SSL termination, listening but not working

Alex_loo · July 11, 2017, 5:26am

Hi to community. Want to ask some help, but we are faced with a simple problem, i hope.
HaProxy must Implement SSL termination and turn http to https, and stands between Nginx and the World.

The problem:
HAProxy returns to the World:

503 Service Unavailable
No server is available to handle this request.

But the backend is working and returns all pages correctly.

My software: nginx 1.11.7
HA-Proxy 1.7.2

config:

global
log /path/to/log local0 #(inside of chroot dir)
log /path/to/log local1 debug #(inside of chroot dir)
chroot /chroot/dir
stats socket /path/to/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group www
daemon

    ca-base /path/to/certs/dir
    crt-base /path/to/certs/dir

    ssl-default-bind-ciphers  EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3D
    ssl-default-bind-options no-sslv3 no-tlsv10
    tune.ssl.default-dh-param 4096

defaults
log global
mode http
option httplog
option dontlognull
option forwardfor
option http-server-close
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms

frontend www-https
bind public_IP:80
bind public_IP:443 ssl crt /usr/local/etc/nginx/ssl/shandycraft/haproxy.pem
acl secure dst_port eq 443
redirect scheme https if !{ ssl_fc }
# rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload
rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure
default_backend www-backend

backend www-backend
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
server www-backend unix@/path/to/haproxy.sock maxconn 32 #(inside of chroot dir)
# server www-backend backend_IP - the simular result

NGINX listening haproxy.sock socket, and socket has a correct permissions, readable & writeable for user and group

And haproxy listens the corresponding ports:
…
haproxy haproxy 1997 5 tcp4 public_IP:80
haproxy haproxy 1997 6 tcp4 public_IP:443
…

The answer of server :

HTTP status 503 Service Unavailable
Answer time 143 мs
IP public_IP
Encoding UTF-8(unicode-1-1-utf-8, UTF8)
Page size 106 Б

Cache-Control: no-cache
Connection: close
Content-Type: text/html

This request Log:

Note: setting global.maxconn to 2000.
Available polling systems :
kqueue : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result FAILED
Total: 3 (2 usable), will use kqueue.

Available filters :
[SPOE] spoe
[TRACE] trace
[COMP] compression
Using kqueue() as the polling mechanism.

00000000:www-https.accept(0006)=0009 from [93.158.152.108:61226]
00000000:www-https.clireq[0009:ffffffff]: GET /robots.txt HTTP/1.1
00000000:www-https.clihdr[0009:ffffffff]: Host: mydomain.com
00000000:www-https.clihdr[0009:ffffffff]: Connection: Keep-Alive
00000000:www-https.clihdr[0009:ffffffff]: user-agent: Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)
00000000:www-https.clihdr[0009:ffffffff]: from: support@search.yandex.ru
00000000:www-https.clihdr[0009:ffffffff]: Accept-Encoding: gzip,deflate
00000000:www-https.clihdr[0009:ffffffff]: Accept-Language: ru, uk;q=0.8, be;q=0.8, en;q=0.7, ;q=0.01
00000000:www-https.clihdr[0009:ffffffff]: Accept: /
00000000:www-backend.clicls[0009:000a]
00000000:www-backend.closed[0009:000a]
00000001:www-https.accept(0006)=0009 from [141.8.184.104:52667]
00000002:www-https.accept(0006)=000a from [141.8.184.109:37854]
00000001:www-https.clireq[0009:ffffffff]: GET / HTTP/1.1
00000001:www-https.clihdr[0009:ffffffff]: Host: mydomain.com
00000001:www-https.clihdr[0009:ffffffff]: Connection: Keep-Alive
00000001:www-https.clihdr[0009:ffffffff]: user-agent: Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)
00000001:www-https.clihdr[0009:ffffffff]: from: support@search.yandex.ru
00000001:www-https.clihdr[0009:ffffffff]: Accept-Encoding: gzip,deflate
00000001:www-https.clihdr[0009:ffffffff]: Accept-Language: ru, uk;q=0.8, be;q=0.8, en;q=0.7, ;q=0.01
00000001:www-https.clihdr[0009:ffffffff]: Accept: /
00000001:www-backend.clicls[0009:000b]
00000001:www-backend.closed[0009:000b]

I just in a deadlock, my brain does not working at all today …

willy · July 11, 2017, 5:50am

You should check your logs, but at first glance what is happening is that nobody is listening for incoming connections on your unix socket at /path/to/haproxy.sock. I suspect the logs will report “sC” flags confirming a failure to connect to the server.

I guess you expected your nginx to listen there, you should double-check that you’re using the correct path. And you can even check by hand using “ls -l” that this socket really exists.

Topic		Replies	Views
SSL offloading not working for website that is reverting to HTTP Help!	1	918	July 20, 2019
SSL termination does not work correctly (v2.0.8) Help!	3	1684	November 13, 2019
<NOSRV> issue with TLS termination Help!	7	3509	October 21, 2020
Need SSL termination with HA proxy Help!	1	500	April 15, 2019
Apache Creating Non HTTPS Link When Using SSL Termination Help!	2	1707	September 14, 2018

SSL termination, listening but not working

config:

backend www-backend http-request set-header X-Forwarded-Port %[dst_port] http-request add-header X-Forwarded-Proto https if { ssl_fc } server www-backend unix@/path/to/haproxy.sock maxconn 32 #(inside of chroot dir) # server www-backend backend_IP - the simular result

This request Log:

Related topics

backend www-backend
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
server www-backend unix@/path/to/haproxy.sock maxconn 32 #(inside of chroot dir)
# server www-backend backend_IP - the simular result