HAProxy community

[Solved] ERR_SSL_PROTOCOL_ERROR after switching to SSL passthrough

Hello community!

I’m posting here as I came across an issue that I’m not able to resolve and I’ve been searching around for a while now. I had a working config using SSL termination with 1 single frontend for 80 and 443 and 2 backends for 2 different websites. After enabling SSL passthrough the second website (site2) stopped working with the given error and I am not sure if it’s due to the tcp mode with an httpcheck in it at the backend level.

HAproxy version: haproxy/bionic-updates,bionic-security,now 1.8.8-1ubuntu0.10

HAproxy config

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 2000
ca-base /etc/ssl/certs
crt-base /etc/ssl/private

defaults
log global
mode http
option httplog
option dontlognull
#option forwardfor
option redispatch
option http-server-close
timeout connect 5000
timeout client 50000
timeout server 50000
timeout tunnel 3600s
timeout http-keep-alive 1s
timeout http-request 15s
timeout queue 30s
timeout tarpit 60s
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

frontend http_in
mode http
option httplog
bind *:80
option forwardfor
redirect scheme https if !{ ssl_fc }

frontend https_in
mode tcp
option tcplog
bind *:443
acl tls req.ssl_hello_type 1
tcp-request inspect-delay 5s
tcp-request content accept if tls
stats uri /haproxy?stats

	acl is_websocket path_beg -i /api
	acl host_calabrio req.ssl_sni -i site1.domain.com
        acl host_ece req.ssl_sni -i site2.domain.com

	use_backend api_back_calabrio if is_websocket
	use_backend https_back_calabrio if host_calabrio
	use_backend https_back_ece if host_ece

#Calabrio backend https
backend https_back_calabrio
mode tcp
option ssl-hello-chk
cookie JSESSIONID prefix nocache
default-server inter 3000 fall 2
server CLBPC1-LAB2-1 172.20.104.52:443 check cookie s1
server CLBPC2-LAB2-1 172.21.104.52:443 check backup cookie s2

#Calabrio backend API
backend api_back_calabrio
default-server inter 3000 fall 2
server CLBPC1-LAB2-1 172.20.104.52:8888 check
server CLBPC2-LAB2-1 172.21.104.52:8888 check backup

#Cisco ECE backend https
backend https_back_ece
mode tcp
option ssl-hello-chk
option httpchk HEAD /default
http-check expect ! rstatus ^5
cookie JSESSIONID prefix nocache
default-server inter 3000 fall 2
server ECE1-LAB2-1 172.20.206.45:443 check ssl verify none cookie s1
server ECE2-LAB2-1 172.21.206.45:443 check ssl backup verify none cookie s2

The backend that is not working is “backend https_back_ece” and the log entry with the issue is the following:

Apr 30 12:50:29 CLB1-LAB2-1 haproxy[1477]: 192.168.151.36:55267 [30/Apr/2020:12:50:28.995] https_in https_back_ece/ECE1-LAB2-1 1/0/47 505 – 11/11/0/0/0 0/0

The first backend is working without issues.

Any clue on why it’s giving back the SSL protocol error?

Thank you!
Tofaz

Because you instructed haproxy to encrypt the already encrypted traffic once again, by using the ssl keyword.

If you did that for healtchecking with SSL, just use check-ssl instead of ssl in that backend.

What I also noticed which will never work is:

acl is_websocket path_beg -i /api
use_backend api_back_calabrio if is_websocket

This traffic is encrypted, you cannot see what HTTP request headers like parts of the URI.

Hey lukastribus,

Thank you for your response and it fixed the issue! Fun part I didn’t know that it was that easy!

The only problem is that the checks are not working anymore are the stats are reporting “no check” for these 2 backends.

For the API acl I think it is due to the fact that the previous configuration was with SSL termination, so now I have to figure something out on how to make it work with SSL passthrough.

I said replace ssl with check-ssl, so you need to have check check-ssl in your configuration:

server ECE1-LAB2-1 172.20.206.45:443 check check-ssl verify none cookie s1
server ECE2-LAB2-1 172.21.206.45:443 check check-ssl backup verify none cookie s2

Is that the case?

My bad! I have modified the backend checks as shown and it is now working correctly!

Thank you!