Hello,
We use a HAProxy loadbalancer in TCP mode with behind it a HAProxy reverse proxy in HTTP mode. (HAProxy version 2.4.22-f8e3218 2023/02/14)
–>HAProxy-LBS—>HAProxy-RPX—>webserver
After enabling the proxy-protocol between the loadbalancer and reverse-proxy we see “SSL handshake failure” errors every 2 seconds(lbs alive check…) in the HAProxy log of the reverse-proxy.
Loadbalancer backend config
backend be_<vip_name>_443
balance leastconn
mode tcp
server server1 10.0.0.1:10444 send-proxy-v2 check
server server2 10.0.0.2:10444 send-proxy-v2 check
Reverse-proxy:
bind *:10444 ssl crt <some cert.pem< ca-file <ca-bundle.crt> verify optional accept-proxy
If I disable the proxy-protocol on the LBS and RPX machines the errors don’t appear anymore.
Any suggestions how to debug this issue or any solutions?
Haproxy is supposed to use the proxy protocol for health checks as well, when it’s enabled.
However you can force it with the check-send-proxy
Thanks Lukas for your answer.
I have tried to add the option but with no success.
server node1 10.0.0.1:10444 check check-send-proxy send-proxy-v2
Then the request is not coming from LBS but somewhere else.
Maybe you have a monitoring systems that probes RPX and therefore causes this issue?
Thanks, but I only get those messages when enabling proxy protocol by adding “accept-proxy” and “send-proxy-v2”, If I remove the check keyword in the loadbalancer it also stops.
Also the source IP is from the loadbalancer.
There is not enough information in here to diagnose the issue.
If I’d need to guess and you are sure that there is nothing else involved, it possible old haproxy instances are running in the background with older configurations. Stop and kill all haproxy processes on both LBS and RBX to make sure. Compare PIDs in the logs to confirm.
Otherwise capture the offending traffic and analyse it manually, or provide full configuration and full log outputs.
Thanks Lukas.
I am very very sure the errors are generating because of the tcp-check the LBS is doing. Everything else is working. The strange thing is that I should expect this behaviour also when the proxy protocol is disabled, because of an unfinished SSL handshake, but that isn’t happening.
Hereby the configs anonymised, maybe you can find something in it:
LBS config:
global
log 127.0.0.1:514 local0
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 65536
user haproxy
group haproxy
daemon
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
tune.ssl.default-dh-param 2048
# utilize system-wide crypto-policies
#ssl-default-bind-ciphers PROFILE=SYSTEM
#ssl-default-server-ciphers PROFILE=SYSTEM
defaults
log global
mode http
option tcplog
option dontlognull
timeout connect 5000
timeout client 900s
timeout server 900s
frontend stats
bind *:8404
stats enable
stats uri /stats
stats refresh 10s
stats admin if LOCALHOST
frontend fe_vhost
mode tcp
bind 10.0.1.1:443
default_backend be_rpx
backend be_rpx
balance leastconn
mode tcp
server node1 10.0.0.1:10444 send-proxy check check-send-proxy
server node2 10.0.0.2:10444 send-proxy check check-send-proxy
RPX config anonymised:
global
log 127.0.0.1:514 local0
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
ca-base /etc/ssl/hap_ca_base/
tune.ssl.default-dh-param 2048
# utilize system-wide crypto-policies
#ssl-default-bind-ciphers PROFILE=SYSTEM
#ssl-default-server-ciphers PROFILE=SYSTEM
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 300s
timeout server 300s
maxconn 2000
errorfile 403 /etc/haproxy/errors/403.http
