I’ve been using HAProxy for just under two weeks, so please be gentle… I’m using it to load-balance RDP hosts. Doing that with just 3389 works like a dream, but I’m having trouble with the SSL termination method.
I used openssl to create a self-signed certificate on my HAProxy, and then used this as the haproxy.cfg file:
```
global
    log 127.0.0.1:514 local0
    maxconn 4096
    tune.ssl.default-dh-param 2048
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!3DES:!DH:!PSK:!RC4:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!LOW:!SSLv2

defaults
    log global
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

# TLS is terminated here on 443; the backend is reached in plain TCP
frontend ft_rdp
    mode tcp
    bind :443 ssl crt /etc/haproxy/certs/haproxy.pem
    timeout client 1h
    tcp-request inspect-delay 2s
    tcp-request content accept if RDP_COOKIE
    default_backend bk_rdp

backend bk_rdp
    mode tcp
    balance leastconn
    timeout server 1h
    timeout connect 4s
    # persistence keyed on the RDP cookie (mstshash = username)
    stick-table type string len 32 size 10k expire 8h
    stick on rdp_cookie(mstshash)
    option tcp-check
    tcp-check connect port 3389
    default-server inter 30s rise 2 fall 3
    server rdp-server1 192.168.1.101:3389 check-ssl verify none
    server rdp-server2 192.168.1.102:3389 check-ssl verify none
```
The config file validates and the service starts but I’m unable to make connections using the Microsoft RDP client…
Any thoughts or suggestions?
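An added configuration lint, not part of the original post and not HAProxy's own tooling: it parses a constructed excerpt of the posted config into sections and flags the health-check settings on the `server` lines (`check-ssl` together with `verify none`), which are worth ruling out on the backend side before looking at the client. Section names, addresses and the excerpt itself are taken from the post above.

```python
import re
from collections import defaultdict

# Constructed excerpt of the posted haproxy.cfg (frontend and backend only).
SAMPLE_CFG = """\
frontend ft_rdp
    mode tcp
    bind :443 ssl crt /etc/haproxy/certs/haproxy.pem
    default_backend bk_rdp
backend bk_rdp
    mode tcp
    option tcp-check
    tcp-check connect port 3389
    server rdp-server1 192.168.1.101:3389 check-ssl verify none
    server rdp-server2 192.168.1.102:3389 check-ssl verify none
"""

SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)(?:\s+(\S+))?$")

def parse_sections(text):
    """Group tokenised lines by section: {(kind, name): [[token, ...], ...]}."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2) or "")
        elif current is not None:
            sections[current].append(line.split())
    return sections

def lint(text):
    """Return (section, server, message) for server lines with risky check settings."""
    findings = []
    for (kind, name), lines in parse_sections(text).items():
        for tok in lines:
            if kind not in ("backend", "listen") or tok[0] != "server":
                continue
            if "check-ssl" in tok:  # the health check is asked to use TLS
                findings.append((name, tok[1], f"check-ssl: TLS health check against {tok[2]}, "
                                 "but RDP begins with an X.224 request, not a TLS handshake"))
            if "verify" in tok[:-1] and tok[tok.index("verify") + 1] == "none":
                findings.append((name, tok[1], "verify none: backend certificate not validated"))
    return findings
```

Running `lint(SAMPLE_CFG)` reports two findings per server; replacing `check-ssl verify none` with a plain `check` clears both.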