HAProxy community

Problem with MariaDB connections to servers connected to HAProxy


#1

I have successfully (for the most part) setup my server farm to use HAProxy for the 2 servers I have. But I’m running into more problems. I have it successfully redirecting to HTTPS when possible, however the server is still returning a lot of elements in HTTP (non-SSL). Now I can’t make any connections to a MariaDB server on the same LAN.

I’ve checked my permissions. I’ve pinged all servers involved they are able to see each other. And even went as far as to whitelist the user for the entire LAN subnet, and it refuses the connection. If I use a server that is not involved in the HAProxy configuration. It connects fine using the exact same user information. Can anyone tell me why this is happening, how to fix it, and also help me to verify my configuration is only displaying assets in HTTPS.

Here is my configuration:

global
log /dev/log    local0
log /dev/log    local1 notice
#chroot /var/lib/haproxy
stats timeout 5s
user root
group root
daemon

ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
ssl-default-bind-options no-sslv3

defaults
log     global
mode    http
option  forwardfor
option  http-server-close
option  httplog
option  dontlognull
timeout connect 1000
timeout client  1000
timeout server  1000

errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

listen admin_stats 127.0.0.1:8080
mode http
stats enable
stats uri /haproxy-stats
stats refresh 10s
stats realm HAProxy\ Statistics
stats auth admin:password

frontend http
    bind 0.0.0.0:80
    option forwardfor
    default_backend webtraffic

frontend ssl-traffic
    mode tcp
    bind 0.0.0.0:443 ssl crt /etc/haproxy/certs/domain.com.pem
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    default_backend webtraffic

backend webtraffic
    server server1 10.5.0.10:80 check
    server server2 10.5.0.11:80 check
    server server3 10.5.0.12:80 check
    server server4 10.5.0.13:80 check

For obvious reasons I’ve changed my domain name.


#2

I’m afraid you are gonna have to tackle this on the backend side. If you switch to http mode you can set a header like X-Forwarded-Proto: https, which can help your application application understand that the request is HTTPS already, but really it is the backend application where this needs to happen.

Haproxy does not have anything todo with your MariaDB setup. You are decrypting HTTPS and sending HTTP to the servers, that’s it. It has nothing to do with your database.