errorfile 404 /etc/haproxy/errors/404.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 503 /etc/haproxy/errors/503.http
frontend stats
bind *:8404
stats enable
stats uri /stats
stats refresh 10s
stats admin if LOCALHOST
frontend fe_rpx
mode http
bind *:10081 accept-proxy
bind *:10444 ssl crt /etc/ssl/hap_vhosts/cert.pem ca-file ca-bundle.crt verify optional accept-proxy
acl acl_is_ssl dst_port 10444
#Redirects
http-request redirect scheme https unless { ssl_fc }
#converts http to https in "Location" header
acl resp-is-location-hdr res.hdr(Location) -m found
acl resp-is-content-location-hdr res.hdr(Content-Location) -m found
http-response replace-header Location http://(.*) https://\1 if resp-is-location-hdr acl_is_ssl
http-response replace-header Content-Location http://(.*) https://\1 if resp-is-content-location-hdr acl_is_ssl
#Actions (HTTPS)
default_backend be_webserver
backend be_webserver
balance roundrobin
server webserver 10.0.10.1:80 check
Logs RPX:
Sep 10 20:32:06 localhost haproxy[2477679]: 10.0.0.1:39630 [10/Sep/2024:20:32:06.816] stats stats/<STATS> 0/0/0/0/0 200 2408 - - LR-- 1/1/0/0/0 0/0 "GET /stats;csv HTTP/1.1"
Sep 10 20:32:29 localhost haproxy[2477679]: 10.1.0.202:63557 [10/Sep/2024:20:32:29.133] fe_rpx~ be_rpx/<NOSRV> 0/-1/-1/-1/0 503 7714 - - SC-- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
Sep 10 20:32:30 localhost haproxy[2477679]: 10.0.0.17:53966 [10/Sep/2024:20:32:30.397] fe_rpx/2: SSL handshake failure
Yeah, I’m thinking that there may be a subtle difference in how haproxy handles this situation.
You could probably upgrade the health check itself to a SSL heatlh check to workaround this, as I’m not sure if there really is a ultimate solution to the core problem.
To do this, add the keywords:
check-ssl verify none
I’d have to reproduce and check that this is really it and if newer release behave the same.
The check-ssl workaround does not appear to be effective, there are currently two options:
upgrade to a full HTTP check (proxy protocol → TLS → HTTP check)
downgrade to a TCP check without the proxy protocol
For the second workaround: we have to trick haproxy into not using proxy protocol for the health check though, as their does not seem to be a proper way. To do this, we specify the port again, which is redundant for the passing traffic but will make sure that the health check does not use the proxy protocol:
backend be_rpx
balance leastconn
mode tcp
server node1 10.0.0.1:10444 send-proxy check port 10444
server node2 10.0.0.2:10444 send-proxy check port 10444
None of this is particularly nice.
Bugs are already filed for those behaviours:
opened 12:08PM - 02 Oct 23 UTC
type: bug
status: reviewed
### Detailed Description of the Problem
I am not 100% whether this is due to … misconfiguration or if I hit a bug here. I opened a discourse post before but after some more research I decided to open this issue.
I am trying to setup HAP as a Load Balancer to our backends which are running HAP as a reverse proxy. I am running HAP 2.8.3 in docker (default image) on both servers. Due to cookies for sticky sessions I am not running in tcp mode.
So far the setup is running and working, but my backend instance is getting spammed with the following error: `loadbalancerIP:port all_frontend/3: SSL handshake failure.`. **This is guaranteed to happen if TLS 1.3 is enabled** (but also occurs but somewhat seldomly running TLS 1.2 only)
My guess is this is related to the health check because this is happening “in idle” without anyone trying to request the website and only if the load balancer is running.
