Re-encryption getting: 504 Gateway Time-out

Gudjon · February 16, 2020, 6:15pm

Hi hope its OK to post this here.
I’m hawing problem configuring haproxy with re-encryption.
For some reason I need to re-encrypt all traffic to the backend servers.
I have tested the setup with no encryption to backend and that works fine.
But when use encryption I cet the error “504 Gateway Time-out”.
I can go straight to the backend server using http or https without problems.
Have tested to telnet from the proxy server to backend on 443 that is OK.
The urls are similar to this one "https://proxy.xxxxx.net/name/server/site/worker/xxxxx
The backends are IIS servers.
Am I doing something wrong or misunderstanding.

Would be great to get input and/or guidelines if someone has.

Version: HAProxy version 1.8.23-1ppa1~bionic, released 2019/11/26 running on Ubuntu.

Here is similar to what I have configured. Server names and paths changed.
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES25$
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
tune.ssl.default-dh-param 2048
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
defaults
log global
mode http
option httplog
option dontlognull

    timeout connect 25000ms
    timeout client 60000ms
    timeout server 60000ms
    timeout queue 60000ms
    timeout http-request 15000ms
    timeout http-keep-alive 15000ms
    option http-server-close

frontend http
bind *:80
bind *:443 ssl crt /etc/haproxy/certs/haproxy_full.pem
#If path inclues begining defined in the acls file trafic is outed to prod_2
acl cond1 path_beg -i -f /etc/haproxy/customer-redirects.acls
use_backend prod_2 if cond1
default_backend prod_1

backend prod_1
mode http
#server prod_app1 prod_1.abc.net:80 check #Works as expected if I use 80
server prod_app1 prod_1.abc.net:443 check ssl verify none
#server prod_app1 prod_1.abc.net:443 check ca-file /etc/haproxy/certs/ca.complete.crt # used this one without success same error.

backend prod_2
mode http
server prod_app2 prod_2.abc.net:80 check
#server prod_app2 prod_2.abc.net:443 check ssl verify none #Not working

Topic		Replies	Views
HAProxy 1.8.4 504 Gateway Time-out Help!	2	7021	April 12, 2018
Problem with my backend Help!	4	1847	March 8, 2020
Random 502 Bad Gateway errors Help!	11	6869	November 14, 2017
Connection failure with transparent proxying Help!	0	387	November 22, 2021
Issue with ISS backend Help!	2	243	January 12, 2024

Re-encryption getting: 504 Gateway Time-out

Related Topics