SSL passthru not working

Hi,

I would like to have SSL passthrough working for my environment.
From my random reading on the internet and on this site, I understand that I need to use “mode tcp” for SSL passthrough to work. On the frontend, I do a lot of filtering using ACLs, which mostly works with http mode, and I don’t want to lose this flexibility. I read in the thread <(TCP with ACL possible?)> that it is possible to use http mode in the frontend and tcp mode in the backend.

But with that I am getting this error:
http frontend ‘web_gateway’ (/usr/local/etc/haproxy/haproxy.cfg:48) tries to use incompatible tcp backend ‘otntomcat’ (/usr/local/etc/haproxy/haproxy.cfg:166)

Can you please let me know how SSL passthrough can be done without losing the http mode flexibility?

Thanks a lot.

The haproxy.cfg (shortened) is below.

global
log stdout format raw local0 debug
tune.ssl.default-dh-param 2048
user otn
group otn
master-worker

defaults
mode http
log global
option http-server-close
option httplog
option dontlognull
option redispatch
option forwardfor
retries 3
backlog 4096
timeout client 200s
timeout client-fin 20s
timeout connect 5s
timeout server 100s
timeout tunnel 15m
timeout http-keep-alive 30s
timeout http-request 10s
timeout queue 5s
timeout tarpit 60s
maxconn 10000
default-server inter 3s rise 2 fall 3 init-addr last,libc,none

frontend default_ports
bind *:80 user otn group otn
option httplog
http-request add-header X-Forwarded-Proto https
http-request redirect location https://"$ipv4addr":"$port"/cas/login

frontend default_ports_443
bind *:443 user otn group otn ssl crt /usr/local/etc/haproxy/cert.crt
option tcplog
acl fault_path path_beg -i /FaultManagement
use_backend nspos_serv1 if fault_path
default_backend nspos_serv

frontend web_gateway
bind *:"$port" ssl crt /usr/local/etc/haproxy/cert.crt
http-request add-header X-Forwarded-Proto https
http-request set-query %[query,regsub(:"$port",g)]
http-request set-uri %[url,regsub(otntomcat,"$ipv4addr",g)]
redirect scheme https if !{ ssl_fc }
acl otntomcat_path path_beg -i /oms1350
acl dojoroot_path path_beg -i /dojoroot
acl p1 path_beg -i /jointroot
acl p2 path_beg -i /jquery
acl p3 path_beg -i /lodash
acl p4 path_beg -i /openlayersroot
acl p5 path_beg -i /search
acl p6 path_beg -i /svgutilsroot
acl p7 path_beg -i /d3root
acl p8 path_beg -i /backbone
acl p9 path_beg -i /Cpb
use_backend otntomcat if otntomcat_path || dojoroot_path || p1 || p2 || p3 || p4 || p5 || p6 || p7 || p8 || p9
acl cas_path path_beg -i /cas
acl session_path path_beg -i /session-manager
use_backend nspos_serv if cas_path || session_path
acl fault_path path_beg -i /FaultManagement
use_backend nspos_serv1 if fault_path
acl int_path path_beg -i /internal
use_backend nspos_serv if int_path
acl ntsm_path path_beg -i /ntsm
use_backend ntsm_serv if ntsm_path
acl systemmonitor_path path_beg -i /systemmonitor
use_backend systemmonitor_serv if systemmonitor_path
acl wso_path path_beg -i /wso
use_backend wso_serv if wso_path
acl motn_path path_beg -i /onc
use_backend motn_serv if motn_path
acl nrct_tapi_path path_beg -i /tapi
use_backend nrct_tapi_serv if nrct_tapi_path
default_backend nspos_serv

resolvers docker_nfmt-net
nameserver dns1 127.0.0.11:53

backend otntomcat
mode http
balance roundrobin
log stdout local0 debug
server serv01 otntomcat:8443 resolvers docker_nfmt-net check ssl verify none
# Rewrite the backend's Location headers so redirects point at the external address and port
http-response replace-header Location (.*)(\botntomcat\b)(.*)$ \1"$ipv4addr"\3
http-response replace-header Location (.*)(\b80\b)(.*) \1"$port"\3
http-response replace-header Location (.*)(\b443\b)(.*) \1"$port"\3
http-response replace-header Location (.*)(\b8544\b)(.*) \1"$port"\3
http-response replace-header Location (.*)(\b8545\b)(.*) \1"$port"\3
http-response replace-header Location (.*)(\b8443\b)(.*) \1"$port"\3
http-response replace-header Location (.*)(\b/oms1350/pages/otn\b)(.*) \1:"$port"/oms1350/pages/otn\3
http-response replace-header Location (.*)(\b/oms1350/login/cas\b)(.*) \1:"$port"/oms1350/login/cas\3
http-request add-header X-Forwarded-Proto https if { ssl_fc }

listen stats
bind *:1974
stats enable
stats uri /

Hi @lukastribus, greetings. Can I request your attention on this issue? I would like to know if it is possible to have a mixed mode of http in the frontend and tcp in the backend and still achieve SSL passthrough?
Thanks
Tridev

No, this is absolutely not possible.

The point of SSL is that the content is encrypted. You will never be able to access unencrypted content without decrypting it, and SSL passthrough means that the content will not be decrypted (you’d need the SSL certificate and private key for that).

Hi @lukastribus, Thank you for your kind response.

It looks like SSL passthrough is not possible without tcp mode. Correct?

If you look at the server line, I am using “verify none”, which means certificate validation is ignored at HAProxy.
Is it possible to initiate the SSL encryption?
“server serv01 otntomcat:8443 resolvers docker_nfmt-net check ssl verify none”
I am just using HAProxy for reverse proxying. Kindly let me know if there is any other way to have this configured.
Thanks
Tridev

Correct, SSL passthrough means that you are not decrypting traffic, so you cannot access HTTP. This also implies that you need mode tcp, that is correct.

Do you even need SSL passthrough? It looks like what you are actually trying to do is everything BUT SSL passthrough.

Can you tell me why you decided to do SSL passthrough as opposed to SSL termination?

Reminder: SSL passthrough means that you DO NOT have an SSL certificate configured in haproxy, and you never use the ssl keyword.

This is SSL passthrough (no ssl keyword, no crt keyword, no certificate):

defaults
 mode tcp
frontend tcp443
 bind :443
 default_backend backend443
backend backend443
 server s1 192.168.1.5:443

This is SSL termination (actually ssl, crt keywords pointing to a certificate):

defaults
 mode http
frontend http443
 bind :443 ssl crt /path/to/certificate
 default_backend backend443
backend backend443
 server s1 192.168.1.5:443 ssl verify none
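As an added example (not code from the thread or from HAProxy's own documentation), the one kind of routing that survives passthrough: a tcp-mode frontend reads the unencrypted SNI from the TLS ClientHello and passes that hostname through untouched, while every other connection is handed to a terminating http frontend where the path ACLs from the original config work again. The hostnames, the abns socket name, the nspos server addresses and the CA file path are assumptions.

```haproxy
# Added example, not from the thread. Only the ClientHello's SNI is readable
# without decrypting, so passthrough routing can key on hostname, never on path.
frontend tls_in
    mode tcp
    bind *:443
    # wait (up to 5s) for a complete ClientHello before deciding
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # assumed hostname: this one is passed through encrypted, untouched
    use_backend passthru_otntomcat if { req.ssl_sni -i otn.example.invalid }
    # everything else goes to the local terminating frontend below
    default_backend to_terminator

backend passthru_otntomcat
    mode tcp
    # no "ssl"/"crt" keyword: the backend itself must present the client-facing certificate
    server serv01 otntomcat:8443 check

backend to_terminator
    mode tcp
    # abstract-namespace socket (Linux); PROXY protocol keeps the client IP visible
    server local abns@terminator send-proxy-v2

frontend terminator
    mode http
    bind abns@terminator accept-proxy ssl crt /usr/local/etc/haproxy/cert.crt
    http-request add-header X-Forwarded-Proto https
    # decrypted here, so HTTP-level ACLs such as path_beg work again
    acl fault_path path_beg -i /FaultManagement
    use_backend nspos_serv1 if fault_path
    default_backend nspos_serv

backend nspos_serv
    mode http
    # re-encrypt to the backend and verify its certificate (assumed CA bundle path)
    server s1 nspos:8443 ssl verify required ca-file /usr/local/etc/haproxy/backend-ca.pem

backend nspos_serv1
    mode http
    server s1 nspos1:8443 ssl verify required ca-file /usr/local/etc/haproxy/backend-ca.pem
```

Note that the passthrough backend never sees the HAProxy certificate, so the hostname routed there must be served with its own valid certificate.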