 is not reachable from outside the pod.
peers localinstance
peer local 127.0.0.1:10000
# Health endpoint: answers /healthz on port 1042 (IPv4 and IPv6) directly from
# HAProxy via monitor-uri; no backend is involved.
frontend healthz
mode http
bind 0.0.0.0:1042 name v4
bind :::1042 name v6 v4v6
monitor-uri /healthz
# Successful requests here are not logged, which keeps probe traffic out of
# the log stream.
option dontlog-normal
# Plain-HTTP entry point on port 80. Routes by Host header and path using the
# controller-generated map files, falling back to the default backend.
frontend http
mode http
bind 0.0.0.0:80 name v4
bind :::80 name v6
# A PROXY protocol header is expected only from source addresses listed in
# this map. The map is therefore the trust boundary for client-address
# information: any source in it can state an arbitrary client IP.
tcp-request connection expect-proxy layer4 if { src -f /etc/haproxy/maps/proxy-protocol-827c05ecc804eacf23a63899ca0ffcf6.map }
http-request set-var(txn.base) base
http-request set-var(txn.path) path
# Host header with any :port suffix removed, lower-cased before lookup.
http-request set-var(txn.host) req.hdr(Host),field(1,:),lower
# Exact host lookup first; if nothing matched, retry with the first label
# stripped (the regsub removes everything before the first dot).
http-request set-var(txn.host_match) var(txn.host),map(/etc/haproxy/maps/host.map)
http-request set-var(txn.host_match) var(txn.host),regsub(^[^.]*,,),map(/etc/haproxy/maps/host.map,'') if !{ var(txn.host_match) -m found }
# Path lookup on host_match + path: exact map first, then prefix map.
http-request set-var(txn.path_match) var(txn.host_match),concat(,txn.path,),map(/etc/haproxy/maps/path-exact.map)
http-request set-var(txn.path_match) var(txn.host_match),concat(,txn.path,),map_beg(/etc/haproxy/maps/path-prefix.map) if !{ var(txn.path_match) -m found }
# The backend name comes from the map value (text before the first dot), not
# directly from request data.
use_backend %[var(txn.path_match),field(1,.)]
default_backend default-default-ingress-default-backend-port-1
# Internal HTTP-mode frontend on loopback port 443. It is not reachable from
# outside the pod; the only sender visible in this listing is "backend ssl",
# which forwards to 127.0.0.1:443 with a PROXY v2 header.
frontend https
mode http
# accept-proxy makes a PROXY header mandatory on every connection. Neither
# bind carries "ssl crt", so as shown no certificate is loaded and this
# frontend does not terminate TLS.
bind 127.0.0.1:443 name v4 accept-proxy
bind ::1:443 name v6 v4v6 accept-proxy
http-request set-var(txn.base) base
http-request set-var(txn.path) path
# Same host/path map routing as the port-80 frontend.
http-request set-var(txn.host) req.hdr(Host),field(1,:),lower
http-request set-var(txn.host_match) var(txn.host),map(/etc/haproxy/maps/host.map)
http-request set-var(txn.host_match) var(txn.host),regsub(^[^.]*,,),map(/etc/haproxy/maps/host.map,'') if !{ var(txn.host_match) -m found }
http-request set-var(txn.path_match) var(txn.host_match),concat(,txn.path,),map(/etc/haproxy/maps/path-exact.map)
http-request set-var(txn.path_match) var(txn.host_match),concat(,txn.path,),map_beg(/etc/haproxy/maps/path-prefix.map) if !{ var(txn.path_match) -m found }
# Overwrites any client-supplied X-Forwarded-Proto, so backends can rely on it.
http-request set-header X-Forwarded-Proto https
use_backend %[var(txn.path_match),field(1,.)]
