I think/hope I am trying to do something relatively simple:
- I have one HAProxy (2.1) running on
- I have a service which speaks http2 (with SSL), running on
My goal is to route traffic via the HAProxy to my service/backend. If this was HTTP 1.1, I would call it SSL passthrough. The service itself sets up certs, etc. It's a third party agent written in Golang. There's no Let's Encrypt or anything. The certificates are self-signed, hence `-k` in my curl examples below.
Here is my HAProxy configuration:
```
global
    daemon
    maxconn 256
    log-send-hostname

defaults
    mode tcp
    option http-use-htx
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend h2-in
    bind *:8181
    mode tcp
    default_backend servers

backend servers
    server agent 127.0.0.1:9001 check
```
(Stats report the backend to be available.)
When I access the service via HAProxy, I get the following error:
```
❯ curl -k -v --tlsv1.2 https://127.0.0.1:8181/ping
*   Trying 127.0.0.1:8181...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8181 (#0)
* ALPN, offering http/1.1
* WARNING: disabling hostname validation also disables SNI.
* Server aborted the SSL handshake
* Closing connection 0
curl: (35) Server aborted the SSL handshake
```
When I access the service directly via curl, it responds (204):
```
❯ curl -k -v --tlsv1.2 https://127.0.0.1:9001/ping
*   Trying 127.0.0.1:9001...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 9001 (#0)
* ALPN, offering http/1.1
* WARNING: disabling hostname validation also disables SNI.
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: X509 Certificate
> GET /ping HTTP/1.1
> Host: 127.0.0.1:9001
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 204 No Content
< Date: Mon, 01 Jun 2020 13:41:52 GMT
<
* Connection #0 to host 127.0.0.1 left intact
```
Can anyone take a look at my configuration and tell me what I am doing wrong?
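A small end-to-end check for a TCP passthrough setup like the one above, added here as an example and not part of the original post or of HAProxy: it connects once to the backend directly and once through the proxy, records the negotiated ALPN protocol and the SHA-256 fingerprint of the certificate presented, and reports whether the proxy path shows the backend's own self-signed certificate (a terminating proxy would present a different one). It assumes the poster's ports, 8181 for HAProxy and 9001 for the Go agent, both on 127.0.0.1.

```python
"""Check that a TLS passthrough proxy presents the backend's own certificate.

Added example; assumes HAProxy on 127.0.0.1:8181 and the agent on 127.0.0.1:9001.
"""
import hashlib
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, colon-separated like openssl."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def probe(host: str, port: int, alpn=("h2", "http/1.1"), timeout=5.0) -> dict:
    """Open one TLS connection and report what the far end presented.

    Verification is disabled on purpose: the agent uses a self-signed
    certificate (the reason for curl -k), and the point is to observe the
    handshake, not to trust the peer.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_alpn_protocols(list(alpn))  # offer h2 too, unlike plain curl
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True,
                        "alpn": tls.selected_alpn_protocol(),
                        "version": tls.version(),
                        "fingerprint": fingerprint(tls.getpeercert(binary_form=True))}
    except OSError as exc:  # ssl.SSLError is an OSError; an aborted handshake lands here
        return {"ok": False, "error": str(exc)}


def passthrough_intact(direct: dict, via_proxy: dict) -> bool:
    """True only if the proxy path shows the backend's own cert and ALPN choice."""
    if not (direct.get("ok") and via_proxy.get("ok")):
        return False
    return (direct["fingerprint"] == via_proxy["fingerprint"]
            and direct["alpn"] == via_proxy["alpn"])


if __name__ == "__main__":
    direct, proxied = probe("127.0.0.1", 9001), probe("127.0.0.1", 8181)
    print("direct :", direct)
    print("proxied:", proxied)
    print("passthrough intact:", passthrough_intact(direct, proxied))
```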