Dear HAProxy community,
I get an strange problem with my TCP Proxy config.
My healthceck works and the backend servers is online at the HAProxy stats page.
But I get this error at my webbrowser “SSL_ERROR_RX_RECORD_TOO_LONG”
If I remove “ssl verify none” and the “httpchk” the TCP Proxy works fine and the website goes online.
My Problem now, I need to check the backend with the http status and need the TCP Proxy (proprietary backend…)
frontend ft_webapp_tcp
bind *:443 name https
default_backend bk_webapp_tcp
backend bk_webapp_tcp
mode tcp
balance roundrobin
option httpchk GET /webapp/check.html
http-check expect status 200
server web1 192.168.10.104:443 maxconn 10000 check ssl verify none
server web2 192.168.10.105:443 maxconn 10000 check ssl verify none
Wirehsark Response
(ClientIP) -> (HAProxy IP) -> TLSv1 -> Client Hello
(HAProxy IP) -> (ClientIP) -> HTTP -> HTTP/1.1 400 Bad Request (text/html)
does one have an idea?
HA-Proxy version 1.8.8-1ubuntu0.2 2018/10/02
Copyright 2000-2018 Willy Tarreau <willy@haproxy.org>
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -g -O2 -fdebug-prefix-map=/build/haproxy-1p70ey/haproxy-1.8.8=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2
OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_SYSTEMD=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_NS=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with OpenSSL version : OpenSSL 1.1.0g 2 Nov 2017
Running on OpenSSL version : OpenSSL 1.1.0g 2 Nov 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.39 2016-06-14
Running on PCRE version : 8.39 2016-06-14
PCRE library supports JIT : yes
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available filters :
[SPOE] spoe
[COMP] compression
[TRACE] trace
best regards,
the_Uli