default_backend default-default-ingress-default-backend-port-1
# Public port 443 in TCP mode: reads the TLS ClientHello without decrypting
# it and routes on the SNI name (TLS pass-through). Connections with no SNI
# match go to "backend ssl", i.e. the loopback https frontend.
frontend ssl
mode tcp
bind 0.0.0.0:443 name v4
bind :::443 name v6 v4v6
log-format '%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs haproxy.MAP_SNI: %[var(sess.sni)]'
# Anything whose first record is not a TLS ClientHello is rejected.
tcp-request content reject if !{ req_ssl_hello_type 1 }
# No unit given; HAProxy reads bare time values as milliseconds, so a client
# may take up to 50 s to deliver its ClientHello while holding the connection.
tcp-request inspect-delay 50000
# PROXY header expected only from sources in this map (same map as port 80).
tcp-request connection expect-proxy layer4 if { src -f /etc/haproxy/maps/proxy-protocol-827c05ecc804eacf23a63899ca0ffcf6.map }
# The SNI value is client-controlled and unauthenticated at this point; it is
# used only as a map key and written to the log line above.
tcp-request content set-var(sess.sni) req_ssl_sni
tcp-request content set-var(txn.sni_match) req_ssl_sni,map(/etc/haproxy/maps/sni.map)
# NOTE(review): unlike the host_match fallback in the http frontends, this
# second lookup has no "if !{ ... -m found }" guard - confirm it cannot
# replace an exact SNI match from the line above.
tcp-request content set-var(txn.sni_match) req_ssl_sni,regsub(^[^.]*,,),map(/etc/haproxy/maps/sni.map)
use_backend %[var(txn.sni_match),field(1,.)]
