SSL connections with non-SSL backend


#1

Hi, I’m trying to figure out if HA Proxy could be used in the way I want it to.

I have a simple REST API running on localhost:8080 and I want to use HA Proxy to add SSL support. I already have all the certificates in place and haproxy seems to run without problems. But every time I try to invoke my API over HTTPS I get a 109 error (Network unreachable) because I think it’s looking for my backend server running on port 443 but there’s no SSL there.

Here’s my config at the moment (I tried many different configurations):

global
   log /dev/log local0
   log /dev/log local1 notice
   chroot /var/lib/haproxy
   stats timeout 30s
   user haproxy
   group haproxy
   daemon
   ssl-default-bind-options no-sslv3

defaults
   log global
   mode http
   option httplog
   option dontlognull
   timeout connect 5000
   timeout client 50000
   timeout server 50000
   stats uri /haproxy?stats

frontend http_front
   mode http
   bind *:80
   bind *:443 ssl crt /etc/ssl/certs/server.bundle.pem
   default_backend http_back

backend http_back
   mode http
   option forwardfor
   redirect scheme https if !{ ssl_fc }
   server my-api 127.0.0.1:8080 check ssl verify none
   http-request set-header X-Forwarded-Port %[dst_port]
   http-request add-header X-Forwarded-Proto https if { ssl_fc }

Any help will be much appreciated!

Cheers,
Gabriel.


#2

If the backend is not SSL enabled, don’t enable SSL on the backend. Remove “ssl verify none”, just leaving:

server my-api 127.0.0.1:8080 check


#3

Just fixed it. For those who might experience a similar problem this is what solved my problem:

  1. Re-installing HA Proxy with SSL support
     make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 USE_CRYPT_H=1 USE_LIBCRYPT=1
  2. Enabling port 443 on your firewall
     sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
     sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT

#4

Haproxy refuses to start with ssl configuration options, if it wasn’t built with SSL support, to avoid this kind of issue. Maybe haproxy never actually started previously?
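The three things this thread turned on (an HAProxy build without OpenSSL, `ssl` on a server line whose backend only speaks plain HTTP, and a proxy that never actually came up on 443) can be checked before debugging the traffic. The script below is an added example, not code from the thread or from the HAProxy project: each helper inspects text passed to it, so it runs against the constructed samples embedded here or, with `--live`, against real `haproxy -vv`, `ss -ltn` output and `/etc/haproxy/haproxy.cfg` (the `--live` switch and that config path are assumptions; the sample outputs are constructed, not captured from a host).

```shell
#!/bin/sh
# Added example (not from the thread): preflight checks for an HAProxy setup
# that terminates TLS on :443 and forwards plain HTTP to 127.0.0.1:8080.
# Each helper takes the text to inspect as an argument, so it works on live
# output (haproxy -vv, ss -ltn, the config file) or on the samples below.

# 1. Was HAProxy built with OpenSSL? `haproxy -vv` prints a
#    "Built with OpenSSL version : ..." line for USE_OPENSSL=1 builds.
has_ssl_support() {
    printf '%s\n' "$1" | grep -q '^Built with OpenSSL version'
}

# 2. Which `server` lines would make HAProxy speak TLS to the backend?
#    The `ssl` keyword on a server line is the thread's misconfiguration
#    when the backend only speaks plain HTTP.
tls_backend_servers() {
    printf '%s\n' "$1" | grep -E '^[[:space:]]*server[[:space:]]' | grep -Ew 'ssl'
}

# 3. Is something listening on the given TCP port? Takes `ss -ltn` (or
#    `netstat -ltn`) output; matches "0.0.0.0:443 ", "*:443 ", "[::]:443 ".
listening_on() {
    printf '%s\n' "$1" | grep -Eq ":$2[[:space:]]"
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_VV='HAProxy version 2.4.22 - https://haproxy.org/
Build options :
  TARGET  = linux-glibc
  OPTIONS = USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1
Built with OpenSSL version : OpenSSL 1.1.1f  31 Mar 2020'

SAMPLE_CFG='backend http_back
   mode http
   server my-api 127.0.0.1:8080 check ssl verify none'

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096         0.0.0.0:80        0.0.0.0:*
LISTEN 0      4096         0.0.0.0:443       0.0.0.0:*'

# Run the three checks, print a verdict for each, return the failure count.
run_checks() {
    vv=$1; cfg=$2; ss_out=$3; rc=0
    if has_ssl_support "$vv"; then
        echo "ok:   build has OpenSSL support"
    else
        echo "FAIL: haproxy built without OpenSSL; rebuild with USE_OPENSSL=1"
        rc=$((rc + 1))
    fi
    if tls_backend_servers "$cfg" >/dev/null; then
        echo "WARN: server lines below use TLS to the backend; drop 'ssl' if it is plain HTTP:"
        tls_backend_servers "$cfg"
        rc=$((rc + 1))
    else
        echo "ok:   no TLS-to-backend server lines"
    fi
    if listening_on "$ss_out" 443; then
        echo "ok:   port 443 is listening"
    else
        echo "FAIL: nothing listening on 443; haproxy may not have started"
        rc=$((rc + 1))
    fi
    return $rc
}

# With --live, inspect the running host (assumed paths/commands); otherwise
# run against the constructed samples, which reproduce the thread's config.
if [ "${1:-}" = "--live" ]; then
    run_checks "$(haproxy -vv)" "$(cat /etc/haproxy/haproxy.cfg)" "$(ss -ltn)" \
        || echo "$? check(s) failed"
else
    run_checks "$SAMPLE_VV" "$SAMPLE_CFG" "$SAMPLE_SS" \
        || echo "$? check(s) failed (expected: the sample keeps the thread's 'ssl verify none')"
fi
```

Against the samples the build and the listener pass and the `server ... ssl verify none` line is flagged, which is exactly the line post #2 says to trim to `server my-api 127.0.0.1:8080 check`.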