We have to install haproxy from a binary with SSL enabled.

If we install haproxy with yum install, SSL can't be enabled, right?
It would be helpful to provide an official installation guide for a haproxy installation with SSL enabled.

Thanks.

The packages in OS repositories do usually have SSL enabled.

Would you like to share what OS and OS version you are using so that we can answer your question with certainty?

Thanks for your info. We are using CentOS 7.7. After we used yum to install haproxy, the version of haproxy is 1.5.18.

$ rpm -qa|grep haproxy
haproxy-1.5.18-9.el7.x86_64

$ rpm -qa|grep ssl
openssl-libs-1.0.2k-19.el7.x86_64
openssl-1.0.2k-19.el7.x86_64

Thanks in advance.

Then haproxy will be SSL enabled and you don’t have to do anything manually.

Do you mean I don't need to do a compiled installation of haproxy? What I need is just to configure

  1. .pem file
  2. haproxy.cfg

Right?

Thanks,

Yes, exactly.

Thank you so much.
Happy Thanksgiving Day.

Can you help to have a look at my configuration?

  1. I can use haproxy (IP 10.99.22.13) and visit
    http://10.99.22.13/sabrix to reach any backend server.

1) Then I used a self-signed SSL cert to serve my backend website over HTTPS.
I can visit the backend websites below successfully.

 https://10.99.22.253/sabrix or https://tst1.tst.com/sabrix
 https://10.99.22.14/sabrix  or https://tst2.tst.com/sabrix

2) I created /etc/haproxy/ssl/tst.pem on the proxy server (10.99.22.13).
3) Based on the working configuration for HTTP, I edited the configuration for HTTPS:

global
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4096
user haproxy
group haproxy
daemon
stats socket /var/lib/haproxy/stats
tune.ssl.default-dh-param 2048

defaults
option forwardfor
log global
option httplog
log 127.0.0.1 local3
option dontlognull
retries 2
option redispatch
mode http
timeout connect 5s
timeout client 5s
timeout server 5s

listen stats
bind *:9000
mode http
stats enable
stats hide-version
stats uri /stats
stats refresh 30s
stats realm Haproxy\ Statistics
stats auth admin:admin

frontend TST
bind :80
bind *:443 ssl crt /etc/haproxy/ssl/tst.pem
redirect scheme https if !{ ssl_fc }
log global
option httpclose
acl sabrix_web path_beg -i /sabrix
use_backend sabrix_web if sabrix_web
capture request header User-Agent len 128
capture request header X-Forwarded-For len 100
capture response header Server len 40
capture response header Server-ID len 40
log-format %rt\ %ci:%cp\ %bi\ %f\ %b\ %si:%sp\ %ST\ %r\

backend sabrix_web
balance source
server sabrix1 10.99.22.253:443 check cookie sabrix1
server sabrix2 10.99.22.14:443 check cookie sabrix2

  1. When I visit https://10.99.22.13/sabrix, the log shows:

2020-12-02T17:04:30+08:00 localhost haproxy[11989]: [02/Dec/2020:17:04:30.545] : SSL handshake failure
2020-12-02T17:04:30+08:00 localhost haproxy[11989]: [02/Dec/2020:17:04:30.544] : SSL handshake failure
2020-12-02T17:04:30+08:00 localhost haproxy[11989]: sabrix_web 10.99.22.14:443 502 GET /sabrix/ HTTP/1.1
2020-12-02T17:04:30+08:00 localhost haproxy[11989]: [02/Dec/2020:17:04:30.688] : SSL handshake failure
2020-12-02T17:04:30+08:00 localhost haproxy[11989]: 503 GET /favicon.ico HTTP/1.1
2020-12-02T17:12:01+08:00 localhost haproxy[11989]: SSL handshake failure
2020-12-02T17:12:01+08:00 localhost haproxy[11989]: TST/2: SSL handshake failure
2020-12-02T17:12:01+08:00 localhost haproxy[11989]: sabrix_web 10.99.202.14:443 502 GET /sabrix/ HTTP/1.1
2020-12-02T17:12:01+08:00 localhost haproxy[11989]: TST/2: SSL handshake failure
2020-12-02T17:12:01+08:00 localhost haproxy[11989]: TST -:- 503 GET /favicon.ico HTTP/1.1

3 possibilities…

  1. use no self-signed cert
  2. add your self-signed cert/ca-cert to the trusted CA store (e.g. /etc/ssl/certs)
  3. disable cert verification (verify none on the server lines), which opens the possibility of MITM attacks
  1. use no self-signed cert
    --- I used the openssl command to create a .csr and .key, combine a .csr file, then combine a .pem file. What do you mean by "no self-signed cert"? Do you mean to buy a business/rechargeable SSL?

  2. add your self-signed cert/ca-cert to the trusted CA store (e.g. /etc/ssl/certs)

    I used an OS command to copy the cert/ca-cert to the trusted CA store. Is that enough? Do I need to make some change in haproxy.cfg to let haproxy detect the cert/ca-cert?

  3. disable cert verification (verify none on the server lines), which opens the possibility of MITM attacks

    Yes, just as you say, the website can be visited successfully after I disable cert verification, but it is not safe, hence it is the last option.

Hi,

Yes, I was thinking about using a cert provided by an already trusted CA, or using your own CA, which might also be more practical in production environments, instead of self-signed certs. You only need to update with one root CA cert instead of individual certs for each server.

It depends on the openssl config where it looks up the trusted certs. But in the "certs" path you normally need the hashes of the certs as filenames.
Look here: https://www.openssl.org/docs/man1.0.2/man1/c_rehash.html

You can check the openssl part with the command:
openssl s_client -connect <address_domain>:<port> </dev/null
and to check whether verification works:
openssl s_client -verify 2 -connect <address_domain>:<port> </dev/null

There is also the haproxy server option ca-file to specify it separately.

When I use -connect, it shows "error:num=19". Does it mean I have to buy a commercial trusted CA?

openssl s_client -connect 10.99.22.100:443

CONNECTED(00000003)
depth=2 US = TSTSHA2ROOTCA
verify error:num=19:self signed certificate in certificate chain

Certificate chain
0 s:/C=US/O=TST/US=sabrixbjpre1.test.com
i:/DC=com/DC=test/US=testSHA2SUBCA1
1 s:/DC=com/DC=test/US=testSHA2SUBCA1
i:/US=TSTSHA2ROOTCA
2 s:/US=TSTSHA2ROOTCA
i:/US=TSTSHA2ROOTCA

Server certificate
-----BEGIN CERTIFICATE-----
MIIGPjCCBSagAwIBAgITTQAg+sbZigRPOQJ9bQAAACD6xjANBgkqhkiG9w0BAQsF


cLoayDZ11Rem1H4OXlFGtOsa
-----END CERTIFICATE-----
subject=/C=US/O=TST/US=sabrixpre1.test.com
issuer=/DC=com/DC=test/US=testSHA2SUBCA1

No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 5086 bytes and written 415 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 5FC8B85FA3A97C844FAC82D393878A113301C72FB7BC29B1F5CC8
Session-ID-ctx:
Master-Key: CAA6D80E44A9C9E07F7F3C33DE5961CFAC4C1B
D8951F33A4E98B768DAEA9581D1294577C56
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1606989948
Timeout : 300 (sec)
Verify return code: 19 (self signed certificate in certificate chain)

#openssl s_client -verify 10.99.22.100:443
verify depth is 10
socket: Bad file descriptor
connect:errno=9

No, you don’t have to buy. But then you wouldn’t have to configure anything.

It looks like there is something wrong with your cert…
I don't know of a subject attribute /US= - this should be /CN=, I think.
It is short for common name and it is the entry used for hostname validation.

You also can't connect to the IP address if there is no alternate subject name in the cert.
How this is done depends on the openssl version you use. Here are the different possibilities… I’ve linked to the comment with an up-to-date openssl version https://security.stackexchange.com/a/198409

If you’d like to add the IP address as alternate name you need to use something like
-addext 'subjectAltName=IP:10.99.22.100'.

If this is fixed you have to recheck if your ROOTCA cert is already trusted or there is something wrong in how you installed it.

If you need more assistance, could you then post the output of
ls -la $(openssl version -d | cut -d'"' -f 2)
please. To get some more readable formatting of console output here you can use 3 backticks ``` on the start line and again on the line after the "code".

To verify the correct command would be

openssl s_client -verify 2 -connect 10.99.22.100:443
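The two replies above suggest running your own CA instead of per-server self-signed certs, check the chain with openssl, use CN plus a subject alternative name (including the IP you connect to), and point haproxy at the CA with ca-file. The script below is an added example, not code from this thread or from the HAProxy project. It builds a private root CA and an intermediate CA, issues a backend certificate whose subject uses CN (not the /US= attribute seen in the s_client output) and whose SAN carries both the hostname and the IP, bundles leaf plus intermediate the way the backend and the haproxy frontend crt must present it (the missing intermediate is exactly what makes a chain unverifiable), and verifies with openssl verify, which checks the same thing s_client -verify does but offline. It also prints a backend snippet with verification kept on. The CA names, tst1.tst.com, 10.99.22.100 and the temporary paths are assumptions borrowed from the thread's examples; -extfile is used instead of -addext because the OpenSSL 1.0.2 that ships with CentOS 7 does not have -addext.

```shell
#!/bin/sh
# Added example (not from the thread): private root + intermediate CA, a backend cert
# with CN and SAN (DNS + IP), chain bundling, and offline verification the way haproxy's
# "verify required" + "ca-file" will do it. All names/IPs/paths are illustrative.
set -e

# make_pki DIR IP NAME: writes root-ca.{key,crt}, inter-ca.{key,crt}, server.{key,crt},
# server-chain.pem (leaf + intermediate, what the backend serves) and tst.pem
# (leaf + intermediate + key, the layout "bind ... ssl crt <file>" expects).
make_pki() {
  dir="$1"; ip="$2"; name="$3"
  mkdir -p "$dir"
  # Explicit extension sections: the CA bits make the chain verifiable, the SAN is what
  # makes hostname/IP validation possible (CN alone is not used for the IP case).
  cat > "$dir/ext.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$name, IP:$ip
EOF
  # 1. Self-signed root CA: the only certificate clients (and haproxy) need to trust.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$dir/ext.cnf" -extensions ca_ext -subj "/CN=TSTSHA2ROOTCA" \
    -keyout "$dir/root-ca.key" -out "$dir/root-ca.crt" 2>/dev/null
  # 2. Intermediate CA signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/ext.cnf" \
    -subj "/CN=testSHA2SUBCA1" -keyout "$dir/inter-ca.key" -out "$dir/inter-ca.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1825 -in "$dir/inter-ca.csr" \
    -CA "$dir/root-ca.crt" -CAkey "$dir/root-ca.key" -CAcreateserial \
    -extfile "$dir/ext.cnf" -extensions ca_ext -out "$dir/inter-ca.crt" 2>/dev/null
  # 3. Backend server certificate signed by the intermediate (CN + SAN from server_ext).
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/ext.cnf" \
    -subj "/CN=$name" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 825 -in "$dir/server.csr" \
    -CA "$dir/inter-ca.crt" -CAkey "$dir/inter-ca.key" -CAcreateserial \
    -extfile "$dir/ext.cnf" -extensions server_ext -out "$dir/server.crt" 2>/dev/null
  # 4. Bundles: leaf first, then the intermediate. The root belongs in the trust store, not here.
  cat "$dir/server.crt" "$dir/inter-ca.crt" > "$dir/server-chain.pem"
  cat "$dir/server.crt" "$dir/inter-ca.crt" "$dir/server.key" > "$dir/tst.pem"
}

# chain_ok CAFILE LEAF [INTERMEDIATE]: succeeds only if LEAF chains up to a root in CAFILE.
# Output is grepped for ": OK" so the result does not depend on the exit code of old openssl.
chain_ok() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1 | grep -q ': OK'
  else
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK'
  fi
}

# The two things the thread's certificate got wrong: no CN, and no SAN for the IP.
cert_has_cn()     { openssl x509 -in "$1" -noout -subject | grep -q "CN *= *$2"; }
cert_has_san_ip() { openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"; }

# cert_count PEM: number of certificates in a bundle (leaf + intermediates expected).
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# haproxy_backend_snippet DIR IP NAME: server line with verification on, beside the
# "verify none" line from the thread. In production put root-ca.crt under /etc/haproxy/ssl.
haproxy_backend_snippet() {
  cat <<EOF
backend sabrix_web
    balance source
    # ssl: speak TLS to port 443 (without it haproxy sends plain HTTP to a TLS port)
    # verify required + ca-file: accept only certs chaining to our root
    # verifyhost: reject a valid cert issued for some other host
    server sabrix1 $2:443 ssl verify required ca-file $1/root-ca.crt verifyhost $3 check check-ssl
    # NOT this (from the thread): it connects, but any certificate is accepted (MITM).
    # server sabrix1 $2:443 ssl check-ssl verify none
EOF
}

# Stand-alone run: build everything in a temp dir and show both verification outcomes.
D="$(mktemp -d)"
make_pki "$D" 10.99.22.100 tst1.tst.com
chain_ok "$D/root-ca.crt" "$D/server.crt" "$D/inter-ca.crt" && echo "leaf + intermediate against root: OK"
chain_ok "$D/root-ca.crt" "$D/server.crt" || echo "leaf alone against root: FAILS (intermediate missing, as in the thread)"
haproxy_backend_snippet "$D" 10.99.22.100 tst1.tst.com
```

Once the backend serves server-chain.pem, the live check from the reply above becomes `openssl s_client -CAfile root-ca.crt -connect 10.99.22.100:443 </dev/null`, and it should end with "Verify return code: 0 (ok)". If you prefer the trust-store route (c_rehash into the directory `openssl version -d` prints), only root-ca.crt needs to go there and the ca-file option can be dropped; the server lines in the posted configuration still need the `ssl` keyword either way, since they currently point at port 443 without it.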

Many thanks for your reply.
Yes, the root cause was the configuration of my .pem file (the root CA and intermediate CA were not included in it). When I re-edited it, the SSL handshake failures disappeared from the haproxy logs.
But I still get 502/503 failures when I visit http://10.99.22.13/sabrix.
Chrome shows:

502 Bad Gateway
The server returned an invalid or incomplete response.

From the haproxy logs:
sabrix_web 10.99.22.100:443 502 GET /sabrix/ HTTP/1.1
****** -:- 503 GET /favicon.ico HTTP/1.1

But if I add "ssl check-ssl verify none" to the backend server, the error disappears.
server sabrix1 10.99.22.100:443 ssl check-ssl verify none

Your ACL only matches path /sabrix.
For /favicon there is no backend configured.

Has haproxy disabled the /sabrix backend before?
Are you sure you are waiting long enough that haproxy detects the /sabrix backend is available?
The checks and retries can be configured.
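The reply above separates two different failures in the posted logs: a 503 for /favicon.ico, where no backend matched the ACL and haproxy never picked a server (the custom log-format prints "-:-" for %si:%sp), and a 502 for /sabrix/, where a server was picked and the connection to it went wrong. The awk triage below is an added example, not from the thread or the HAProxy project; it sorts log lines into those categories plus the "SSL handshake failure" lines (which haproxy prefixes with frontend/listener id, e.g. "TST/2", so they are client-side handshakes on the second bind line). The sample log is constructed from the lines quoted in the thread, and the field layout assumed is the poster's log-format, not haproxy's default httplog.

```shell
#!/bin/sh
# Added example (not from the thread): triage of haproxy log lines in the poster's
# custom log-format, i.e. "... haproxy[pid]: [backend] [server:port|-:-] STATUS METHOD ...".
set -e

# Constructed sample modelled on the thread's log excerpts (not a real capture).
SAMPLE_LOG="$(cat <<'EOF'
2020-12-02T17:04:30+08:00 localhost haproxy[11989]: [02/Dec/2020:17:04:30.545] : SSL handshake failure
2020-12-02T17:12:01+08:00 localhost haproxy[11989]: TST/2: SSL handshake failure
2020-12-02T17:04:30+08:00 localhost haproxy[11989]: sabrix_web 10.99.22.14:443 502 GET /sabrix/ HTTP/1.1
2020-12-02T17:12:01+08:00 localhost haproxy[11989]: TST -:- 503 GET /favicon.ico HTTP/1.1
2020-12-06T12:14:57+08:00 localhost haproxy[24866]: 10.99.22.218:443 200 GET /sabrix/ HTTP/1.1
2020-12-06T12:14:58+08:00 localhost haproxy[24866]: 10.99.22.218:443 200 POST /sabrix/JavaScriptServlet HTTP/1.1
2020-12-06T12:15:10+08:00 localhost haproxy[24866]: GET /favicon.ico HTTP/1.1
2020-12-06T12:15:20+08:00 localhost haproxy[24866]: 503 GET /favicon.ico HTTP/1.1
EOF
)"

# triage_log: reads log lines on stdin, prints "category count" lines, sorted.
#   handshake   - "SSL handshake failure": TLS with the client never completed
#   backend_5xx - a server address was chosen and the request still ended in 5xx
#   no_server   - 5xx with no server address: nothing matched the ACL (no backend)
#   ok          - any non-5xx status
# Lines without a "STATUS METHOD" pair (e.g. a bare "GET /favicon.ico") are skipped.
triage_log() {
  awk '
    /SSL handshake failure/ { c["handshake"]++; next }
    {
      status = ""; server = ""
      # Field 4 is the first one after "haproxy[pid]:"; positions vary, so scan.
      for (i = 4; i <= NF; i++) {
        if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+:[0-9]+$/) server = $i
        if ($i ~ /^[1-5][0-9][0-9]$/ && $(i+1) ~ /^(GET|POST|PUT|DELETE|HEAD|OPTIONS)$/) {
          status = $i; break
        }
      }
      if (status == "") next
      if (status ~ /^5/ && server == "") c["no_server"]++
      else if (status ~ /^5/)            c["backend_5xx"]++
      else                               c["ok"]++
    }
    END { for (k in c) print k, c[k] }
  ' | sort
}

# count CATEGORY: number of sample lines in one category (0 if none).
count() {
  printf '%s\n' "$SAMPLE_LOG" | triage_log |
    awk -v k="$1" '$1 == k { print $2; f = 1 } END { if (!f) print 0 }'
}

printf '%s\n' "$SAMPLE_LOG" | triage_log
```

Run against a real file with `triage_log < /var/log/haproxy.log`. A rising `no_server` count for one path is a routing question (add a backend or a default_backend, or accept the 503); a `backend_5xx` count that moves together with `handshake` lines is a TLS question, and "verify none" makes the second number go away without making the setup safe.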

Yes, my ACL only matches path /sabrix because I just want to export /sabrix. There is no /favicon to be published.
I also think the /favicon error can be ignored, because the error was still recorded when I appended ssl check-ssl verify none to haproxy.cfg and the visit was successful, just like this:
/////////////////////////////////////////////////////////////////////////////////////////////////////////
2020-12-06T12:14:57+08:00 localhost haproxy[24866]: 10.99.22.218:443 200 GET /sabrix/ HTTP/1.1
2020-12-06T12:14:58+08:00 localhost haproxy[24866]: 10.99.22.218:443 200 GET /sabrix/JavaScriptServlet HTTP/1.1
2020-12-06T12:14:58+08:00 localhost haproxy[24866]: 10.99.22.218:443 200 POST /sabrix/JavaScriptServlet HTTP/1.1
2020-12-06T12:15:10+08:00 localhost haproxy[24866]: 10.99.22.218:443 200 GET /sabrix/ HTTP/1.1
2020-12-06T12:15:10+08:00 localhost haproxy[24866]: GET /favicon.ico HTTP/1.1
2020-12-06T12:15:20+08:00 localhost haproxy[24866]: 503 GET /favicon.ico HTTP/1.1
2020-12-06T12:16:12+08:00 localhost haproxy[24866]: 10.99.22.218:443 200 GET /sabrix/ HTTP/1.1
2020-12-06T12:16:12+08:00 localhost haproxy[24866]: 10.99.22.218:443 200 GET /sabrix/JavaScriptServlet HTTP/1.1
2020-12-06T12:16:12+08:00 localhost haproxy[24866]: 10.99.22.218:443 200 POST /sabrix/JavaScriptServlet HTTP/1.1
2020-12-06T12:16:18+08:00 localhost haproxy[24866]: 503 GET /favicon.ico HTTP/1.1
/////////////////////////////////////////////////////////////////////////////////////////////////////////
But when I edit retries from 1 to 3, the 503 error disappears (with "ssl check-ssl verify none").

Without ssl check-ssl verify none, retries doesn't work.

I also checked the favicon elements in Explorer by pressing F12; it is just an icon in the default page, like https://***.tst.com/sabrix/favicon.ico

haproxy didn't disable the /sabrix backend before.
The issue still exists after I tried many times, and it can be reproduced even if I wait long enough.