Dear All,
Is it reasonable to use ssl on the frontend in tcp mode?
I found a configuration like this:
listen service_https
bind :443 ssl crt domain.pem
mode tcp
option tcp-check
server srv1 <backend_ip1>:3000 check inter 1s weight 1
server srv2 <backend_ip2>:3000 check inter 1s weight 1
The “mode tcp” dictates that the frontend and backend is in tcp mode, as I think in this mode the haproxy simply pass the tcp packets to the backends, and doesn’t care about the above tls/ssl protocol.
However the bind use the ssl option. The admin page shows : “cap proxy, mode:tcp”
So if the frontend use ssl option, shouldn’t the mode be in http mode?
PS: sorry for bad english
thank you
This is a valid configuration if that is what you want.
What it is doing specifically is:
Decrypt SSL on the frontend and pass cleartext, unencrypted payload to the backend.
So in other words, you’d have a client with a TCP based protocol but protected by SSL, while the server only handles cleartext unencrypted traffic.
It could be HTTPS → HTTP, but it could also another protocol with implicit SSL.
1 Like
Thank you for the answer.
So the mode and using ssl (at frontend or backend) is two independent things. If you use ssl at the frontend, then hapo will use it. If you use ssl at the backend haproxy will use it. The mode (tcp or http) always match at the two side of haproxy, and the tcp mode just a layer4 forwarding, while http mode required if you want to modify/analyze the http stream.
And that supposal that the frontend ssl won’t work in tcp mode (because tcp mode is care about layer 4 only) is completely wrong.
Thank you