NOSRV/BADREQ with HAProxy and Letsencrypt

Hello there.

I am using HAProxy as the frontend load balancer, version: 1.5.4 2014/09/02
The backend is on the same server, an apache:8080 running on CentOS 6.

Now I am trying to migrate this website to https using letsencrypt.
I have installed the certs through Certbot.
Then concatenated fullchain.pem and privkey.pem and placed it in /etc/haproxy dir as instructed on certbot and various other sites.
I have not yet set up the renewal, as I want to test this out first. I hope that’s fine.

So all that appears to go fine.

However, when I try to browse the website, the following happens:

  1. The web-app’s login page redirects to https OK, but when I enter the user credentials and submit, the URL redirects to https://<domain>:80 and it throws the error ERR_SSL_PROTOCOL_ERROR.

  2. On the server, I see below in haproxy log:

http http/<NOSRV> -1/-1/-1/-1/0 400 187 - - PR-- 2/0/0/0/0 0/0 "<BADREQ>"

Appreciate any direction on this.

Here is my haproxy.cfg file.

global
    tune.ssl.default-dh-param 2048

defaults
    mode   http
    option http-server-close
    option forwardfor

frontend http
    bind *:80
    reqadd X-Forwarded-Proto:\ http
    default_backend app

frontend https
    bind *:443 ssl crt /etc/haproxy/certs/<domain>.pem
    reqadd X-Forwarded-Proto:\ https
    default_backend app

backend app
    redirect scheme https if !{ ssl_fc }
    server  apache  127.0.0.1:8080 maxconn 50 check

That’s your application making a bogus redirect (HTTPS to port 80). Make sure your application knows that you are already forcing HTTPS on haproxy and disable any redirects from the application.

Thanks for the input.
I am checking the app code.

However, this problem isn’t there when I used apache to handle SSL and used RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [L,NE,R=permanent].

Would apache’s RewriteEngine work differently from HAProxy’s redirect scheme https?

I don’t know. You need to check the application.

How do you say that?
I need some more help as I don’t know where to look.
I grep’ed through my php server code for “SERVER_PORT”, it’s not used anywhere.

Look for redirects, not SERVER_PORT

Well, there are many redirects like: $this->redirect('<module>/<action>');
Should I be searching for $this->redirect('<module>/<action>'):80 ?

Other URLs in the app are working fine.

I disabled redirect scheme https, to login to the app over http. The login session cookie gets set.

Then enabled redirect back. Now I am able to browse the complete app, all pages/urls over https.

There is something in the user login part of the app… no clue yet…still looking.

Still no clue why “/” url access has a problem.

redirect scheme https disabled:

http app/apache 0/0/0/26/26 200 7525 - - ---- 2/2/0/1/0 0/0 "GET / HTTP/1.1
http app/apache 1/0/0/24/27 200 8341 - - ---- 2/2/0/1/0 0/0 "POST / HTTP/1.1

redirect scheme https enabled:
As can be seen, the url redirects back to itself instead of proceeding to the next step.

http~ app/apache 110/0/0/23/133 200 7525 - - ---- 2/2/0/1/0 0/0 "GET / HTTP/1.1
http app/<NOSRV> 0/-1/-1/-1/0 302 121 - - LR-- 3/3/0/0/3 0/0 "POST / HTTP/1.1
http~ app/apache 2690/0/0/24/2714 200 7525 - - ---- 3/3/0/1/0 0/0 "GET / HTTP/1.1"

Got this finally.
It was about HAProxy https redirect of POST queries.

Thank you @lukastribus; you nudged me in the right direction.
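
An added example, not part of the original thread and not HAProxy's own code: a small Python check that reads the shortened log lines quoted above and flags the two patterns seen in this thread, a non-HTTP request on the cleartext listener and a POST that HAProxy answered with a redirect. The regex, function names and finding codes are assumptions of this example; the sample lines are copied from the posts.

```python
import re

# Matches the shortened HAProxy HTTP log lines quoted in this thread (assumed
# layout: frontend[~] backend/server timers status bytes - - term conns queues "req").
LINE_RE = re.compile(
    r'(?P<frontend>[^\s~]+)(?P<tls>~?) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<timers>[-\d/]+) (?P<status>\d{3}) (?P<bytes>\d+) \S+ \S+ '
    r'(?P<term>\S{4}) \S+ \S+ "(?P<request>[^"]*)"?'
)
# Redirect codes that browsers follow with a GET, discarding the POST body.
REDIRECT_TO_GET = {"301", "302", "303"}

def classify(line):
    """Return finding codes for one log line; an empty list means nothing notable."""
    m = LINE_RE.search(line)
    if m is None:
        return ["UNPARSED"]
    findings = []
    cleartext = m["tls"] == ""  # "~" after the frontend name marks a TLS connection
    method = m["request"].split(" ", 1)[0]
    # Term state "P...": HAProxy aborted the session; <BADREQ>: no parsable HTTP
    # request arrived, as when a TLS handshake is sent to the plain port 80.
    if m["request"] == "<BADREQ>" and m["term"][0] == "P" and cleartext:
        findings.append("NON_HTTP_ON_CLEARTEXT_PORT")
    # Term state "L..." with <NOSRV>: HAProxy answered itself (here: a redirect).
    if (m["server"] == "<NOSRV>" and m["term"][0] == "L"
            and m["status"] in REDIRECT_TO_GET and method == "POST"):
        findings.append("POST_REDIRECTED_BODY_LOST")
        if cleartext:
            # The form body was already sent unencrypted before the redirect.
            findings.append("POST_BODY_SENT_IN_CLEARTEXT")
    return findings

def scan(lines):
    """Map each line number (1-based) with findings to its finding codes."""
    return {n: f for n, line in enumerate(lines, 1) if (f := classify(line))}

# Log lines copied from the posts above.
SAMPLE = [
    'http http/<NOSRV> -1/-1/-1/-1/0 400 187 - - PR-- 2/0/0/0/0 0/0 "<BADREQ>"',
    'http~ app/apache 110/0/0/23/133 200 7525 - - ---- 2/2/0/1/0 0/0 "GET / HTTP/1.1',
    'http app/<NOSRV> 0/-1/-1/-1/0 302 121 - - LR-- 3/3/0/0/3 0/0 "POST / HTTP/1.1',
    'http~ app/apache 2690/0/0/24/2714 200 7525 - - ---- 3/3/0/1/0 0/0 "GET / HTTP/1.1"',
]

if __name__ == "__main__":
    for n, found in scan(SAMPLE).items():
        print(n, SAMPLE[n - 1], "->", ", ".join(found))
```

A login POST flagged with POST_BODY_SENT_IN_CLEARTEXT means the credentials crossed the network unencrypted before the redirect to https took effect, so the form's target URL is the thing to correct.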