I am trying to set up an HTTPS frontend with ACLs to HTTPS backends for the Ubuntu and RHEL private repositories at our company.
When doing so I get TLS errors in the browsers (NET::ERR_CERT_INVALID)
and when doing apt update I get:
gnutls_handshake() failed: The TLS connection was non-properly terminated.
When I do an HTTP frontend and ACLs to HTTPS backends it works well. Server config - the commented parts are the things I tried:
global
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ssl-default-bind-ciphers
Yes it was commented out.
When I run:
haproxy -f /etc/haproxy/haproxy.cfg -V -d
All I see is:
00000004:linuxrepos.accept(0008)=0009 from [X.X.X.X:54353]
00000004:linuxrepos.clicls[0009:ffffffff]
00000004:linuxrepos.closed[0009:ffffffff]
00000005:linuxrepos.accept(0008)=0009 from [X.X.X.X:54648]
00000005:linuxrepos.clicls[0009:ffffffff]
00000005:linuxrepos.closed[0009:ffffffff]
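For reference, an added example of the configuration shape the thread is converging on: an HTTPS frontend that terminates TLS on port 443 and re-encrypts to the HTTPS backends, with the backend certificates verified. This is not the poster's configuration and not HAProxy project code; the hostnames, backend addresses, certificate paths and cipher list are assumptions. The debug output above (accept immediately followed by clicls/closed) is what you see when a browser or apt expects TLS on 443 but the bind line has no "ssl crt" material, so the client aborts the handshake.

```haproxy
# Added example, not the poster's config. Paths, names and addresses are assumed.
global
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    tune.ssl.default-dh-param 2048
    # Disable legacy protocol versions on the listening side and on backend connections
    ssl-default-bind-options no-sslv3 no-tlsv10
    ssl-default-server-options no-sslv3
    # A real cipher list must be present; an empty directive fails to start
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384

defaults
    log global
    mode http
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend linuxrepos
    # "ssl crt" is what makes this an HTTPS frontend. Without it HAProxy speaks
    # plain HTTP on 443, browsers report NET::ERR_CERT_INVALID and apt's GnuTLS
    # handshake fails. The PEM file (assumed path) holds the full chain plus key.
    bind *:443 ssl crt /etc/haproxy/certs/repos.example.com.pem
    http-request set-header X-Forwarded-Proto https
    acl is_ubuntu hdr(host) -i ubuntu.repos.example.com
    acl is_rhel   hdr(host) -i rhel.repos.example.com
    use_backend ubuntu_repo if is_ubuntu
    use_backend rhel_repo   if is_rhel
    default_backend ubuntu_repo

backend ubuntu_repo
    # "ssl verify required" checks the backend certificate against the CA bundle
    # (ca-file is relative to ca-base); verifyhost pins the expected name.
    server ubuntu1 10.0.0.11:443 ssl verify required ca-file ca-certificates.crt verifyhost ubuntu.repos.example.com check

backend rhel_repo
    server rhel1 10.0.0.12:443 ssl verify required ca-file ca-certificates.crt verifyhost rhel.repos.example.com check
```

With this in place, "openssl s_client -connect X.X.X.X:443" should show a completed handshake and the frontend certificate chain; if it instead prints an error right after CONNECTED, the bind line is still not terminating TLS.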
What happens when you access the backend directly with HTTPS (not HTTP)?
You said it worked with HTTP on the frontend, that is, port 80 (HTTP) in the frontend with the very same backend configuration as you have here, is that correct?
When I access the back-ends directly everything works OK, green lock on the browser.
When the front-end is HTTP (in my case I tested it on port 443 because this is what was open on the corporate FW), the configuration works well, just without the first SSL connection to the front-end.
I am on version 1.6.3 which is the one in the Ubuntu repository.
OK, reconfigure with SSL on port 443 and post the output of: openssl s_client -connect X.X.X.X:443
Also:
provide the output of haproxy -vv
provide the real SSL configuration you are using (the config above with an empty “ssl-default-bind-ciphers” directive doesn’t even start, so that is not the actual configuration you are using)