SSL Passthrough Not Working

Hello. I’m rather new to HA Proxy, and I’m having issues getting SSL Passthrough working. I have narrowed my configuration to demonstrate the issue (redacted):

```
# frontend specific configuration
frontend http-in
    mode tcp

    #bind *:443 ssl crt /etc/haproxy/certs
    bind *:443
    no option httpclose
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    # define a default backend
    default_backend servers

# backend specific configuration
backend servers
    mode tcp
    option log-health-checks
    balance leastconn

    # define health check using HTTP OPTIONS call
    option httpchk OPTIONS / HTTP/1.1

    server svr1 1.2.3.4:18082 check ssl verify required verifyhost example1.com ca-file /etc/haproxy/backend-trust-ca/backend-trust-ca.pem
    #server svr1 1.2.3.4:18082
```

Testing with curl, I get an error:

$ curl -I https://example.com/
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
$

The backend check works, as I see this in the logs:

[WARNING] 077/095549 (25563) : Health check for server servers/svr1 succeeded, reason: Layer7 check passed, code: 200, info: "OK", check duration: 3ms, status: 3/3 UP.

And I can see in the status page that it shows as active up too.

I can get it to work if I change the binding on the front end to do ssl (see it commented out above). But if I understand things properly, that will decrypt the SSL, instead of simply passing the tcp connection on to the back end. And I can also get it to work if I remove the check from the back end (see it commented out above). But I really need to be able to do these checks to make sure that the backend servers are healthy. When I make one of those changes, with curl I get:

ssa-syr-taz:~$ curl -I https://example.com/
HTTP/1.1 405 Method Not Allowed
[snip]

It almost seems like either of those changes puts haproxy into http mode. In fact, it works if I configure haproxy to use http mode. But I do not want to decrypt the session in haproxy.

Running haproxy in debug mode does not seem to show a difference between a curl connection that works and one that does not.

00000003:http-in.accept(0007)=000d from [1.2.3.10:54194] ALPN=<none>
00000003:servers.srvcls[adfd:adfd]
00000003:servers.clicls[adfd:adfd]
00000003:servers.closed[adfd:adfd]

A packet capture of the failure shows haproxy resetting the connection:

11:06:32.875119 IP 1.2.3.10.54244 > 1.2.3.7.443: Flags [S], seq 2513995732, win 29200, options [mss 1460,sackOK,TS val 788408339 ecr 0,nop,wscale 7], length 0
11:06:32.875154 IP 1.2.3.7.443 > 1.2.3.10.54244: Flags [R.], seq 0, ack 2513995733, win 0, length 0

I’m running version 2.0.13.

$ haproxy -v
HA-Proxy version 2.0.13-1~bpo10+1 2020/02/15 - https://haproxy.org/

I suspect either I’m trying to do something that is not supported, or I have something misconfigured. Any help of things to try or ways to get additional logs / debugging would be great. Thank you!

You already have a working configuration (no ssl keyword on bind line, no ssl keyword on the server line), the only thing that is missing is the health check.

And you can force an SSL health-check despite not using SSL for the rest by using the check-ssl keyword.

So your configuration would look like this (abbreviated):

```
frontend http-in
    mode tcp
    bind *:443
    default_backend servers

backend servers
    mode tcp
    option log-health-checks
    balance leastconn
    # define health check using HTTP OPTIONS call
    option httpchk OPTIONS / HTTP/1.1
    server svr1 1.2.3.4:18082 check check-ssl verify required verifyhost example1.com ca-file /etc/haproxy/backend-trust-ca/backend-trust-ca.pem
```

Make sure ssl is only mentioned in the check-ssl keyword and nowhere else and make sure you don’t mix up check ssl with check-ssl.
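The "ssl only inside check-ssl" rule from the answer is easy to lint mechanically before reloading haproxy. The script below is an added example, not part of this thread or of HAProxy itself: it flags a bare `ssl` keyword on any `bind`, `server` or `default-server` line (which is exactly what `check ssl`, two words, produces) while leaving the single token `check-ssl` alone. The two sample configs it writes are constructed from the question's broken config and the answer's fix; the function names, the temp-dir layout and the message format are this example's own.

```shell
#!/bin/sh
# Lint an HAProxy config for the two mistakes that break TLS passthrough:
#   - "bind ... ssl"   terminates TLS at the proxy instead of passing it through
#   - "server ... ssl" (or "default-server ... ssl") re-encrypts the client's
#     already-encrypted stream; "check ssl" (two words) does exactly this and
#     yields curl's "unknown protocol" error
# "check-ssl" is a single token and is not flagged.
# Prints each offending line and returns 1; returns 0 when the file is clean.
lint_passthrough() {
    awk '
        { sub(/[#].*/, ""); sub(/^[ \t]+/, "") }    # drop comments and indentation
        /^(bind|server|default-server)[ \t]/ {
            for (i = 2; i <= NF; i++)
                if ($i == "ssl") {
                    printf "%s:%d: bare ssl keyword on %s line: %s\n", FILENAME, NR, $1, $0
                    bad = 1
                }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the question's configuration with both mistakes present.
write_bad_cfg() {
    cat > "$1" <<'EOF'
frontend http-in
    mode tcp
    bind *:443 ssl crt /etc/haproxy/certs
    default_backend servers

backend servers
    mode tcp
    option httpchk OPTIONS / HTTP/1.1
    # "check ssl" is two keywords: "check" plus a bare "ssl" that re-encrypts
    server svr1 1.2.3.4:18082 check ssl verify required verifyhost example1.com ca-file /etc/haproxy/backend-trust-ca/backend-trust-ca.pem
EOF
}

# Constructed sample: the answer's fix, with ssl only inside check-ssl.
write_good_cfg() {
    cat > "$1" <<'EOF'
frontend http-in
    mode tcp
    bind *:443
    default_backend servers

backend servers
    mode tcp
    option httpchk OPTIONS / HTTP/1.1
    server svr1 1.2.3.4:18082 check check-ssl verify required verifyhost example1.com ca-file /etc/haproxy/backend-trust-ca/backend-trust-ca.pem
EOF
}

# Demo: write both samples to a temp dir and lint them.
demo_dir=$(mktemp -d)
write_bad_cfg "$demo_dir/passthrough-broken.cfg"
write_good_cfg "$demo_dir/passthrough-fixed.cfg"
for cfg in "$demo_dir"/passthrough-*.cfg; do
    if lint_passthrough "$cfg"; then
        echo "$cfg: clean"
    fi
done
# Once haproxy is installed, follow up with its own syntax check:
#   haproxy -c -f "$cfg"
```

The lint only catches the keyword mix-up; it cannot tell whether the backend actually speaks TLS, so keep the `option httpchk` plus `check-ssl` pairing as the runtime proof that the health check is reaching the backend over TLS.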

That did the trick. Thank you!!!