`server-full.pem` file consists of (in this order): key, cert, ca2, root
`chain.pem` file consists of: ca2, root
### Expected Behavior
No Handshake failures from health checks
### Steps to Reproduce the Behavior
1. Start HAProxy Load Balancer with TLS 1.3 enabled
2. Start HAProxy Reverse Proxy with TLS 1.3 enabled
3. Wait for Handshake failure on the Reverse Proxy
### Do you have any idea what may have caused this?
TLS 1.3
### Do you have an idea how to solve the issue?
_No response_
### What is your configuration?
Cipher/Suites via `https://ssl-config.mozilla.org/#server=haproxy&version=2.8.3&config=intermediate&openssl=1.1.1n&hsts=false&ocsp=false&guideline=5.7`
LOAD BALANCER
```haproxy
global
log stdout format raw local0
log stdout format raw local1 notice
stats socket /var/lib/haproxy/admin.sock user haproxy group haproxy mode 660 level admin expose-fd listeners
stats timeout 30s
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
tune.ssl.default-dh-param 2048
ssl-dh-param-file /usr/local/etc/haproxy/dhparam2048.pem
defaults
log global
mode http
option httpslog
option dontlognull
option forwardfor
timeout connect 120s
timeout client 120s
timeout server 120s
timeout http-request 120s
errorfile 400 /usr/local/etc/haproxy/errors/400.http
errorfile 403 /usr/local/etc/haproxy/errors/403.http
errorfile 408 /usr/local/etc/haproxy/errors/408.http
errorfile 500 /usr/local/etc/haproxy/errors/500.http
errorfile 502 /usr/local/etc/haproxy/errors/502.http
errorfile 503 /usr/local/etc/haproxy/errors/503.http
errorfile 504 /usr/local/etc/haproxy/errors/504.http
userlist AuthUsers
user admin00 password REDACTED
listen admin
bind *:8090 ssl crt /etc/ssl/certs/server-full.pem
mode http
stats enable
stats uri /
stats refresh 5s
stats realm HAProxy\ Statistics
stats hide-version
http-request auth unless { http_auth(AuthUsers) }
frontend all_frontend
description Front-end for all traffic
bind *:80
bind *:443 ssl crt /etc/ssl/certs/server-full.pem
mode http
http-request set-header X-Real-IP %ci
http-request add-header X-Forwarded-Host %[req.hdr(host)]
http-response add-header X-XSS-Protection "1; mode=block"
http-response del-header X-Powered-By
http-response set-header Via "HTTP/2.0 loadbalancer.domain.net"
redirect scheme https code 301 unless { ssl_fc }
default_backend jira_nodes
backend jira_nodes
balance leastconn
server server1 server1.domain.net:8443 check ssl verify required ca-file /etc/ssl/certs/chain.pem cookie server1 send-proxy-v2-ssl
server server2 server2.domain.net:8443 check ssl verify required ca-file /etc/ssl/certs/chain.pem cookie server2 send-proxy-v2-ssl
cookie JSESSIONID prefix nocache
```
REVERSE PROXY
```haproxy
global
log stdout format raw local0
log stdout format raw local1 notice
stats socket /var/lib/haproxy/admin.sock user haproxy group haproxy mode 660 level admin expose-fd listeners
stats timeout 30s
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options prefer-client-ciphers no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
ssl-default-server-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
tune.ssl.default-dh-param 2048
ssl-dh-param-file /usr/local/etc/haproxy/dhparam2048.pem
defaults
log global
mode http
option httpslog
option dontlognull
option forwardfor
timeout connect 120s
timeout client 120s
timeout server 120s
timeout http-request 120s
errorfile 400 /usr/local/etc/haproxy/errors/400.http
errorfile 403 /usr/local/etc/haproxy/errors/403.http
errorfile 408 /usr/local/etc/haproxy/errors/408.http
errorfile 500 /usr/local/etc/haproxy/errors/500.http
errorfile 502 /usr/local/etc/haproxy/errors/502.http
errorfile 503 /usr/local/etc/haproxy/errors/503.http
errorfile 504 /usr/local/etc/haproxy/errors/504.http
default-server init-addr last,libc,none
frontend all_frontend
description Front-end for all traffic
bind *:80
bind *:443 ssl crt /etc/ssl/certs/server-full.pem
bind *:8443 ssl crt /etc/ssl/certs/server-full.pem accept-proxy
mode http
acl source_loadbalancer hdr(host) -i "loadbalancer.domain.net"
acl source_directaccess hdr(host) -i "serverX.domain.net"
http-request set-header X-Real-IP %ci
http-request add-header X-Forwarded-Host %[req.hdr(host)]
redirect scheme https code 301 unless { ssl_fc }
use_backend jira_balanced if source_loadbalancer
use_backend jira_directaccess if source_directaccess
backend jira_balanced
server jira_balanced host.docker.internal:8080 check
backend jira_directaccess
server jira_directaccess host.docker.internal:8082 check
```
### Output of `haproxy -vv`
```plain
HAProxy version 2.8.3-86e043a 2023/09/07 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2028.
