hello list,
I am attempting to load balance SSL web servers using haproxy on centos 5.7.
I am using HA-Proxy version 1.4.18
Here is the stanza in the config regarding SSL:
listen https 192.168.1.200:443
        mode tcp
        balance roundrobin
        option forwardfor except 192.168.1.200
        option redispatch
        maxconn 10000
        reqadd X-Forwarded-Proto:\ https
        server web1 web1.summitnjhome.com:443 maxconn 5000
        server web2 web2.summitnjhome.com:443 maxconn 5000
I can connect to https on each web server and have it serve content. The IP
192.168.1.200 is a virtual IP created with keepalived and floating between two
load balancers.
I can connect to the virtual IP via openssl s_client and GET / where I see the
source code for the home page
openssl s_client -connect 192.168.1.200:443
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/ST=NJ/L=Summit/O=SNJH/CN=*.example.com/emailAddress=bluethundr at example.com
   i:/C=US/ST=NJ/L=Summit/O=SNJH/CN=*.example.com/emailAddress=bluethundr at example.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFejCCA2ICCQCjGRFk9cQ13zANBgkqhkiG9w0BAQUFADB/MQswCQYDVQQGEwJV
UzELMAkGA1UECBMCTkoxDzANBgNVBAcTBlN1bW1pdDENMAsGA1UEChMEU05KSDEb
MBkGA1UEAwwSKi5zdW1taXRuamhvbWUuY29tMSYwJAYJKoZIhvcNAQkBFhdibHVl
dGh1bmRyQGpva2VmaXJlLmNvbTAeFw0xMTA5MjUwMjU4NTRaFw0xMjA5MjQwMjU4
NTRaMH8xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJOSjEPMA0GA1UEBxMGU3VtbWl0
MQ0wCwFAKEFDATA4Yj2LgSBwxezlE
CMmqfE0Sg0lgKe3jmyzNHCAHGrzMKVdIUW7UBI+V4wZyE08Mw3HUh13To6DzBnmp
ET+zvFk5uUnbpzk3FWYFPPxiESuIEQKmi+MzrPnM6hjKc+Caq7rBxdWvg0d8eNsN
t2+UJxTJpnucgnAtIbAktNlsbYhb4Yw9iFs1YecPqvtaS22ZsChmlDAwpQYhn88p
OK+K9qOg8bMYThe6xPaAK1sMk+YfmhSPIaT974FYSIeFeY8fFa8zIZbiUcSxOnyM
fI/xh2uMwJkpxzHBXJWQxP3LZlgghSyuzL9j/g16xLZ3BotYwTGqHzMuoDVXQijq
92YTmeSl5bPaNro1stExh4ug+zk2IqrowciZ1Ehk1vQKCl31GjLKFX1P3fhwjt0o
/lQBnIgRtBFSI9RVP41+PTPjXXVzhqlgf3h1oFJ36sOQeg8342Hu0UWFg6gpy+q/
7iyuVV0CAwEAATANBgkqhkiG9w0BAQUFAAOCAgEABdQxDHPkpQV+A1RnwGP9nGNC
1uR+MTnuuowiUIEsTkSTipSlviVHlJx8CYDkQ3kcBiPJk6SjuOT8WrFu9D7+nAr8
7SNGknoe7flxhxI0fIqeLaQIncEAliv5mzw/agj2htn7GTmhP3At+JD3e3FYCrLI
kUoom53wLzJvoSu2ixBdY9yLQePC5AYBIlI6RVyCLMPQVen0fvgI7Ecyx+vvpjvD
Cu+rnGKxplPwROlFe2NPrLrV7pnGYGNcLSkO5fF32b3XvKob+xRG+rCUvmYtHA6y
6lEOBz8prwfc6ZTum+9vpb5ONmWtSaYn7mjPR/jw55kLSZ+NggW5YH6lqL8jb8b0
kNHZKgInSFSmoMY2W7pEq4ZQ5S8m5VrruBzqXNnCJ5NmQqF8bM97k81ATZoZ+r6z
oo51BfFGJSQdnGJNDJnBnl7bf9ynSbkYV3VidRNGHm+Gr/YYP32ITihlZLTioCmk
Wt+2x0xRk5jUS+MjCn5ozYTph3PxU/wW913+HCjDzx0g4fDLYW+YbWmV4zdls/Z7
pxdYaFDR594Ov1H7E2wPZeWBmR+7kT2ZFwOXVQb0qF2Dx5Q0dbZ9TEu8rTJ7jdjD
he/odOx11Qmiau/UYd5c0Pop6dJu3NhnlromNSAKR5QlTWE4UerOOyxwV+OklsDt
8qijXOiRdqk4efqL4cs
-----END CERTIFICATE-----
subject=/C=US/ST=NJ/L=Summit/O=SNJH/CN=*.example.com/emailAddress=bluethundr at example.com
issuer=/C=US/ST=NJ/L=Summit/O=SNJH/CN=*.example.com/emailAddress=bluethundr at example.com
---
No client certificate CA names sent
---
SSL handshake has read 2361 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 74AE373F9F177593D9CF8FFDFE2EDEB6C11958BF03E5315FC49C0641A17A6277
Session-ID-ctx:
Master-Key: E4C07C8D40B045FB30F612966F587AC30E3859913795B22D586D598F9EB3FE5BD97F6511920793E29EA363FE9A3961DD
Key-Arg : None
Krb5 Principal: None
Start Time: 1318902076
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
<html>
<head>
<img src='Illustration.jpg'</img>
</head>
</html>
closed
For now it's just a demo page with more complex content living deeper in
the directory structure.
A port scan with nmap shows that port 443 is open...
[root at VIRTCENT02:~] #nmap -p 443 192.168.1.200
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-10-17 21:59 EDT
Interesting ports on 192.168.1.200:
PORT STATE SERVICE
443/tcp open https
And port 443 is being listened on..
[root at VIRTCENT02:~] #lsof -i :443
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
haproxy 1763 haproxy 6u IPv4 7586 TCP VIRTUAL.example.com:https (LISTEN)
[root at VIRTCENT01:~] #netstat -tulpn | grep 443
tcp 0 0 192.168.1.200:443 0.0.0.0:* LISTEN 1752/haproxy
But a page will not render in a web page.
Unable to connect
Firefox can't establish a connection to the server at virtual.example.com.
And there is no activity in the haproxy debug logs when I hit the web page at
this address which should map to that ip.
[root at VIRTCENT01:~] #host virtual.example.com
virtual.example.com has address 192.168.1.200
Thanks in advance!
tim
From: Tim Dunphy <bluethundr at jokefire.com>
> I am attempting to load balance SSL web servers using haproxy on centos 5.7.
> I am using HA-Proxy version 1.4.18

