Reverse proxy HA (ssl) with forward proxy squid - SSL handshake fail

Hello community,

I’m trying to set up a reverse HAProxy to connect to a forward, LDAP auth based Squid. Both applications run on the same machine and I have been able to make it work over http with the following config:

global
log 127.0.0.1:514 local2
daemon
maxconn 256

defaults
log global
mode http
option httplog
timeout connect 5s
timeout client 50s
timeout server 50s

frontend squid_front
bind *:3128

bind *:3128 ssl crt /etc/haproxy/cert.pem

mode http
use_backend squid1

backend squid1
mode http
balance roundrobin
option forwardfor
server squid1 127.0.0.1:3129 check port 3129 inter 2000 rise 2 fall 3

However, the second I turn on https, I get:

squid_front/1: SSL handshake failure

Using ssldump on port 3128 I see only:

1 0.0013 (0.0013) S>C TCP FIN
1 0.0021 (0.0007) C>S TCP FIN

and nothing in the squid logs.

cert.pem contains a crt and a key. I have double checked them both with openssl.

selinux is set to permissive and iptables allows all on port 3128.

It’s late, I’m tired, there must be something I’m not seeing or simply missing here.

Please give me a hand.

haproxy -vv:
HA-Proxy version 1.5.18 2016/05/10
Copyright 2000-2016 Willy Tarreau willy@haproxy.org

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
OPTIONS = USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

Seriously?

You cannot use two bind statements on the same port. You need to decide whether you want SSL on that port or not. Otherwise the kernel will randomly load-balance between the two.

@lukastribus that would be a typo. “bind *:3128” is actually commented out.

@IgorC yes, internal repos. I guess this should work with version 1.5.18 or?

I don’t see anything wrong with this. Share the full tcpdump capture of the request please (tcpdump -pns0 -w SSL-traffic.cap port 3128).

Can you confirm the client uses SSL to connect to this port?

@lukastribus

20:35:03.323280 IP client.11117 > haproxy.squid: Flags [S], seq 458754015, win 16383, options [mss 1446,nop,wscale 10,sackOK,TS val 548568259 ecr 0], length 0
20:35:03.323420 IP haproxy.squid > client.11117: Flags [S.], seq 3617059495, ack 458754016, win 28960, options [mss 1460,sackOK,TS val 989091338 ecr 548568259,nop,wscale 7], length 0
20:35:03.323689 IP client.11117 > haproxy.squid: Flags [.], ack 1, win 16, options [nop,nop,TS val 548568260 ecr 989091338], length 0
20:35:03.323726 IP client.11117 > haproxy.squid: Flags [P.], seq 1:164, ack 1, win 16, options [nop,nop,TS val 548568260 ecr 989091338], length 163
20:35:03.324073 IP haproxy.squid > client.11117: Flags [F.], seq 1, ack 164, win 235, options [nop,nop,TS val 989091338 ecr 548568260], length 0
20:35:03.324216 IP client.11117 > haproxy.squid: Flags [.], ack 2, win 16, options [nop,nop,TS val 548568261 ecr 989091338], length 0
20:35:03.324621 IP client.11117 > haproxy.squid: Flags [F.], seq 164, ack 2, win 16, options [nop,nop,TS val 548568261 ecr 989091338], length 0
20:35:03.324654 IP haproxy.squid > client.11117: Flags [.], ack 165, win 235, options [nop,nop,TS val 989091339 ecr 548568261], length 0

I’m using the following from the client:

curl -v -U myuser -x http://myproxy.url:3128 https://www.google.com
Enter proxy password for user ‘myuser’:
* About to connect() to proxy myproxy.url port 3128 (#0)
* Trying 1.2.3.4…
* Connected to myproxy.url (1.2.3.4) port 3128 (#0)
* Establish HTTP proxy tunnel to www.google.com:443
* Proxy auth using Basic with user ‘myuser’
> CONNECT www.google.com:443 HTTP/1.1
> Host: www.google.com:443
> Proxy-Authorization: Basic bXl1c2VyOm15cGFzcw==
> User-Agent: curl/7.29.0
> Proxy-Connection: Keep-Alive
>
* Proxy CONNECT aborted
* Connection #0 to host myproxy.url left intact
curl: (56) Proxy CONNECT aborted

Just what I thought, you are not instructing the client to use HTTPS:

-x http://myproxy.url:3128

You are saying here, connect via unencrypted HTTP to the proxy. This cannot work.

Same goes for https.

I get the exact same error messages.

Then do it with HTTPS while capturing the traffic and provide that file (not the CLI output, that’s useless).

as requested: https://kops-state-store-example.s3.amazonaws.com/SSL-traffic.cap

This is not SSL.

You have configured Haproxy for SSL, and the request that arrives is not SSL.

As per the curl documentation:

https://curl.haxx.se/docs/manpage.html#-x

HTTPS proxy support via https:// protocol prefix was added in 7.52.0 for OpenSSL, GnuTLS and NSS.

Unrecognized and unsupported proxy protocols cause an error since 7.52.0. Prior versions may ignore the protocol and use http:// instead.

So in other words, not only does your curl release not support SSL for proxies, it also silently falls back to plain text HTTP without an error.
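The diagnosis above can be checked directly against the first bytes a client sends: a TLS-terminating `bind ... ssl` expects a ClientHello record, and anything else (such as the plaintext CONNECT that curl 7.29 emitted) is what HAProxy reports as "SSL handshake failure". The classifier below is an added example, not code from HAProxy, Squid or anyone in this thread; the sample request and the skeletal ClientHello are constructed to mirror the curl output shown earlier, and the byte lengths are not taken from the capture.

```python
"""Tell a TLS ClientHello apart from a plaintext HTTP request (added example)."""
import re

# A TLS record starts with content type 0x16 (handshake), a 2-byte version
# 0x03 0x00..0x04, and a 2-byte record length; the first handshake message
# a client may send is ClientHello (type 0x01).
TLS_HANDSHAKE = 0x16
TLS_CLIENT_HELLO = 0x01
HTTP_METHODS = (b"CONNECT", b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS")
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)\r\n")


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls-clienthello', 'http-request' or 'unknown' for a connection's first bytes."""
    if len(data) >= 6 and data[0] == TLS_HANDSHAKE and data[1] == 0x03 and data[2] <= 0x04:
        record_len = int.from_bytes(data[3:5], "big")
        if record_len > 0 and data[5] == TLS_CLIENT_HELLO:
            return "tls-clienthello"
        return "unknown"  # TLS framing, but not a ClientHello first
    m = REQUEST_LINE.match(data)
    if m and m.group(1) in HTTP_METHODS:
        return "http-request"
    return "unknown"


def build_curl_connect(host: str, b64_cred: str, ua: str) -> bytes:
    """Rebuild the plaintext CONNECT request that curl -v printed (constructed sample)."""
    lines = [
        f"CONNECT {host}:443 HTTP/1.1",
        f"Host: {host}:443",
        f"Proxy-Authorization: Basic {b64_cred}",
        f"User-Agent: {ua}",
        "Proxy-Connection: Keep-Alive",
        "",
        "",
    ]
    return "\r\n".join(lines).encode()


def minimal_client_hello() -> bytes:
    """Constructed TLS record carrying only a ClientHello header and client version."""
    body = bytes([TLS_CLIENT_HELLO]) + b"\x00\x00\x02" + b"\x03\x03"  # type, 24-bit len, version
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + len(body).to_bytes(2, "big") + body


if __name__ == "__main__":
    plain = build_curl_connect("www.google.com", "bXl1c2VyOm15cGFzcw==", "curl/7.29.0")
    print(classify_first_bytes(plain))                   # http-request
    print(classify_first_bytes(minimal_client_hello()))  # tls-clienthello
```

Feeding the payload of the first data segment from the capture (the `length 163` push in the tcpdump output) to `classify_first_bytes` answers the "is this SSL?" question without reading the hex by hand.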

I have installed curl 7.67.0 and can confirm haproxy is working properly without any changes to the aforementioned config. Thank you very much!