Known bugs: http://www.haproxy.org/bugs/bugs-2.8.3.html
Running on: Linux 5.4.0-159-generic #176-Ubuntu SMP Mon Aug 14 12:04:20 UTC 2023 x86_64
Build options :
TARGET = linux-glibc
CPU = generic
CC = cc
CFLAGS = -O2 -g -Wall -Wextra -Wundef -Wdeclaration-after-statement -Wfatal-errors -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int -Wno-atomic-alignment
OPTIONS = USE_GETADDRINFO=1 USE_OPENSSL=1 USE_LUA=1 USE_PROMEX=1 USE_PCRE2=1 USE_PCRE2_JIT=1
DEBUG = -DDEBUG_STRICT -DDEBUG_MEMORY_POOLS
Feature list : -51DEGREES +ACCEPT4 +BACKTRACE -CLOSEFROM +CPU_AFFINITY +CRYPT_H -DEVICEATLAS +DL -ENGINE +EPOLL -EVPORTS +GETADDRINFO -KQUEUE -LIBATOMIC +LIBCRYPT +LINUX_CAP +LINUX_SPLICE +LINUX_TPROXY +LUA +MATH -MEMORY_PROFILING +NETFILTER +NS -OBSOLETE_LINKER +OPENSSL -OPENSSL_WOLFSSL -OT -PCRE +PCRE2 +PCRE2_JIT -PCRE_JIT +POLL +PRCTL -PROCCTL +PROMEX -PTHREAD_EMULATION -QUIC +RT +SHM_OPEN +SLZ +SSL -STATIC_PCRE -STATIC_PCRE2 -SYSTEMD +TFO +THREAD +THREAD_DUMP +TPROXY -WURFL -ZLIB
Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with multi-threading support (MAX_TGROUPS=16, MAX_THREADS=256, default=2).
Built with OpenSSL version : OpenSSL 1.1.1n 15 Mar 2022
Running on OpenSSL version : OpenSSL 1.1.1n 15 Mar 2022
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.3
Built with the Prometheus exporter as a service
Built with network namespace support.
Built with libslz for stateless compression.
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE2 version : 10.36 2020-12-04
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with gcc compiler version 10.2.1 20210110
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
h2 : mode=HTTP side=FE|BE mux=H2 flags=HTX|HOL_RISK|NO_UPG
fcgi : mode=HTTP side=BE mux=FCGI flags=HTX|HOL_RISK|NO_UPG
<default> : mode=HTTP side=FE|BE mux=H1 flags=HTX
h1 : mode=HTTP side=FE|BE mux=H1 flags=HTX|NO_UPG
<default> : mode=TCP side=FE|BE mux=PASS flags=
none : mode=TCP side=FE|BE mux=PASS flags=NO_UPG
Available services : prometheus-exporter
Available filters :
[BWLIM] bwlim-in
[BWLIM] bwlim-out
[CACHE] cache
[COMP] compression
[FCGI] fcgi-app
[SPOE] spoe
[TRACE] trace
```
### Last Outputs and Backtraces
```plain
Sep 26 10:22:30 serverX container/haproxy[93551]: loadbalancer:57912 [26/Sep/2023:10:22:30.481] all_frontend/3 1/1 34/ 0000000000000000/0/0/0 -/TLSv1.3/TLS_AES_128_GCM_SHA256
```
### Additional Information
_No response_
opened 04:23PM - 21 Mar 24 UTC
type: bug
subsystem: ssl
status: future fix
### Detailed Description of the Problem
I have two servers running HAProxy on… each. HAProxy is configured to do TLS between the two servers. Servers have addresses 172.21.6.3 and 172.21.6.4. In the example below 172.21.6.4 is the client and 172.21.6.3 is the server.
I can use `openssl s_client` to connect from one to the other. This works fine and I can make a request through it, not shown below as it's quite verbose.
```
openssl s_client -connect 172.21.6.3:1982 crt /path/to/cert.pem -tls1_2
```
However my logs show this sort of thing regularly (every few seconds or so):
```
Mar 21 15:02:28 localhost.localdomain haproxy[914]: 172.21.6.4:14396 [21/Mar/2024:15:02:28.275] my_proxy/1: SSL handshake failure
```
Given I can make connections between the two servers manually, I believe my configuration is valid.
