SSL Backend on Custom Port Causes 503 Error

Hi,
I want to send my SSL traffic to an SSL server on a non-443 port, and it causes:
503 Service Unavailable
No server is available to handle this request.

But if I use the same port on the backend server for non-SSL traffic, the proxy works fine.
Also, if I use port 443 on the backend server for SSL traffic, it still works fine.
If I change the config to SSL passthrough on the same server and the same port, it works fine.
But an SSL backend on a custom port causes a 503 error.
This is my haproxy.conf:

global
        chroot /var/lib/haproxy

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # https://ssl-config.mozilla.org/#server=haproxy&version=2.0.3&config=intermediate&openssl=1.1.1k&guideline=5.6
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA>
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

        ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHAC>
        ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

        # Disable SSL Certificate Validation
        ssl-server-verify none

        tune.ssl.default-dh-param 2048
        # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/haproxy/dhparam.pem
        ssl-dh-param-file /etc/haproxy/dhparam.pem

defaults
        log global
        mode http
        option dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000

frontend Listen443
        bind *:443 ssl crt /root/************/fullchainwkey.pem
        mode http
        timeout client 60s
        option http-server-close
        option forwardfor except 127.0.0.0/8
        http-request add-header X-Forwarded-Proto https
        http-request add-header X-Forwarded-Port 443
        # HSTS (63072000 seconds)
        http-response add-header Strict-Transport-Security max-age=63072000
        
        default_backend vp12

backend vp12
        timeout connect 10s
        timeout server 10s
        server ***.*********.*** ###.###.###.###:440 ssl verify none

I am sure that the backend port is open and accessible from the frontend server; just removing “ssl verify none” shows a server error saying “You’re speaking plain HTTP to an SSL-enabled server port”, so I am sure the backend server is accessible from the frontend server.
I can telnet to ###.###.###.###:440 (to make sure that port 440 is open).
###.###.###.###:440 is accessible with a browser.
I also tried removing “http-request add-header X-Forwarded-Port 443” from the frontend and adding “http-request add-header X-Forwarded-Port 440” to the backend, but it still does not work.

Sorry for my bad English.

It was a silly mistake.
I should have used
" http-request set-header X-Forwarded-Port 440"
instead of
" http-request add-header X-Forwarded-Port 443"
In short:
add-header → set-header
Probably using it in the backend is a better idea.

Thanks
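The change the poster describes, as an added example that is not part of the original thread: the same frontend/backend pair with `add-header` replaced by `set-header`, the port header moved to the backend that actually listens on 440, and backend certificate verification in place of `verify none`. The certificate path, server name, backend address and CA file below are placeholders (the real ones are masked in the post).

```haproxy
# Added example, not from the thread. Paths, names and addresses are placeholders.

frontend Listen443
        bind *:443 ssl crt /etc/haproxy/certs/site.pem   # placeholder cert path
        mode http
        option http-server-close
        option forwardfor except 127.0.0.0/8
        # set-header replaces any X-Forwarded-* value the client sent along;
        # add-header would append to it, so a client-supplied value would
        # reach the backend next to ours.
        http-request set-header X-Forwarded-Proto https
        # HSTS (63072000 seconds)
        http-response set-header Strict-Transport-Security max-age=63072000
        default_backend vp12

backend vp12
        timeout connect 10s
        timeout server 10s
        # The port the backend really listens on, set (not added) so the
        # header carries exactly one value.
        http-request set-header X-Forwarded-Port 440
        # Verify the backend certificate instead of "verify none";
        # ca.pem is a placeholder for the CA that issued the backend cert.
        # Add "sni str(<backend hostname>)" if the backend picks its
        # certificate by SNI.
        server vp12-1 192.0.2.10:440 ssl verify required ca-file /etc/haproxy/ca.pem check
```

Check the syntax with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading, then send one request through the proxy and confirm the backend sees a single `X-Forwarded-Port: 440`. Keeping `verify none` (or the global `ssl-server-verify none` in the posted config) makes the proxy-to-backend TLS connection accept any certificate, so it only protects against passive eavesdropping, not against a host that impersonates the backend.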

Make sure that you are listening on the port on the frontend:

bind *:440 …

Also specify the same port on the backend.

When you restart haproxy, check netstat -na to make sure you are listening on port 440 (all servers). Where are you doing the SSL handshake, at the frontend or the backend? You could get by with passthrough and keep the SSL handshake on the backend server; currently you are doing the handshake on the haproxy frontend.