Hi hope its OK to post this here.
I’m hawing problem configuring haproxy with re-encryption.
For some reason I need to re-encrypt all traffic to the backend servers.
I have tested the setup with no encryption to backend and that works fine.
But when use encryption I cet the error “504 Gateway Time-out”.
I can go straight to the backend server using http or https without problems.
Have tested to telnet from the proxy server to backend on 443 that is OK.
The urls are similar to this one "https://proxy.xxxxx.net/name/server/site/worker/xxxxx
The backends are IIS servers.
Am I doing something wrong or misunderstanding.
Would be great to get input and/or guidelines if someone has.
Version: HAProxy version 1.8.23-1ppa1~bionic, released 2019/11/26 running on Ubuntu.
Here is similar to what I have configured. Server names and paths changed.
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES25$
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
tune.ssl.default-dh-param 2048
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 25000ms
timeout client 60000ms
timeout server 60000ms
timeout queue 60000ms
timeout http-request 15000ms
timeout http-keep-alive 15000ms
option http-server-close
frontend http
bind *:80
bind *:443 ssl crt /etc/haproxy/certs/haproxy_full.pem
#If path inclues begining defined in the acls file trafic is outed to prod_2
acl cond1 path_beg -i -f /etc/haproxy/customer-redirects.acls
use_backend prod_2 if cond1
default_backend prod_1
backend prod_1
mode http
#server prod_app1 prod_1.abc.net:80 check #Works as expected if I use 80
server prod_app1 prod_1.abc.net:443 check ssl verify none
#server prod_app1 prod_1.abc.net:443 check ca-file /etc/haproxy/certs/ca.complete.crt # used this one without success same error.
backend prod_2
mode http
server prod_app2 prod_2.abc.net:80 check
#server prod_app2 prod_2.abc.net:443 check ssl verify none #Not working