default_backend ssl
# Statistics page and Prometheus metrics on port 1024, bound on all
# interfaces. This section contains no "stats auth" line and no ACL, so
# whoever can reach the port can read backend names, server addresses and
# traffic counters. Keep the port off any externally exposed Service, or
# restrict it with a NetworkPolicy.
frontend stats
mode http
bind *:1024
bind :::1024 name v6
stats enable
stats uri /
stats refresh 10s
http-request set-var(txn.base) base
http-request use-service prometheus-exporter if { path /metrics }
# Raw TCP listener for port 55560. The bind lines have no "ssl crt", so
# HAProxy does not terminate TLS here: bytes are relayed unchanged, and the
# TLS handshake a client starts must be answered by the backend server.
# Unlike "frontend ssl" there is no ClientHello check, SNI routing or
# expect-proxy rule on this port.
# NOTE(review): SSL_ERROR_SYSCALL from curl generally means the connection
# ended during the handshake. Presumably either port 55560 is not exposed on
# the controller's Service/pod, or the server behind
# default-rapid-po-service-55560 does not speak TLS on that port - confirm.
frontend tcp-55560
mode tcp
bind 0.0.0.0:55560 name v4
bind :::55560 name v6 v4v6
option tcplog
default_backend default-rapid-po-service-55560
# HTTP backend with a single server reached over plain HTTP on port 80.
backend default-ic-http-service-80
mode http
balance roundrobin
# Appends the client address in X-Forwarded-For. An X-Forwarded-For sent by
# the client is not removed, so the application should trust only the last
# entry.
option forwardfor
# Address resolution at startup: last known address from the state file, then
# libc resolution, otherwise start with no address instead of failing.
default-server init-addr last,libc,none
server SRV_1 xxxxxxxxxxx.com:80 check weight 128
# Default backend used when no host/path map entry matches. Only SRV_1 is
# active; SRV_2 to SRV_42 are disabled entries pointing at 127.0.0.1:8080.
# NOTE(review): presumably pre-allocated slots that the ingress controller
# fills through the runtime API when endpoints are added - confirm.
backend default-default-ingress-default-backend-port-1
mode http
balance roundrobin
# Appends the client address in X-Forwarded-For; a header already sent by the
# client is kept, so only the last entry is trustworthy.
option forwardfor
server SRV_1 xx.xxx.xx.xx:8080 check weight 128
server SRV_2 127.0.0.1:8080 disabled check weight 128
server SRV_3 127.0.0.1:8080 disabled check weight 128
server SRV_4 127.0.0.1:8080 disabled check weight 128
server SRV_5 127.0.0.1:8080 disabled check weight 128
server SRV_6 127.0.0.1:8080 disabled check weight 128
server SRV_7 127.0.0.1:8080 disabled check weight 128
server SRV_8 127.0.0.1:8080 disabled check weight 128
server SRV_9 127.0.0.1:8080 disabled check weight 128
server SRV_10 127.0.0.1:8080 disabled check weight 128
server SRV_11 127.0.0.1:8080 disabled check weight 128
server SRV_12 127.0.0.1:8080 disabled check weight 128
server SRV_13 127.0.0.1:8080 disabled check weight 128
server SRV_14 127.0.0.1:8080 disabled check weight 128
server SRV_15 127.0.0.1:8080 disabled check weight 128
server SRV_16 127.0.0.1:8080 disabled check weight 128
server SRV_17 127.0.0.1:8080 disabled check weight 128
server SRV_18 127.0.0.1:8080 disabled check weight 128
server SRV_19 127.0.0.1:8080 disabled check weight 128
server SRV_20 127.0.0.1:8080 disabled check weight 128
server SRV_21 127.0.0.1:8080 disabled check weight 128
server SRV_22 127.0.0.1:8080 disabled check weight 128
server SRV_23 127.0.0.1:8080 disabled check weight 128
server SRV_24 127.0.0.1:8080 disabled check weight 128
server SRV_25 127.0.0.1:8080 disabled check weight 128
server SRV_26 127.0.0.1:8080 disabled check weight 128
server SRV_27 127.0.0.1:8080 disabled check weight 128
server SRV_28 127.0.0.1:8080 disabled check weight 128
server SRV_29 127.0.0.1:8080 disabled check weight 128
server SRV_30 127.0.0.1:8080 disabled check weight 128
server SRV_31 127.0.0.1:8080 disabled check weight 128
server SRV_32 127.0.0.1:8080 disabled check weight 128
server SRV_33 127.0.0.1:8080 disabled check weight 128
server SRV_34 127.0.0.1:8080 disabled check weight 128
server SRV_35 127.0.0.1:8080 disabled check weight 128
server SRV_36 127.0.0.1:8080 disabled check weight 128
server SRV_37 127.0.0.1:8080 disabled check weight 128
server SRV_38 127.0.0.1:8080 disabled check weight 128
server SRV_39 127.0.0.1:8080 disabled check weight 128
server SRV_40 127.0.0.1:8080 disabled check weight 128
server SRV_41 127.0.0.1:8080 disabled check weight 128
server SRV_42 127.0.0.1:8080 disabled check weight 128
# TCP backend behind "frontend tcp-55560". The server line has no ssl keyword,
# so HAProxy neither encrypts nor verifies this hop itself; any TLS is
# end-to-end between the client and the server on port 55560.
backend default-rapid-po-service-55560
mode tcp
balance roundrobin
# Start even if the server name cannot be resolved yet (state file, then
# libc, then no address).
default-server init-addr last,libc,none
# "check" without check-ssl is a plain TCP connect test: the server showing
# as UP only proves the port accepts connections, not that TLS works on it.
server SRV_1 xxxxxxx:55560 check weight 128
# TCP backend for port 44448. No frontend or use_backend line in this listing
# names it directly. NOTE(review): presumably selected through a map file value
# - confirm it is still needed.
backend default-rapid-service-44448
mode tcp
balance roundrobin
default-server init-addr last,libc,none
# Plain TCP connect health check; no ssl keyword, so the hop is relayed as-is.
server SRV_1 xxxxxxxxxx:44448 check weight 128
# HTTP backend with one server on port 80, reached over plain HTTP.
backend default-sample-http-service-80
mode http
balance roundrobin
# Appends the client address in X-Forwarded-For; client-supplied values are
# kept, so only the last entry should be trusted by the application.
option forwardfor
default-server init-addr last,libc,none
server SRV_1 xxxxxxxxxxxx:80 check weight 128
# TCP backend on port 443 with no ssl keyword on the server line: the TLS
# session is passed through, so the certificate the client sees is the one
# presented by this server, not by HAProxy.
backend default-sample-https-service-443
mode tcp
balance roundrobin
default-server init-addr last,libc,none
# Health check is a TCP connect only; it does not validate the TLS endpoint.
server SRV_1 xxxxxxxxxxxx:443 check weight 128
# Default target of "frontend ssl": hands the connection to the loopback
# https frontend on 127.0.0.1:443. send-proxy-v2 prepends a PROXY v2 header so
# that frontend (which requires it via accept-proxy) sees the original client
# address instead of 127.0.0.1.
backend ssl
mode tcp
server https 127.0.0.1:443 send-proxy-v2
Regards,
Kalyan