[Solved] ERR_SSL_PROTOCOL_ERROR after switching to SSL passthrough

Help!
1

Hello community!

I’m posting here as I came across an issue that I’m not able to resolve and I’ve been searching around for a while now. I had a working config using SSL termination with 1 single frontend for 80 and 443 and 2 backends for 2 different websites. After enabling SSL passthrough the second website (site2) stopped working with the given error and I am not sure if it’s due to the tcp mode with an httpcheck in it at the backend level.

HAproxy version: haproxy/bionic-updates,bionic-security,now 1.8.8-1ubuntu0.10

HAproxy config

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 2000
ca-base /etc/ssl/certs
crt-base /etc/ssl/private

defaults
log global
mode http
option httplog
option dontlognull
#option forwardfor
option redispatch
option http-server-close
timeout connect 5000
timeout client 50000
timeout server 50000
timeout tunnel 3600s
timeout http-keep-alive 1s
timeout http-request 15s
timeout queue 30s
timeout tarpit 60s
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

frontend http_in
mode http
option httplog
bind *:80
option forwardfor
redirect scheme https if !{ ssl_fc }

frontend https_in
mode tcp
option tcplog
bind *:443
acl tls req.ssl_hello_type 1
tcp-request inspect-delay 5s
tcp-request content accept if tls
stats uri /haproxy?stats

	acl is_websocket path_beg -i /api
	acl host_calabrio req.ssl_sni -i site1.domain.com
        acl host_ece req.ssl_sni -i site2.domain.com

	use_backend api_back_calabrio if is_websocket
	use_backend https_back_calabrio if host_calabrio
	use_backend https_back_ece if host_ece

#Calabrio backend https
backend https_back_calabrio
mode tcp
option ssl-hello-chk
cookie JSESSIONID prefix nocache
default-server inter 3000 fall 2
server CLBPC1-LAB2-1 172.20.104.52:443 check cookie s1
server CLBPC2-LAB2-1 172.21.104.52:443 check backup cookie s2

#Calabrio backend API
backend api_back_calabrio
default-server inter 3000 fall 2
server CLBPC1-LAB2-1 172.20.104.52:8888 check
server CLBPC2-LAB2-1 172.21.104.52:8888 check backup

#Cisco ECE backend https
backend https_back_ece
mode tcp
option ssl-hello-chk
option httpchk HEAD /default
http-check expect ! rstatus ^5
cookie JSESSIONID prefix nocache
default-server inter 3000 fall 2
server ECE1-LAB2-1 172.20.206.45:443 check ssl verify none cookie s1
server ECE2-LAB2-1 172.21.206.45:443 check ssl backup verify none cookie s2

The backend that is not working is “backend https_back_ece” and the log entry with the issue is the following:

Apr 30 12:50:29 CLB1-LAB2-1 haproxy[1477]: 192.168.151.36:55267 [30/Apr/2020:12:50:28.995] https_in https_back_ece/ECE1-LAB2-1 1/0/47 505 – 11/11/0/0/0 0/0

The first backend is working without issues.

Any clue on why it’s giving back the SSL protocol error?

Thank you!
Tofaz

2

Because you instructed haproxy to encrypt the already encrypted traffic once again, by using the ssl keyword.

If you did that for healtchecking with SSL, just use check-ssl instead of ssl in that backend.

What I also noticed which will never work is:

acl is_websocket path_beg -i /api
use_backend api_back_calabrio if is_websocket

This traffic is encrypted, you cannot see what HTTP request headers like parts of the URI.

3

Hey lukastribus,

Thank you for your response and it fixed the issue! Fun part I didn’t know that it was that easy!

The only problem is that the checks are not working anymore are the stats are reporting “no check” for these 2 backends.

For the API acl I think it is due to the fact that the previous configuration was with SSL termination, so now I have to figure something out on how to make it work with SSL passthrough.

4

I said replace ssl with check-ssl, so you need to have check check-ssl in your configuration:

server ECE1-LAB2-1 172.20.206.45:443 check check-ssl verify none cookie s1
server ECE2-LAB2-1 172.21.206.45:443 check check-ssl backup verify none cookie s2

Is that the case?

5

My bad! I have modified the backend checks as shown and it is now working correctly!

Thank you!