The attached pcap file shows the handshake it's complaining about, which does not look broken to me. Please rename as a pcap before opening in wireshark (I renamed it due to GitHub restrictions). Also showing screenshot for easy reference.
[haproxy.txt](https://github.com/haproxy/haproxy/files/14704169/haproxy.txt)
### Expected Behavior
No handshake errors in logs.
### Steps to Reproduce the Behavior
Hopefully described by the config section.
1. Configure HAProxy on two servers in the way described.
2. Observe the output in logs.
### Do you have any idea what may have caused this?
No. In the same configuration on 1.5.18 I did not see these errors. Best guess is that haproxy checks are completing a handshake and tearing it down on one side; and the other think the RST sent is an error so reports it.
### Do you have an idea how to solve the issue?
None, beyond live with the errors in logs.
### What is your configuration?
On the server side:
```haproxy
frontend my_proxy
bind 172.21.6.3:1982 ssl crt /path/to/cert.pem ca-file /path/to/ca.crt verify required ssl-max-ver TLSv1.2
default_backend my_backend
```
And on the client side:
```haproxy
backend remote_server
server remote_server:172.21.6.3 172.21.6.3:1982 check check-ssl ssl crt /path/to/cert.pem verify none ssl-max-ver TLSv1.2
```
### Output of `haproxy -vv`
```plain
HAProxy version 2.4.17-9f97155 2022/05/13 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2026.
Known bugs: http://www.haproxy.org/bugs/bugs-2.4.17.html
Running on: Linux 5.14.0-284.48.1.msw.2.el9_2.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Feb 6 12:47:45 GMT 2024 x86_64
Build options :
TARGET = linux-glibc
CPU = generic
CC = cc
CFLAGS = -O2 -g -Wall -Wextra -Wdeclaration-after-statement -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
OPTIONS = USE_PCRE2=1 USE_LINUX_TPROXY=1 USE_CRYPT_H=1 USE_GETADDRINFO=1 USE_OPENSSL=1 USE_LUA=1 USE_SLZ=1 USE_SYSTEMD=1 USE_PROMEX=1
DEBUG =
Feature list : +EPOLL -KQUEUE +NETFILTER -PCRE -PCRE_JIT +PCRE2 -PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +BACKTRACE -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -CLOSEFROM -ZLIB +SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL -PROCCTL +THREAD_DUMP -EVPORTS -OT -QUIC +PROMEX -MEMORY_PROFILING
Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with multi-threading support (MAX_THREADS=64, default=1).
Built with OpenSSL version : OpenSSL 3.0.7 1 Nov 2022
Running on OpenSSL version : OpenSSL 3.0.7 1 Nov 2022
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.4.4
Built with the Prometheus exporter as a service
Built with network namespace support.
Built with libslz for stateless compression.
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE2 version : 10.40 2022-04-14
PCRE2 library supports JIT : no (USE_PCRE2_JIT not set)
Encrypted password support via crypt(3): yes
Built with gcc compiler version 11.3.1 20221121 (Red Hat 11.3.1-4)
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
h2 : mode=HTTP side=FE|BE mux=H2 flags=HTX|CLEAN_ABRT|HOL_RISK|NO_UPG
fcgi : mode=HTTP side=BE mux=FCGI flags=HTX|HOL_RISK|NO_UPG
h1 : mode=HTTP side=FE|BE mux=H1 flags=HTX|NO_UPG
<default> : mode=HTTP side=FE|BE mux=H1 flags=HTX
none : mode=TCP side=FE|BE mux=PASS flags=NO_UPG
<default> : mode=TCP side=FE|BE mux=PASS flags=
Available services : prometheus-exporter
Available filters :
[SPOE] spoe
[CACHE] cache
[FCGI] fcgi-app
[COMP] compression
[TRACE] trace
```
### Last Outputs and Backtraces
_No response_
### Additional Information
_No response_
Thanks Lukas for your time and support!
I have implemented the second workaround and this solved the issue.
1 Like
I want you to know that we don’t see this behaviour on HA-Proxy version 1.8.27-493ce0b 2020/11/06…
It stilll there just different (1.8.27-493ce0b):
Connection error during SSL handshake
instead of:
SSL handshake failure