Hello, I’m trying to eventually set up something similar to this, where a single frontend should only ask for client certs conditionally. However, I got a bunch of errors and it seems I’m getting errors with even more basic setups.
Here’s a minimal setup that produces the error for me:
OPNsense HAProxy plugin running on a home box:

#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats socket                /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    1
    hard-stop-after             60s
    no strict-limits
    tune.ssl.default-dh-param   2048
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log                         global
    option redispatch -1
    timeout client              30s
    timeout connect             30s
    timeout server              30s
    retries                     3
    default-server init-addr    last,libc

# autogenerated entries for ACLs

# autogenerated entries for config in backends/frontends

# autogenerated entries for stats

# More frontends omitted for brevity

# Frontend: test_in ()
frontend test_in
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    default_backend homeassistant
    # tuning options
    timeout client 30s
    # logging options
    option log-separate-errors
    option tcplog

# More backends omitted for brevity

# Backend: homeassistant ()
backend homeassistant
    option log-health-checks
    # health check: check homeassistant
    option httpchk
    http-check send meth GET uri / ver HTTP/1.0
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server homeassistant 192.168.1.123:8123 check inter 2s check-ssl verify none
Chrome gives me ERR_SSL_PROTOCOL_ERROR, and Postman gives me Error: write EPROTO 82462216:error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER:../../third_party/boringssl/src/ssl/tls_record.cc:242: when visiting my site.
I have also tried combinations of https offloading on the frontend, and marking the backend as SSL. Only the combination of both allows me to access the homeassistant instance properly.
HTTPS offloading but no SSL on the backend gives me a 502. SSL on the backend but SSL passthrough on the frontend (as shown above) gives me the same SSL proto error.
Here’s the relevant portions with the aforementioned options both enabled:
frontend test_in
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl crt-list /tmp/haproxy/ssl/62a6bbcf47f3b0.59102928.certlist
    # rest same

backend homeassistant
    # rest same
    server homeassistant 192.168.1.123:8123 check inter 2s check-ssl ssl alpn h2,http/1.1 verify none
I can get it working with offloading, but I’m assuming getting the SSL passthrough working is necessary for the loopback unix node setup since you mentioned that the “first three sections need to be tcp mode” when referring to the main frontend and loopback backends in the linked thread.
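As an added illustration (not the poster's generated config and not the OPNsense plugin's output), here is the shape the "tcp-mode passthrough plus TLS-terminating loopback" setup takes in plain HAProxy syntax, with only the admin SNI name routed through the client-certificate frontend. The SNI name admin.home.example, the loopback port 127.0.0.1:8443 (a stand-in for the plugin's unix-socket node, which would otherwise have to be a path inside the /var/haproxy chroot) and the certificate and CA paths are assumptions; the server address and health checks are the poster's own.

```haproxy
# Added example, not the poster's config. Assumed: admin.home.example, port 8443, cert/CA paths.
frontend test_in
    bind 0.0.0.0:443 name 0.0.0.0:443
    mode tcp
    option tcplog
    # Hold the connection until the TLS ClientHello has arrived so the SNI can be read
    # without terminating TLS here.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Only the admin name goes through the client-cert loop; everything else is passed through.
    use_backend mtls_loop if { req.ssl_sni -i admin.home.example }
    default_backend homeassistant_passthrough

# Passthrough: frontend and backend are both tcp mode. The tcp frontend -> http backend pairing
# in the original config is what made HAProxy parse raw TLS records as HTTP.
# check-ssl only affects the health check; the client's TLS session goes to the server untouched.
backend homeassistant_passthrough
    mode tcp
    balance source
    stick-table type ip size 50k expire 30m
    stick on src
    server homeassistant 192.168.1.123:8123 check inter 2s check-ssl verify none

# Loop back into a second, TLS-terminating frontend. PROXY protocol v2 carries the real
# client address across the loop so logs and stick tables still see it.
backend mtls_loop
    mode tcp
    server loop 127.0.0.1:8443 send-proxy-v2

frontend mtls_term
    # verify required: a certificate signed by the assumed client CA is mandatory on this path.
    bind 127.0.0.1:8443 accept-proxy ssl crt /usr/local/etc/haproxy/server.pem ca-file /usr/local/etc/haproxy/client-ca.pem verify required
    mode http
    option httplog
    # Pass the authenticated subject CN to the app; set-header overwrites anything the client sent.
    http-request set-header X-Client-Cert-CN %{+Q}[ssl_c_s_dn(cn)]
    default_backend homeassistant

# Re-encrypt to Home Assistant; verify none matches the self-signed backend the poster already uses.
backend homeassistant
    mode http
    option httpchk
    http-check send meth GET uri / ver HTTP/1.0
    server homeassistant 192.168.1.123:8123 check inter 2s check-ssl ssl alpn h2,http/1.1 verify none
```

Because the plugin regenerates the file, the equivalent would be built in the OPNsense UI rather than edited in place; `haproxy -c -f <file>` validates the generated result and reports a mode mismatch between a frontend and its backend before it is loaded.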