What can be the cause of <NOSRV>?

I’m testing a site with HAProxy 2.8 as the front end (FE) and Tomcat 9 as the back end (BE).

Nov 29 12:04:06 mail haproxy[59727]: ::ffff:82.181.2.33:57607 [29/Nov/2023:12:04:06.096] http-in http-in/<NOSRV> 472/-1/-1/-1/472 301 81 - - LR-- 2/2/0/0/0 0/0 "GET / HTTP/1.1"

When doing a

telnet 82.181.2.33 80
GET / HTTP/1.1

I’m getting nothing, but the above is logged.

The 301 comes from this in my haproxy.cfg:

    # Redirect if HTTPS is *not* used
    # The 301 is generated by HAProxy itself, so no backend server handles the
    # request and the log's server field reads <NOSRV>.
    redirect scheme https code 301 if !{ ssl_fc }

Can you share the config please?

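I suspect it’s just not selecting the backend because the request is being redirected in the frontend before whatever use_backend directive you have is reached. In that case HAProxy answers the request itself, which is what <NOSRV> in the log means: no server was ever involved. Does a TLS connection work as expected…?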

You can test with something like: openssl s_client -connect 82.181.2.33:443

Here’s the config /etc/haproxy/haproxy.cfg:

global
        # Process-wide settings: logging, privilege drop, runtime socket and
        # the TLS defaults inherited by every "bind ... ssl" line.
        log /dev/log    local0
        log /dev/log    local1 debug
        chroot /var/lib/haproxy
        # Runtime API socket. "level admin" allows every runtime command, so the
        # only access control is the socket's file mode (660: owner and group).
        stats socket /var/run/haproxy/admin.sock level admin mode 660
        # Value redacted in the post; the frontend appends it to its ACME
        # challenge replies via ${ACCOUNT_THUMBPRINT}.
        setenv ACCOUNT_THUMBPRINT 'xxxxxxxxxxxxxxxxxxxxxx'
        stats timeout 30s
        maxconn 4000
        # Run as an unprivileged user/group, detached from the terminal.
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/apache2/certs
        crt-base /etc/ssl/apache2/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # NOTE(review): the list still offers 3DES suites (ECDH+3DES, DH+3DES,
        # RSA+3DES) and static-RSA key exchange (RSA+...). 3DES has a 64-bit
        # block and is exposed to birthday attacks (SWEET32); static RSA gives
        # no forward secrecy. Consider dropping them unless a legacy client
        # needs them. This directive covers TLS 1.2 and below only.
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
        ssl-dh-param-file /etc/haproxy/dhparams.pem
        # NOTE(review): no-sslv3 by itself says nothing about TLS 1.0/1.1; the
        # effective floor then depends on the HAProxy/OpenSSL defaults. Stating
        # it explicitly (e.g. "ssl-min-ver TLSv1.2") makes the policy visible.
        ssl-default-bind-options no-sslv3
        # Do not send a self-issued (root) CA certificate in the served chain.
        ssl-skip-self-issued-ca

defaults
        # Settings inherited by every frontend/backend below unless overridden.
        log     global
#        log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq"
        mode    http
        option  httplog
        option  dontlognull
        # Timeouts without a unit are milliseconds: 5 s connect, 50 s client/server.
        # NOTE(review): no "timeout http-request" is set, so a client may take up
        # to "timeout client" (50 s) to deliver a complete request before the
        # 408 is sent. A short http-request timeout limits how long slow or idle
        # clients can hold connections open.
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        # Custom bodies for errors generated by HAProxy itself.
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http
    # gzip-compress responses of the listed content types.
    compression algo gzip
    compression type text/html text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy application/atom+xml application/javascript application/x-javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest
    balance roundrobin
#    option dontlog-normal
#    option dontlognull
    option httpclose
    # Adds an X-Forwarded-For header carrying the client address.
    # NOTE(review): a client can send its own X-Forwarded-For as well; the
    # backend should trust only the value added by this proxy - confirm how
    # Tomcat is configured to read it.
    option forwardfor

frontend http-in
    # Single frontend for plain HTTP (80), HTTPS (443/tcp) and HTTP/3 (443/udp).
#    bind *:80
    # ":::80 v4v6" listens on the IPv6 wildcard and accepts IPv4 too, which is
    # why IPv4 clients are logged as ::ffff:a.b.c.d.
    bind :::80 v4v6
#    bind *:443 ssl crt /etc/haproxy/certs/www.myserver.org.pem
    bind :::443 v4v6 ssl crt /etc/haproxy/certs/www.myserver.org.pem
    # NOTE(review): allow-0rtt accepts TLS 1.3 early data, which an attacker can
    # replay; it is only appropriate for requests that are safe to repeat
    # (idempotent). Confirm the applications behind this frontend tolerate
    # replays, or drop the option.
    bind quic4@0.0.0.0:443 name quic443 ssl crt /etc/haproxy/certs/www.myserver.org.pem proto quic alpn h3,h3-29,h3-28,h3-27 npn h3,h3-29,h3-28,h3-27 allow-0rtt curves secp521r1:secp384r1
     # NOTE(review): this advertises h3-Q050/h3-Q046/h3-Q043 and "quic", none of
     # which appear in the alpn list of the QUIC bind above - confirm intended.
     http-response add-header alt-svc 'h3=":443"; ma=7200,h3-29=":443"; ma=7200,h3-Q050=":443"; ma=7200,h3-Q046=":443"; ma=7200,h3-Q043=":443"; ma=7200,quic=":443"; ma=7200'

    # ACME HTTP-01 challenges are answered by HAProxy directly: last path
    # component + "." + ${ACCOUNT_THUMBPRINT}. http-request rules are evaluated
    # before "redirect", so this also works over plain HTTP on port 80.
    http-request return status 200 content-type text/plain lf-string "%[path,field(-1,/)].${ACCOUNT_THUMBPRINT}\n" if { path_beg '/.well-known/acme-challenge/' }

    # Redirect if HTTPS is *not* used
    # The 301 is produced by HAProxy itself, before any use_backend rule is
    # evaluated, so such requests are logged with <NOSRV> as the server.
    redirect scheme https code 301 if !{ ssl_fc }

    acl letsencrypt-acl path_beg /.well-known/acme-challenge/

    # NOTE(review): the "http-request return" above already answers every
    # request under this path, so this rule looks unreachable - verify.
    use_backend letsencrypt-backend if letsencrypt-acl
    # Used when no use_backend rule in this frontend matches.
    default_backend website

    log /dev/log local2 debug

    acl is_static       path_beg /export/ /opencms/ /resources/ /javadoc/ /VAADIN/ /workplace /opencms-login/
#    acl is_static       path_beg /willi
    # NOTE(review): hdr_beg is a prefix match, so any Host header that merely
    # starts with the name (e.g. "www.myserver.org.<other-domain>") matches as
    # well. An exact match on the host is the stricter choice.
    acl is_website      hdr_beg(host) -i www.myserver.org
    acl is_cmssite      hdr_beg(host) -i cms.myserver.org
    # use_backend rules are evaluated in order; the first match wins.
    use_backend website-static if is_website is_static
    use_backend website if is_website
    use_backend cmssite if is_cmssite

backend letsencrypt-backend
    # Local ACME responder on loopback port 8888.
    # NOTE(review): the frontend answers ACME challenges itself through
    # "http-request return", so this backend may no longer receive traffic.
    server letsencrypt 127.0.0.1:8888

backend website-static
    # Static paths of www.myserver.org; same loopback target (127.0.0.1:8080)
    # as the "website" backend. No health check ("check") is configured.
    server www.myserver.org 127.0.0.1:8080

backend website
    # Default backend for www.myserver.org; plain HTTP to loopback port 8080.
    # The two commented-out rules below would have prefixed /opencms to the
    # Destination header and to the request path.
     #    http-request replace-header Destination ^([^\ :]*)\ /(.*) \1\ /opencms/\2
     # http-request set-path /opencms%[path]
    server www.myserver.org 127.0.0.1:8080
backend cmssite
    # Backend for cms.myserver.org; plain HTTP to loopback port 8082.
    # The /opencms rewrite rules are commented out here as well.
     #    http-request replace-header Destination ^([^\ :]*)\ /(.*) \1\ /opencms/\2
    #  http-request set-path /opencms%[path]
    server cms.myserver.org 127.0.0.1:8082

EDIT: Sorry, I goofed. Gave the wrong address in the openssl request. The TLS Handshake seems to work.

It starts like this:

$ openssl s_client -connect xx.xx.xx.xx:443
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
verify return:1
depth=1 C = AT, O = ZeroSSL, CN = ZeroSSL RSA Domain Secure Site CA
verify return:1
depth=0 CN = www.myserver.org
verify return:1
---
Certificate chain
 0 s:CN = www.myserver.org
   i:C = AT, O = ZeroSSL, CN = ZeroSSL RSA Domain Secure Site CA
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
   v:NotBefore: Nov 14 00:00:00 2023 GMT; NotAfter: Feb 12 23:59:59 2024 GMT
 1 s:C = AT, O = ZeroSSL, CN = ZeroSSL RSA Domain Secure Site CA
   i:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
   v:NotBefore: Jan 30 00:00:00 2020 GMT; NotAfter: Jan 29 23:59:59 2030 GMT
 2 s:C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
   i:C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA384
   v:NotBefore: Mar 12 00:00:00 2019 GMT; NotAfter: Dec 31 23:59:59 2028 GMT
---

certificates follow…
And at the end:

---
read R BLOCK
HTTP/1.1 408 Request Time-out
Content-length: 110
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>408 Request Time-out</h1>
Your browser didn't send a complete request in time.
</body></html>
closed