TCP Proxy failed after enabling httpchk

Dear HAProxy community,

I get a strange problem with my TCP proxy config.
My health check works and the backend servers are online on the HAProxy stats page.

But I get this error in my web browser: “SSL_ERROR_RX_RECORD_TOO_LONG”
If I remove “ssl verify none” and the “httpchk”, the TCP proxy works fine and the website goes online.

My problem now: I need to check the backend with the HTTP status and I need the TCP proxy (proprietary backend…)

frontend ft_webapp_tcp
bind *:443 name https
default_backend bk_webapp_tcp

backend bk_webapp_tcp
mode tcp
balance roundrobin
option httpchk GET /webapp/check.html
http-check expect status 200

server web1 192.168.10.104:443 maxconn 10000 check ssl verify none
server web2 192.168.10.105:443 maxconn 10000 check ssl verify none

Wireshark response
(ClientIP) -> (HAProxy IP) -> TLSv1 -> Client Hello
(HAProxy IP) -> (ClientIP) -> HTTP -> HTTP/1.1 400 Bad Request (text/html)

Does anyone have an idea?

HA-Proxy version 1.8.8-1ubuntu0.2 2018/10/02
Copyright 2000-2018 Willy Tarreau <willy@haproxy.org>

    Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -g -O2 -fdebug-prefix-map=/build/haproxy-1p70ey/haproxy-1.8.8=. -fstack-protector-strong     -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2
  OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1     USE_SYSTEMD=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_NS=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
  
Built with OpenSSL version : OpenSSL 1.1.0g  2 Nov 2017
Running on OpenSSL version : OpenSSL 1.1.0g  2 Nov 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.39 2016-06-14
Running on PCRE version : 8.39 2016-06-14
PCRE library supports JIT : yes
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

    Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
        [SPOE] spoe
        [COMP] compression
        [TRACE] trace

best regards,
the_Uli

When you add the ssl keyword to your server configuration, you enable SSL termination here, which is not compatible with the rest of your configuration (as you need to pass port 443 through transparently).

Use check-ssl instead of ssl to only insert an SSL layer for health checks.
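A small diagnostic for the symptom in the question, written here as an added example (not code from the thread or from HAProxy): it builds a real ClientHello with Python's ssl module, sends it to a host and port, and classifies the first bytes that come back, so a plaintext HTTP/1.1 400 answering a ClientHello (what the Wireshark capture shows, and what the browser reports as SSL_ERROR_RX_RECORD_TOO_LONG) is flagged as a missing or mismatched TLS layer on that hop rather than a certificate problem. The host name in the usage line is a placeholder.

```python
import socket
import ssl

# First byte of a TLS record identifies its content type.
TLS_RECORD_TYPES = {0x15: "TLS alert", 0x16: "TLS handshake", 0x17: "TLS application data"}

# Constructed sample: the kind of reply the capture in the post shows the
# browser receiving instead of a ServerHello.
SAMPLE_PLAINTEXT_REPLY = b"HTTP/1.1 400 Bad Request\r\nContent-Type: text/html\r\n\r\n"


def build_client_hello(server_name: str) -> bytes:
    """Produce a genuine ClientHello without touching the network (memory BIOs)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: ClientHello has been written, handshake now waits for a ServerHello
    return outgoing.read()


def classify_reply(data: bytes) -> str:
    """Say what the peer answered: a TLS record, plaintext HTTP, or nothing."""
    if not data:
        return "connection closed without a reply"
    if len(data) >= 5 and data[0] in TLS_RECORD_TYPES and data[1] == 0x03:
        length = int.from_bytes(data[3:5], "big")
        return f"{TLS_RECORD_TYPES[data[0]]} record, {length} bytes"
    if data.startswith(b"HTTP/"):
        status = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        # A plaintext HTTP reply to a ClientHello is exactly what makes a browser
        # report SSL_ERROR_RX_RECORD_TOO_LONG: nothing speaks TLS on this hop.
        return f"plaintext HTTP ({status}): TLS layer mismatch"
    return "unrecognised plaintext reply"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send a ClientHello to host:port and classify the raw reply bytes."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            return "no reply before timeout"
    return classify_reply(reply)


if __name__ == "__main__":
    print(probe("haproxy.example.invalid"))  # placeholder host, not from the thread
```

Run it against the HAProxy frontend address: a healthy path reports a TLS handshake record (the backend's ServerHello passed through), while the misconfiguration discussed in this thread reports plaintext HTTP.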

OK, I changed “check ssl” to “check-ssl” and the webpage is online.
But the health check says “status: no check” =/

edit: OK, now it works =)
server cas1 192.168.10.104:443 maxconn 10000 check-ssl check verify none
