Hello. I’m rather new to HAProxy, and I’m having issues getting SSL passthrough working. I have narrowed my configuration down to demonstrate the issue (redacted):
```
# frontend specific configuration
frontend http-in
    mode tcp
    #bind *:443 ssl crt /etc/haproxy/certs
    bind *:443
    no option httpclose
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # define a default backend
    default_backend servers

# backend specific configuration
backend servers
    mode tcp
    option log-health-checks
    balance leastconn
    # define health check using HTTP OPTIONS call
    option httpchk OPTIONS / HTTP/1.1
    server svr1 1.2.3.4:18082 check ssl verify required verifyhost example1.com ca-file /etc/haproxy/backend-trust-ca/backend-trust-ca.pem
    #server svr1 1.2.3.4:18082
```
Testing with curl, I get an error:
```
$ curl -I https://example.com/
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
$
```
The backend check works, as I see this in the logs:
```
[WARNING] 077/095549 (25563) : Health check for server servers/svr1 succeeded, reason: Layer7 check passed, code: 200, info: "OK", check duration: 3ms, status: 3/3 UP.
```
And I can see in the status page that it shows as active up too.
I can get it to work if I change the binding on the frontend to do SSL (see it commented out above). But if I understand things properly, that will decrypt the SSL instead of simply passing the TCP connection on to the backend. I can also get it to work if I remove the check from the backend (see it commented out above), but I really need to be able to do these checks to make sure that the backend servers are healthy. When I make one of those changes, with curl I get:
```
ssa-syr-taz:~$ curl -I https://example.com/
HTTP/1.1 405 Method Not Allowed
[snip]
```
It almost seems like either of those changes puts HAProxy into HTTP mode. In fact, it works if I configure HAProxy to use HTTP mode, but I do not want to decrypt the session in HAProxy.
Running HAProxy in debug mode does not seem to show a difference between a curl connection that works and one that does not:
```
00000003:http-in.accept(0007)=000d from [1.2.3.10:54194] ALPN=<none>
00000003:servers.srvcls[adfd:adfd]
00000003:servers.clicls[adfd:adfd]
00000003:servers.closed[adfd:adfd]
```
A packet capture of the failure shows HAProxy resetting the connection:
```
11:06:32.875119 IP 1.2.3.10.54244 > 1.2.3.7.443: Flags [S], seq 2513995732, win 29200, options [mss 1460,sackOK,TS val 788408339 ecr 0,nop,wscale 7], length 0
11:06:32.875154 IP 1.2.3.7.443 > 1.2.3.10.54244: Flags [R.], seq 0, ack 2513995733, win 0, length 0
```
I’m running version 2.0.13:
```
haproxy -v
HA-Proxy version 2.0.13-1~bpo10+1 2020/02/15 - https://haproxy.org/
```
I suspect either I’m trying to do something that is not supported, or I have something misconfigured. Any help with things to try, or ways to get additional logs / debugging, would be great. Thank you!
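The relevant HAProxy behaviour here is that the `ssl` keyword on a `server` line enables TLS for every connection HAProxy opens to that server, not only for the health check. In `mode tcp` that means the client's own TLS ClientHello is forwarded inside a second TLS session to the backend, which is what breaks passthrough. HAProxy's `check-ssl` server option wraps only the health check in TLS and leaves normal client traffic untouched. The configuration below is an added example written for this thread, not the poster's config or anything from the HAProxy project; the hostnames, address, port and CA path are placeholders that mirror the redacted values in the post, and the `Host` header in the check is an assumption about what the backend expects.

```haproxy
# Added example: TLS passthrough in tcp mode with TLS-wrapped health checks.
# Placeholder values (example1.com, 1.2.3.4:18082, the CA file path) are
# assumptions copied from the redacted post, not real hosts.

frontend https-in
    mode tcp
    bind *:443
    # Hold the connection until the TLS ClientHello has arrived so that
    # req_ssl_* fetches (SNI routing, hello type) can be evaluated.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    default_backend servers

backend servers
    mode tcp
    balance leastconn
    option log-health-checks
    # Layer 7 health check: HTTP OPTIONS with a Host header (HAProxy 2.0
    # syntax; escaped CRLF and space inside the request line).
    option httpchk OPTIONS / HTTP/1.1\r\nHost:\ example1.com
    # check-ssl  : encrypt ONLY the health check, so client TLS passes through
    # check-sni  : SNI to present on the health-check TLS session
    # verify/ca-file/verifyhost apply to that health-check TLS session
    # Note: no 'ssl' keyword here; 'ssl' would add a second TLS layer to
    # every client connection forwarded to this server.
    server svr1 1.2.3.4:18082 check check-ssl check-sni example1.com verify required verifyhost example1.com ca-file /etc/haproxy/backend-trust-ca/backend-trust-ca.pem
```

After reloading, a successful test is one where `curl -vI https://example.com/` shows a TLS handshake completing against the backend's certificate (HAProxy never sees the plaintext), while the HAProxy log still reports the "Layer7 check passed" line for `servers/svr1`. If the backend's certificate does not carry the name given to `verifyhost`, the check fails with a verification error rather than silently passing, which is the desired behaviour for a `verify required` check.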