Really new to setting up HAProxy and definitely going through some growing pains here.
I’m accessing my website directly. I’m using pfsense 2.4.4 with haproxy (version 1.8.23) plugin.
I have valid Let’s Encrypt Certificates installed with pfsense for my domain.
I’m trying to use HAProxy simply as a reverse proxy with SSL termination for a backend Apache web server (only running on port 80).
I’m receiving errors when trying to access the site directly by my IP address:
Firefox: An error occurred during a connection to 69.xxx.xxx.xxx. SSL received a record that exceeded the maximum permissible length.
Error code: SSL_ERROR_RX_RECORD_TOO_LONG
Chrome: ERR_SSL_PROTOCOL_ERROR
Here is my HAProxy config file:
# Automaticaly generated, dont edit manually.
# Generated on: 2020-01-21 10:32
global
maxconn 1000
stats socket /tmp/haproxy.socket level admin expose-fd listeners
gid 80
nbproc 1
nbthread 1
hard-stop-after 15m
chroot /tmp/haproxy_chroot
daemon
tune.ssl.default-dh-param 2048
log-send-hostname url.com-HA
server-state-file /tmp/haproxy_server_state
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
listen HAProxyLocalStats
bind 127.0.0.1:2200 name localstats
mode http
stats enable
stats admin if TRUE
stats show-legends
stats uri /haproxy/haproxy_stats.php?haproxystats=1
timeout client 5000
timeout connect 5000
timeout server 5000
frontend shared-frontend-WAN-and-LAN-merged
bind 69.xxx.xxx.xxx:443 name 69.xxx.xxx.xxx:443 ssl crt-list /var/etc/haproxy/shared-frontend-WAN-and-LAN.crt_list
bind 10.0.1.1:443 name 10.0.1.1:443 ssl crt-list /var/etc/haproxy/shared-frontend-WAN-and-LAN.crt_list
mode http
log global
option http-keep-alive
option forwardfor
acl https ssl_fc
http-request set-header X-Forwarded-Proto http if !https
http-request set-header X-Forwarded-Proto https if https
timeout client 30000
acl ACL1 var(txn.txnhost) -m str -i url.com
acl ACL2 var(txn.txnhost) -m str -i www.url.com
http-request set-var(txn.txnhost) hdr(host)
use_backend url.com_ipv4 if ACL1
use_backend url.com_ipv4 if ACL2
frontend http-to-https
bind 69.xxx.xxx.xxx:80 name 69.xxx.xxx.xxx:80
mode http
log global
option http-keep-alive
timeout client 30000
redirect scheme https code 301 if !{ ssl_fc }
backend url.com_ipv4
mode http
id 10102
log global
option log-health-checks
timeout connect 30000
timeout server 30000
retries 3
source ipv4@ usesrc clientip
option httpchk OPTIONS /
server url.com 10.0.1.158:80 id 10103 check inter 100
I generated the ssl-default-bind-ciphers/options, ssl-default-server-ciphers/options using the Mozilla SSL generator: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.1&config=intermediate
Thanks for any advice.
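Added example, not from the post above and not pfSense or HAProxy code: a small Python diagnostic that shows why a browser reports SSL_ERROR_RX_RECORD_TOO_LONG and lets you check what a port is actually speaking. The first five bytes of a plain-HTTP reply ("HTTP/") parse as a TLS record header whose length field is 20527, above the 18432-byte maximum, which is exactly the error Firefox prints, so the check is worth running against your own listener before touching ciphers or certificates. The sample byte strings are constructed; the host in the usage block is a placeholder, not the poster's address.

```python
import socket
import ssl

# A TLS record header is 5 bytes: content type (1), protocol version (2), length (2).
# RFC 5246 section 6.2.3 caps a TLSCiphertext record at 2^14 + 2048 bytes; NSS reports
# anything larger as SSL_ERROR_RX_RECORD_TOO_LONG.
TLS_MAX_RECORD = 16384 + 2048
TLS_CONTENT_TYPES = {
    0x14: "change_cipher_spec",
    0x15: "alert",
    0x16: "handshake",
    0x17: "application_data",
}

# Constructed samples: what a browser would receive from a plain Apache on 443
# versus a real TLS listener answering a bad request with an alert record.
SAMPLE_PLAIN_HTTP = b"HTTP/1.1 200 OK\r\nServer: Apache\r\n"
SAMPLE_TLS_ALERT = bytes.fromhex("15 03 01 00 02 02 2f")


def classify_first_bytes(data: bytes) -> dict:
    """Read the first five bytes the way a TLS client would and say what it concludes."""
    if len(data) < 5:
        return {"verdict": "closed_or_short", "bytes": len(data)}
    ctype = data[0]
    version = (data[1], data[2])
    length = int.from_bytes(data[3:5], "big")
    if ctype in TLS_CONTENT_TYPES and version[0] == 3 and version[1] <= 4 and length <= TLS_MAX_RECORD:
        return {"verdict": "tls", "record_type": TLS_CONTENT_TYPES[ctype], "length": length}
    if data.startswith(b"HTTP/") or data.lstrip().startswith(b"<"):
        # "HTTP/" decodes as type 0x48, version 0x5454, length 0x502F = 20527 bytes,
        # which exceeds TLS_MAX_RECORD: the browser's "record too long" complaint.
        return {"verdict": "plaintext_http", "length_as_tls": length, "too_long": length > TLS_MAX_RECORD}
    return {"verdict": "unknown", "first_bytes": data[:5].hex()}


def probe_port(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Send a plain HTTP request to the port and classify whatever comes back.

    A TLS listener either closes the connection or answers with a TLS alert
    record; a plain-HTTP listener (Apache reached without HAProxy in the path)
    answers with "HTTP/1.x ...".
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        try:
            data = sock.recv(64)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_first_bytes(data)


def tls_handshake_summary(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Complete a TLS handshake for diagnosis only and report what was negotiated.

    Verification is disabled on purpose so the probe shows what the listener
    serves even when the name or chain is wrong; it says nothing about trust.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert(binary_form=True) or b""
                return {"verdict": "tls", "version": tls.version(), "cert_der_bytes": len(cert)}
    except ssl.SSLError as exc:
        return {"verdict": "handshake_failed", "reason": exc.reason}


if __name__ == "__main__":
    print("constructed plain HTTP:", classify_first_bytes(SAMPLE_PLAIN_HTTP))
    print("constructed TLS alert:", classify_first_bytes(SAMPLE_TLS_ALERT))
    target = "203.0.113.10"  # placeholder address, replace with the listener under test
    print("raw probe:", probe_port(target))
    print("handshake:", tls_handshake_summary(target))
```

If `probe_port` on your public address returns `plaintext_http`, port 443 is reaching Apache (or something else that is not the HAProxy frontend) rather than the `ssl crt-list` bind, and no cipher or certificate setting in the config above will change that; if it returns `tls` and `tls_handshake_summary` succeeds, the listener is fine and the browser error comes from somewhere else on the path.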