SSH termination config invalid after upgrade

I’ve been using HAProxy for SSL termination and reverse proxy on 1.5 for a while and have been trying to upgrade to 1.8.30 as a stepping stone to upgrading to 2.4. The installation was successful but HAProxy won’t start due to the following config file issues:

[ALERT] 230/113800 (7902) : parsing [/etc/haproxy/haproxy.cfg:16] : unknown keyword 'tune.ssl.default-dh-param' in 'global' section
[ALERT] 230/113800 (7902) : parsing [/etc/haproxy/haproxy.cfg:17] : unknown keyword 'ssl-default-bind-ciphers' in 'global' section
[ALERT] 230/113800 (7902) : parsing [/etc/haproxy/haproxy.cfg:18] : unknown keyword 'ssl-default-bind-options' in 'global' section
[ALERT] 230/113800 (7902) : parsing [/etc/haproxy/haproxy.cfg:50] : 'listen' cannot handle unexpected argument '*:8080'.
[ALERT] 230/113800 (7902) : parsing [/etc/haproxy/haproxy.cfg:50] : please use the 'bind' keyword for listening addresses.
[ALERT] 230/113800 (7902) : parsing [/etc/haproxy/haproxy.cfg:85] : 'bind *:443' unknown keyword 'ssl'. Registered keywords :
    [STAT] level <arg>
    [STAT] expose-fd <arg>
    [STAT] severity-output <arg>
    [ TCP] defer-accept
    [ TCP] interface <arg>
    [ TCP] mss <arg>
    [ TCP] tcp-ut <arg>
    [ TCP] tfo
    [ TCP] transparent
    [ TCP] v4v6
    [ TCP] v6only
    [ ALL] accept-netscaler-cip <arg>
    [ ALL] accept-proxy
    [ ALL] backlog <arg>
    [ ALL] id <arg>
    [ ALL] maxconn <arg>
    [ ALL] name <arg>
    [ ALL] nice <arg>
    [ ALL] process <arg>
    [UNIX] gid <arg>
    [UNIX] group <arg>
    [UNIX] mode <arg>
    [UNIX] uid <arg>
    [UNIX] user <arg>
[WARNING] 230/113800 (7902) : parsing [/etc/haproxy/haproxy.cfg:95] : a 'http-request' rule placed after a 'reqadd' rule will still be processed before.
[ALERT] 230/113800 (7902) : parsing [/etc/haproxy/haproxy.cfg:115] : error detected in backend 'mydomain.com' while parsing redirect rule : error in condition: unknown fetch method 'ssl_fc' in ACL expression 'ssl_fc'.
[ALERT] 230/113800 (7902) : parsing [/etc/haproxy/haproxy.cfg:128] : error detected in backend 'manage.mydomain.com' while parsing redirect rule : error in condition: unknown fetch method 'ssl_fc' in ACL expression 'ssl_fc'.
[ALERT] 230/113800 (7902) : parsing [/etc/haproxy/haproxy.cfg:141] : error detected in backend 'my.mydomain.com' while parsing redirect rule : error in condition: unknown fetch method 'ssl_fc' in ACL expression 'ssl_fc'.
[ALERT] 230/113800 (7902) : parsing [/etc/haproxy/haproxy.cfg:152] : error detected in backend 'api.mydomain.com' while parsing redirect rule : error in condition: unknown fetch method 'ssl_fc' in ACL expression 'ssl_fc'.
[ALERT] 230/113800 (7902) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 230/113800 (7902) : Fatal errors found in configuration.

(I’ve hidden my actual domain)

My config file (which worked on 1.5) is as follows. All connections for my subdomains arrive at HAProxy, where SSL is terminated and requests are proxied to the appropriate web server.

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    log         127.0.0.1 local2     #Log configuration

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy             #Haproxy running under user and group "haproxy"
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats mode 600 level admin
    tune.ssl.default-dh-param 2048
    ssl-default-bind-ciphers TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11


#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    15s
    timeout queue           30s
    timeout connect         5s
    timeout client          25s
    timeout server          5m
    timeout http-keep-alive 1s
    timeout check           10s
    timeout tunnel          3600s
    timeout tarpit          60s
    backlog                 10000
    maxconn                 3000

#---------------------------------------------------------------------
#HAProxy Monitoring Config
#---------------------------------------------------------------------
listen haproxy3-monitoring *:8080                #Haproxy Monitoring run on port 8080
    mode http
    option forwardfor
    option httpclose
    stats enable
    stats show-legends
    stats refresh 5s
    stats uri /stats                             #URL for HAProxy monitoring
    stats realm Haproxy\ Statistics
    stats admin if TRUE

#---------------------------------------------------------------------
# FrontEnd Configuration
#---------------------------------------------------------------------
frontend www-http
    bind *:80
    reqadd X-Forwarded-Proto:\ http
    option http-server-close
    option forwardfor
    acl website_www hdr(host) -i www.staging.mydomain.com
    acl website_blank hdr(host) -i staging.mydomain.com
    acl app_api hdr(host) -i api.staging.mydomain.com
    acl app_my hdr(host) -i my.staging.mydomain.com
    acl legacy_manage hdr(host) -i manage.staging.mydomain.com

    use_backend mydomain.com if website_www
    use_backend mydomain.com if website_blank
    use_backend api.mydomain.com if app_api
    use_backend my.mydomain.com if app_my
    use_backend manage.mydomain.com if legacy_manage

    default_backend mydomain.com

frontend www-https
    bind *:443 ssl crt /etc/haproxy/newcert.pem
    reqadd X-Forwarded-Proto:\ https
    acl website_www hdr(host) -i www.staging.mydomain.com
    acl website_blank hdr(host) -i staging.mydomain.com
    acl app_api hdr(host) -i api.staging.mydomain.com
    acl app_my hdr(host) -i my.staging.mydomain.com
    acl legacy_manage hdr(host) -i manage.staging.mydomain.com

    acl block_trace_request method TRACE
    http-request deny if block_trace_request

    use_backend mydomain.com if website_www
    use_backend mydomain.com if website_blank
    use_backend api.mydomain.com if app_api
    use_backend my.mydomain.com if app_my
    use_backend manage.mydomain.com if legacy_manage

    default_backend mydomain.com

#---------------------------------------------------------------------
# BackEnds
#---------------------------------------------------------------------

backend mydomain.com
    # set-header takes the header name and value as separate words; a trailing
    # colon on the name would be emitted as part of the header name
    http-response set-header X-Frame-Options DENY
    http-response set-header X-XSS-Protection 1;mode=block
    http-response set-header X-Content-Type-Options nosniff
    http-response set-header Referrer-Policy no-referrer-when-downgrade

    http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
    redirect scheme https if !{ ssl_fc }
    option httpchk HEAD / HTTP/1.1\r\nHost:\ localhost
    server brochure.staging.mydomain 10.10.11.14:80 check

# Backends api.mydomain.com, my.mydomain.com and manage.mydomain.com are identical to this one, save for the server hostname, IP and httpchk URL.

Thanks for your help! I’ve been trying to read through the release notes for all the versions but it’s very slow going.

Hello,

It looks like you have an issue with SSL. It doesn’t recognize any part of the config file regarding ssl.

First you have to check if SSL is enabled in your haproxy version with the haproxy -vvv command. You have to find USE_OPENSSL=1 on the OPTIONS line.

You can show us the output to check it with you.

:)

Thanks. I didn’t realise that there were features enabled as specific options! haproxy -vvv gives this output:

HA-Proxy version 1.8.30-c248dab 2021/04/12
Copyright 2000-2021 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = linux-glibc
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label
  OPTIONS = USE_POLL=default

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with transparent proxy support using: IP_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built without PCRE or PCRE2 support (using libc's regex instead)
Built without compression support (neither USE_ZLIB nor USE_SLZ are set).
Compression algorithms supported : identity("identity")
Built with network namespace support.

Available polling systems :
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 2 (2 usable), will use poll.

Available filters :
	[SPOE] spoe
	[COMP] compression
	[TRACE] trace

I installed this version using this guide as the only version available in yum is 1.5. Do I need to rebuild it?

There is no SSL compiled within this version. You have to find another one.

I’m pretty sure the rpm you will find on the epel repo will have ssl.

A quick look gave me this one https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/h/haproxy18-1.8.27-1.el7.x86_64.rpm but it’s an older version

OK, I actually compiled it myself as I thought it would be easier to manage future updates, rather than hunting for the right RPM.

I’ve had a look at one of our other servers to see what options it had enabled - there are quite a few extras I need! Does this build command look OK?

make TARGET=linux-glibc USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

I can’t see LUA in your make. You will need it if you plan to use LUA scripts. Also, on our server we have a few more options:

OPTIONS = USE_LINUX_TPROXY=1 USE_CRYPT_H=1 USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_SYSTEMD=1 USE_PCRE=1

Thanks. I’m not familiar with some of those options. I have been running HAProxy in systemd using the script in examples/haproxy.init, but is it better to compile it with USE_SYSTEMD=1 instead of/as well as?

I don’t know, we use the rpm from the repos. We have an old version we used to compile but are not using it anymore. All have this systemd option.

Yes, you need that if you want to use the systemd unit file example in contrib/systemd.

Thanks. make fails if I include USE_SYSTEMD=1 but that’s a question for a different ticket!

Regarding the config validation errors, the other change I had to make was to change the stats config to the following:

listen haproxy3-monitoring
    bind *:8080
    mode http
# The rest as before
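Putting the thread's fixes together, here is an added example (not from any post above) of how the fragments that failed to parse look once ported to 1.8. It assumes a build with USE_OPENSSL=1 (so the ssl keywords and the ssl_fc fetch are registered) and reuses the certificate path, ports and backend name from the original config; cipher settings are left as in the original.

```haproxy
# Added example: the original config's failing fragments ported to HAProxy 1.8
global
    # only recognised when the binary is built with USE_OPENSSL=1
    tune.ssl.default-dh-param 2048
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11

# 'listen' no longer takes an address; it moves to a 'bind' line
listen haproxy3-monitoring
    bind *:8080
    mode http
    stats enable
    stats uri /stats

frontend www-http
    bind *:80
    # 'reqadd' is deprecated and always runs before any 'http-request' rule
    # (the WARNING on cfg line 95); set-header gives the same header without
    # the ordering surprise
    http-request set-header X-Forwarded-Proto http
    default_backend mydomain.com

frontend www-https
    bind *:443 ssl crt /etc/haproxy/newcert.pem
    http-request set-header X-Forwarded-Proto https
    http-request deny if { method TRACE }
    default_backend mydomain.com

backend mydomain.com
    # ssl_fc only exists in an OpenSSL-enabled build
    redirect scheme https if !{ ssl_fc }
    http-response set-header X-Frame-Options DENY
    option httpchk HEAD / HTTP/1.1\r\nHost:\ localhost
    server brochure.staging.mydomain 10.10.11.14:80 check
```

Run `haproxy -c -f /etc/haproxy/haproxy.cfg` against the rebuilt binary before restarting; with an OpenSSL-less build the ssl keywords will still be reported as unknown regardless of these changes.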