Trying to forward HTTPS from 443 to 1443 in TCP mode

Hello!

I have two servers (192.168.0.101/2) running two web servers (via containers), one of them listening on port 443 and the other on 1443.

I set up HAproxy on TCP mode and each web server is serving its own certificates.

Postman → https://a.domain.com/ → HAPROXY:443 → SRV1/2:443 works

Postman → https://b.domain.com/ → HAPROXY:443 → SRV1/2:1443 doesn’t work, and Postman gives me a “Client network socket disconnected before secure TLS connection was established”.

If I change the port from 1443 to 443 (and stop the other container), it works without an issue.

Here’s my config file:

global
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    stats socket /var/lib/haproxy/stats

    ssl-default-bind-ciphers PROFILE=SYSTEM
    ssl-default-server-ciphers PROFILE=SYSTEM

defaults
    log                     global
    option                  httplog
    option                  dontlognull
    option                  http-server-close
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

# TLS passthrough: HAProxy never terminates TLS here, it only reads the
# ClientHello to route on SNI, so each backend serves its own certificate.
frontend https
    mode                    tcp
    option                  tcplog
    bind                    192.168.0.100:443

    # Wait up to 3s for a ClientHello (hello type 1) before deciding the backend
    tcp-request             inspect-delay 3s
    tcp-request             content accept if { req_ssl_hello_type 1 }

    acl                     SRV_A req.ssl_sni -i a.domain.com
    acl                     SRV_B req.ssl_sni -i b.domain.com

    use_backend             A_HTTPS if SRV_A
    use_backend             B_HTTPS if SRV_B

backend A_HTTPS
    mode                    tcp
    balance                 source
    timeout tunnel          600s
    # Pin each client IP to the same server for 15 minutes
    stick-table             type ip  size 1m  expire 15m
    stick                   on src

    server                  SRV01.domain.com 192.168.0.101:443 check inter 1s fall 1 rise 2
    server                  SRV02.domain.com 192.168.0.102:443 check inter 1s fall 1 rise 2

backend B_HTTPS
    mode                    tcp
    balance                 source
    timeout tunnel          600s
    stick-table             type ip  size 1m  expire 15m
    stick                   on src

    # Same hosts, non-standard port 1443 (the part that fails)
    server                  SRV01.domain.com 192.168.0.101:1443 check inter 1s fall 1 rise 2
    server                  SRV02.domain.com 192.168.0.102:1443 check inter 1s fall 1 rise 2

Any idea what could be the issue?

Thanks a lot!

You need to open port 1433 on the server firewall and set up the appropriate Docker port forwardings.

Thanks for the reply. I already have the Docker forwarding and the servers' firewall configuration done.

For a brief moment, it worked from one of the HAproxy servers but not from the other, but then it stopped working too.

Doing some tests, I am able to connect from any HAproxy server to the web server on 1443 via curl and telnet. But when trying to pass through HAproxy, I don’t get any connection on the destination server (via iptraf).

Then you need to check the HAProxy logs or capture the 1433 traffic and analyse it in Wireshark.

Finally fixed it. It was SELinux blocking HAproxy from creating connections on strange ports.

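The symptoms in this thread fit the SELinux explanation well: curl and telnet from a root shell run unconfined, while the haproxy process runs in the confined haproxy_t domain, which by default may only name_connect to ports labelled http_port_t (80, 443, 8443 and so on). A connect() to 1443 is refused with EACCES, HAProxy closes the accepted client socket, and the client sees exactly the "disconnected before secure TLS connection was established" error above. The script below is an added example, not code from the poster or the HAProxy project. It assumes a targeted-policy host with semanage, ausearch, getenforce and setsebool available; the port listing and the AVC lines embedded in it are constructed samples in the formats those tools print, so the parsing helpers can be exercised offline.

```shell
#!/bin/sh
# Added example for this thread (not the poster's or HAProxy's own code).
# Triage helpers for "HAProxy in TCP mode cannot reach a backend on a
# non-standard port" on an SELinux host. Port 1443 is the thread's backend port.

# Return 0 if port $1 is covered by an "http_port_t tcp" line read on stdin
# (the format printed by `semanage port -l`), 1 otherwise. Handles ranges
# such as "10000-10010" as well as single ports.
port_in_http_port_t() {
    awk -v p="$1" '
        $1 == "http_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                v = $i; sub(/,$/, "", v)
                if (v == p) { found = 1; exit }
                if (index(v, "-") > 0) {
                    split(v, r, "-")
                    if (p + 0 >= r[1] + 0 && p + 0 <= r[2] + 0) { found = 1; exit }
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# Count AVC records on stdin (audit.log / ausearch raw format) where haproxy
# was denied name_connect to destination port $1. Prints the count, exits 0.
avc_denials_for_port() {
    grep -c "avc:  denied  { name_connect }.*comm=\"haproxy\".*dest=$1 " || true
}

# Constructed sample of `semanage port -l` output (assumption, not real output
# from the poster's host). 1443 is deliberately absent from http_port_t.
SAMPLE_LISTING='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000, 10000-10010
http_port_t                    udp      3130
ssh_port_t                     tcp      22'

# Constructed sample AVC denials in audit.log format (assumption): two for
# port 1443 and one unrelated denial for 5432.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.100:101): avc:  denied  { name_connect } for  pid=4242 comm="haproxy" dest=1443 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.200:102): avc:  denied  { name_connect } for  pid=4242 comm="haproxy" dest=1443 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.300:103): avc:  denied  { name_connect } for  pid=4242 comm="haproxy" dest=5432 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0'

# Live triage on a real host (run as root). Prints what it finds and the two
# remediation options; it does not change policy by itself.
live_triage() {
    port="$1"
    echo "SELinux mode: $(getenforce 2>/dev/null || echo unavailable)"
    if semanage port -l 2>/dev/null | port_in_http_port_t "$port"; then
        echo "port $port is labelled http_port_t; SELinux should not block haproxy_t here"
    else
        echo "port $port is NOT http_port_t; haproxy_t cannot name_connect to it"
        echo "AVC denials for haproxy -> $port so far: $(ausearch -m AVC -c haproxy 2>/dev/null | avc_denials_for_port "$port")"
        echo "fix, pick one:"
        echo "  semanage port -a -t http_port_t -p tcp $port   # narrow: label only this port"
        echo "  setsebool -P haproxy_connect_any 1             # broad: allow any port"
    fi
}

# Offline run shows the parsers on the constructed samples; --live PORT runs
# the real checks.
if [ "${1:-}" = "--live" ]; then
    live_triage "${2:-1443}"
else
    printf '%s\n' "$SAMPLE_LISTING" | port_in_http_port_t 1443 \
        && echo "sample: 1443 is http_port_t" || echo "sample: 1443 is not http_port_t"
    echo "sample: $(printf '%s\n' "$SAMPLE_AUDIT" | avc_denials_for_port 1443) denials for 1443"
fi
```

Prefer the semanage port label over the boolean: labelling 1443 as http_port_t keeps haproxy_t confined to the ports it actually needs, whereas haproxy_connect_any lets a compromised proxy open connections to anything on the network. If semanage reports that the port is already defined with another type, use `semanage port -m` instead of `-a`. Re-checking `ausearch -m AVC -c haproxy` after the change is the quickest way to confirm the denials have stopped.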