SSL haproxy to apache2

Hello everyone

I think I made a mistake in my haproxy configuration and I don’t see how to modify it without interrupting the service.

I have a haproxy configured to forward the stream to multiple apache servers in my LAN. On the haproxy I have letsencrypt which updates SSL certificates. And on Apache, I also have a running letsencrypt (legacy…). When there is a certificate update, some sites crash. So I would like to be sure that the connection is encrypted from haproxy to apache.
The haproxy refers to Apache 443. But I think I should have sent it back to 80, and afterwards on the Apaches it goes to 443, but it wouldn’t be end-to-end encrypted. Could you tell me how to do it, because I’m going in circles?

Here is my haproxy.cfg:

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

########### STATS ###############################
listen stats
    bind 192.168.0.206:8404
    stats enable
    stats uri /monitor
    stats refresh 5s
    stats auth admin:admin

########### FRONTEND ############################
frontend http-in
        bind *:80

        acl http ssl_fc,not
        http-request redirect scheme https if http

frontend https-in
        bind *:443 ssl crt-list /etc/haproxy/certs/domains_list.txt

        option forwardfor
        option forwardfor header X-Real-IP
        acl letsencrypt-acl path_beg /.well-known/acme-challenge/
        use_backend letsencrypt-back if letsencrypt-acl

        ####### ACL
        ## TEST
        acl TEST_mysite_URL hdr_dom(host) -i mysite.mysdomain
        use_backend TEST_mysite if { hdr(host) -i mysite.mysdomain }
backend TEST_mysite
    mode http
    server test 192.168.10.51:443 weight 1 maxconn 8192 check ssl verify none

and on my apache:

<VirtualHost 192.168.10.51:80>
    ServerName mysite.mydomain
    ServerAdmin tech@mysite.mydomain

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =mysite.mydomain
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

<IfModule mod_ssl.c>
    <VirtualHost 192.168.10.51:443>
        ServerName mysite.mydomain
        ServerAdmin tech@mysite.mydomain

        ErrorLog /var/log/apache2/mysite.mydomain/error.log
        CustomLog /var/log/apache2/mysite.mydomain/access.log combined

        <Proxy *>
            Order deny,allow
            Allow from All
        </Proxy>

        DocumentRoot "/var/www/public/mysite-front"

        <Directory "/var/www/public/mysite-front">
            AllowOverride None
            Order allow,deny
            Allow from all
            RewriteEngine on
            RewriteBase /

            RewriteRule ^../index\.html$ - [L]

            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteCond %{REQUEST_FILENAME} !-d
            RewriteRule (..) $1/index.html [L]

            RewriteCond %{HTTP:Accept-Language} ^fr [NC]
            RewriteRule ^$ /fr/ [R]

            RewriteCond %{HTTP:Accept-Language} ^de [NC]
            RewriteRule ^$ /de/ [R]

            RewriteCond %{HTTP:Accept-Language} !^fr [NC]
            RewriteRule ^$ /en/ [R]
        </Directory>

        # API
        ProxyPassMatch "^/v(\d)/(.*)" "http://localhost:8070/api/api-mysite.mydomain/v$1/$2"

        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/mysite.mydomain/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/mysite.mydomain/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/mysite.mydomain/fullchain.pem
    </VirtualHost>
</IfModule>

what do you mean by “some sites crash”? can they be reached without haproxy? is it possible to connect to those apache sites via https?

you could do ssl termination on haproxy and then have an unencrypted connection on port 80 to apache. but, as you said, there is no end-to-end encryption on the complete path, only from browser to haproxy. if you have complete control over your lan (the connection from haproxy to apache), then this could be a way.

if you configure apache to use ssl, then the connection from browser to haproxy is encrypted; haproxy will then terminate this connection and send it (newly) encrypted to the apache backend. so your setup is correct and good.

it would be good to see some logs (access and error) when you connect. are there errors on haproxy? is the apache backend up and running? do you see any error messages in apache or haproxy? any error in letsencrypt? are you sure that the apache backend is restarted after the cert update through letsencrypt? maybe you run into an invalid ssl cert problem?

you have set up your backend with “ssl verify none”; that means that you will not validate the ssl certificate against any root cert. that's good and perfect as long as you have control over the apache. it means that you could also use a self-signed (long-running) ssl certificate on the backend, so you still have the encryption with ssl.
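As an added example, not code from either post in this thread: the suggestion above of a long-running self-signed certificate on the Apache backend, carried one step further so that HAProxy pins it with `verify required ca-file` instead of `verify none` (with `verify none` the backend is encrypted but not authenticated, so any host answering on 192.168.10.51:443 would be accepted). The script generates the certificate, prints the hardened `server` line for the `TEST_mysite` backend, and includes the two checks worth running when sites break after a renewal: does the backend certificate verify against the pinned file, and is it still valid. It assumes openssl 1.1.1 or newer, the hostname and backend address from the thread's configs, and an assumed CA file path of /etc/haproxy/certs/mysite.mydomain.crt on the HAProxy host.

```shell
#!/bin/sh
# Added example (not from the thread): replace "ssl verify none" on the HAProxy
# backend with a pinned, long-lived self-signed certificate for the Apache host.
# Assumptions: openssl >= 1.1.1 is installed; the hostname mysite.mydomain and
# backend 192.168.10.51:443 come from the thread; the ca-file path is assumed.

# Generate a 10-year self-signed certificate for the backend name.
# Usage: make_backend_cert OUTDIR HOSTNAME -> OUTDIR/HOSTNAME.key and .crt
make_backend_cert() {
    outdir="$1"; host="$2"
    openssl req -x509 -nodes -newkey rsa:2048 -days 3650 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$outdir/$host.key" -out "$outdir/$host.crt" >/dev/null 2>&1
}

# Return 0 only if CERT chains to a certificate in CAFILE. This is the check
# HAProxy performs with "verify required ca-file CAFILE" and skips entirely
# with "verify none". For a self-signed backend cert, CAFILE is the cert itself.
verify_against_cafile() {
    cafile="$1"; cert="$2"
    openssl verify -CAfile "$cafile" "$cert" >/dev/null 2>&1
}

# Return 0 if the PEM certificate in CERT is still valid for at least DAYS days.
# Run it on the certificate Apache actually serves (saved with
# "openssl s_client -showcerts") to confirm a renewal was really loaded.
cert_valid_for_days() {
    cert="$1"; days="$2"
    openssl x509 -noout -in "$cert" -checkend $((days * 86400)) >/dev/null 2>&1
}

# Print the hardened HAProxy server line for the thread's TEST_mysite backend:
# the certificate must verify against the pinned file and its name must match
# the SNI sent for both traffic (sni) and health checks (check-sni).
haproxy_server_line() {
    host="$1"; addr="$2"
    printf 'server test %s weight 1 maxconn 8192 check ssl verify required ca-file /etc/haproxy/certs/%s.crt sni str(%s) check-sni %s\n' \
        "$addr" "$host" "$host" "$host"
}

# Stand-alone demonstration in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    make_backend_cert "$tmp" mysite.mydomain
    echo "Apache:  SSLCertificateFile $tmp/mysite.mydomain.crt"
    echo "         SSLCertificateKeyFile $tmp/mysite.mydomain.key"
    echo "HAProxy: $(haproxy_server_line mysite.mydomain 192.168.10.51:443)"
    if verify_against_cafile "$tmp/mysite.mydomain.crt" "$tmp/mysite.mydomain.crt"; then
        echo "pinned ca-file: backend certificate verifies"
    fi
    if ! verify_against_cafile /dev/null "$tmp/mysite.mydomain.crt"; then
        echo "no ca-file: verification fails, which is why 'verify none' was needed"
    fi
    if cert_valid_for_days "$tmp/mysite.mydomain.crt" 30; then
        echo "certificate valid for at least 30 more days"
    fi
    rm -rf "$tmp"
}
demo
```

Copy the generated .crt to the HAProxy host at the path named in the server line and point the Apache `SSLCertificateFile`/`SSLCertificateKeyFile` at the .crt/.key (dropping the Let's Encrypt paths and `SSLCertificateChainFile` for that vhost); the browser never sees this certificate, since HAProxy keeps serving the Let's Encrypt one from its `crt-list`. After the change, `haproxy -c -f /etc/haproxy/haproxy.cfg` validates the syntax and the stats page at /monitor shows whether the pinned check passes.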