Proxy Protocol - PR_END_OF_FILE_ERROR

Help!
1

Debian 11
haproxy 2.2.9-2+deb11u3

I have a basic haproxy.cfg working as expected and it’s forwarding ssl to the backend

The apache backend sees the proxy IP not the original client’s IP so I change the final line to

server test 10.0.0.119:443 send-proxy

After this change I no longer have access to the apache backend, there’s nothing in the apache access.log

haproxy.log gives

Nov 19 09:35:15 ip-10-0-0-131 haproxy[8149]: client.ip.add:34224 [19/Nov/2022:09:35:15.198] ssl_relay apache_webservers/test 2/2/+3 +0 -- 1/1/1/1/0 0/0
Nov 19 09:35:15 ip-10-0-0-131 haproxy[8149]: client.ip.add:34224 [19/Nov/2022:09:35:15.198] ssl_relay apache_webservers/test 2/2/+3 +0 -- 1/1/1/1/0 0/0

The browser shows me Error code: PR_END_OF_FILE_ERROR

haproxy.cfg:

global
        log /dev/log    local0 debug
        log /dev/log    local1 debug #notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA>
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
        log     global
        mode    tcp
        option logasap
        option tcplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend ssl_relay
        bind *:443
        mode tcp
        option tcplog
        default_backend apache_webservers

        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }

backend apache_webservers
        mode tcp
        server test 10.0.0.119:443

Any idea what I’m missing?

Thanks

2

I’m also trying to figure out how to do this with Apache. I have found this HAProxy article about the PROXY Protocol and have found that there’s a version 1 and version 2 of the protocol. You’re implementing v1 with “send-proxy”, but to implement the v2 option you would change that to “send-proxy-v2” in HAProxy.

I’m also using HAProxy with “mode tcp” and have been able to get this working with Nginx, but not Apache yet. To make this work you will have to make configure changes to both HAProxy & Apache config. All I have found for Apache, is this link about the mod_remoteip module which I’m trying to figure out now. Please share if you find anything to configure the Apache side of this.

3

This needs backend server support and configuration. I don’t know whether or not Apache supports the proxy procotol and how to enable it.

You’d have to research this in the Apache documentation/communities.

4

To start with this is with apache2 2.4.54-1~deb11u1

I found this link very helpful

In apache2.conf change the LogFormat so it reads

LogFormat "%a %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-Agent}i\"" combined

Then I created /etc/apache2/conf-enabled/remoteip.conf with the IP of the HAProxy server

RemoteIPHeader X-Forwarded-For
RemoteIPTrustedProxy 10.0.0.131

Then

sudo a2enmod remoteip
sudo a2enconf remoteip.conf

Then I copied my /etc/apache2/sites-available/server-ssl.conf to /etc/apache2/sites-available/server-8443.conf because the next step would take 443 offline which isn’t useful during setup. In the new site I changed to read

Listen 0.0.0.0:8443

<VirtualHost *:8443>
...
...
   RemoteIPProxyProtocol On
...

Then enabled the new settings

sudo a2ensite server-8443.conf

Finally in haproxy.cfg I ended up using

server test 10.0.0.119:8443 send-proxy-v2

Hope this helps. Nginx is much simpler

5

I’m having trouble getting this to work. I’m not using Debian, and am using RockyLinux. After following everything here, I’m now getting the PR_END_OF_FILE_ERROR, so does anyone have any suggestions? Please help!

6

Anyone else on RockyLinux (or another Redhat-based distro) running into this same issue?

7

The “PR_END_OF_FILE_ERROR” typically indicates an SSL/TLS handshake failure, which can be related to proxy issues. Ensure your proxy settings are correctly configured and that the proxy server supports the required SSL/TLS protocols. Clear your browser’s cache and SSL state, and verify that the system date and time are accurate. If you’re using a proxy, try bypassing it or reconfiguring it. Additionally, check for any recent changes or updates to your proxy or network configuration that might be affecting the connection.

If you are still facing the issue i will refer this article to resolve.