[noob alert] Basic configuration going wrong

Hi everyone,

I’m trying to use haproxy instead of apache2 to set up a reverse proxy in my company.
I followed and compared some documentation to make my own haproxy.cfg.

Haproxy is running on its own server, and has to redirect https requests to another web server. As you’ll see in the configuration below, (I think) I redirect any http request to https.

The problem is that I get the “BAD REQUEST” error when trying to access my test website. The certificate seems to work because I can see it in my web browser, and I got no error about it in the log. However, in /var/log/haproxy.log, I can only see that the request seems to be correctly redirected to the backend web server:

Jan 25 16:48:14 haproxyserver haproxy[5570]: 37.169.147.6:37646 [25/Jan/2019:16:48:14.100] localhost-443~ redirect-website1/webserver1:443 75/0/131 619 -- 1/1/0/0/0 0/0

What am I doing wrong? :cry:

For information, that process worked correctly with apache as the reverse proxy, but I can’t use it anymore since I have to set up another redirection for another domain, and apache2 can’t handle more than 1 public certificate (or maybe I’m doing something wrong there too, but I’m not here for that; anyway, haproxy seems to be a more convenient and powerful tool :wink: )

Find below the configuration file

Thanks in advance for your precious help!
Arnaud

Here is the complete haproxy.cfg (commented!):

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    maxconn 4096
    user haproxy
    group haproxy
    daemon

defaults
    log     global
    mode    tcp
    option  tcplog
    option  dontlognull
    timeout connect 15s
    timeout client  15s
    timeout server  15s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend rvsproxyserver-80
    bind *:80
    mode tcp
    redirect scheme https code 301 if !{ ssl_fc } #redirect everything to https

frontend rvsproxyserver-443
    bind *:443 ssl crt /var/www/certs/haproxy #concatenated .pem certs location for websites
    option tcplog
    mode tcp

    acl tls req.ssl_hello_type 1

    tcp-request inspect-delay 5s
    tcp-request content accept if tls

    acl is_website1 hdr(host) website1   #simple acl1
    acl is_website2 hdr(host) website2   #simple acl2

    use_backend redirect-website1 if is_website1 #declare backend1
    use_backend redirect-website2 if is_website2 #declare backend2

backend redirect-website1
    mode tcp
    option ssl-hello-chk
    server webserver1 10.10.10.10:443 check #name and IP of my webserver1

backend redirect-website2
    mode tcp
    option ssl-hello-chk
    server webserver2 10.11.11.11:443 check #name and IP of my webserver2

You cannot use “mode tcp” when you want to access the Host header for routing and issue redirects.

Remove TCP mode and its parameters and use http mode instead. Also your backend servers are SSL enabled (I guess, since their destination port is 443), so you must specify the ssl keyword on each server line.

Also read the warning and suggestion haproxy is emitting. Call the config checker: haproxy -c -f /etc/path/to/haproxy.cfg

Thanks for your help!
I replaced “mode tcp” by “mode http” in frontend & backends.

OK! I modified the backend as well to specify the options below:

backend redirect-website2
    mode http
    option ssl-hello-chk
    server webserver1 10.10.10.10:443 ssl crt /var/www/certs/haproxy/cert1.pem verify none

The config checker returns “configuration file is valid”; it just warns me about “tune.ssl.default-dh-param”, which should be set to 2048.

So it works now! Thank you very much.
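
The configuration this thread converges on, written out in full as an added example (not posted by anyone in the thread): HTTP mode throughout, the ssl keyword on each server line, and the DH parameter size from the config-checker warning. Unlike the snippet above, it verifies the backend certificate instead of using verify none; the ca-file path and the verifyhost names are assumptions to adapt.

```haproxy
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    maxconn 4096
    # Size named in the config-checker warning quoted in the thread
    tune.ssl.default-dh-param 2048

defaults
    log     global
    mode    http    # Host-header ACLs and redirects need HTTP mode
    option  httplog
    option  dontlognull
    timeout connect 15s
    timeout client  15s
    timeout server  15s

frontend rvsproxyserver-80
    bind *:80
    redirect scheme https code 301 if !{ ssl_fc }

frontend rvsproxyserver-443
    # TLS is terminated here, so the Host header is readable for routing
    bind *:443 ssl crt /var/www/certs/haproxy
    acl is_website1 hdr(host) -i website1
    acl is_website2 hdr(host) -i website2
    use_backend redirect-website1 if is_website1
    use_backend redirect-website2 if is_website2

backend redirect-website1
    # "ssl" re-encrypts traffic to the backend. "verify required" with a CA
    # bundle (assumed path) authenticates the backend; "verify none" would
    # accept any certificate presented on that address.
    server webserver1 10.10.10.10:443 ssl verify required ca-file /etc/haproxy/backend-ca.pem verifyhost website1 check

backend redirect-website2
    server webserver2 10.11.11.11:443 ssl verify required ca-file /etc/haproxy/backend-ca.pem verifyhost website2 check
```

Validate it with haproxy -c -f before reloading, as suggested in the reply above.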