Never used haproxy but maybe you want 'option ssl-hello-chk'... But search for "Since haproxy does not handle SSL" in their architecture (although old) doc... Anyway, you'd get more answers if you ask their mailing list...

JD
On Tue, 2011-10-18 at 02:52 +0000, Tim Dunphy wrote:
> hello list,
>
> I am attempting to load balance SSL web servers using haproxy on centos 5.7.
>
> I am using HA-Proxy version 1.4.18
>
> Here is the stanza in the config regarding SSL:
>
> listen https 192.168.1.200:443
>         mode tcp
>         balance roundrobin
>         option forwardfor except 192.168.1.200
>         option redispatch
>         maxconn 10000
>         reqadd X-Forwarded-Proto:\ https
>         server web1 web1.summitnjhome.com:443 maxconn 5000
>         server web2 web2.summitnjhome.com:443 maxconn 5000
>
> I can connect to https on each web server and have it serve content. The IP 192.168.1.200 is a virtual IP created with keepalived and floating between two load balancers.
>
> I can connect to the virtual IP via openssl s_client and GET / where I see the source code for the home page
<<<< snip >>>>
> And port 443 is being listened on..
>
> [root at VIRTCENT02:~] #lsof -i :443
> COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
> haproxy 1763 haproxy 6u IPv4 7586 TCP VIRTUAL.example.com:https (LISTEN)
>
> [root at VIRTCENT01:~] #netstat -tulpn | grep 443
> tcp 0 0 192.168.1.200:443 0.0.0.0:* LISTEN 1752/haproxy
>
> But a page will not render in a web page.
>
> Unable to connect
>
> Firefox can't establish a connection to the server at virtual.example.com.
>
> And there is no activity in the haproxy debug logs when I hit the web page at this address which should map to that ip.
>
> [root at VIRTCENT01:~] #host virtual.example.com
> virtual.example.com has address 192.168.1.200
>
> Thanks in advance!

----
I think your setup seems mostly ok but I ended up giving up on haproxy for SSL connections for a few reasons including limitations for handling/forwarding headers & source IP addresses.

I also found it easier to use nginx (or apache I suppose) to handle the first connection (terminate the SSL connection for the browser as a proxy) and to use normal http for haproxy load balancing (which then can use http mode instead of tcp mode and forward added headers) to the actual web servers.

Craig
On Mon, Oct 17, 2011 at 10:52 PM, Tim Dunphy <bluethundr at jokefire.com> wrote:
> hello list,
>
> I am attempting to load balance SSL web servers using haproxy on centos 5.7.
>
> I am using HA-Proxy version 1.4.18
>
> Here is the stanza in the config regarding SSL:
>
> listen https 192.168.1.200:443
>         mode tcp
>         balance roundrobin
>         option forwardfor except 192.168.1.200
>         option redispatch
>         maxconn 10000
>         reqadd X-Forwarded-Proto:\ https
>         server web1 web1.summitnjhome.com:443 maxconn 5000
>         server web2 web2.summitnjhome.com:443 maxconn 5000
>
> I can connect to https on each web server and have it serve content. The IP 192.168.1.200 is a virtual IP created with keepalived and floating between two load balancers.
>
> I can connect to the virtual IP via openssl s_client and GET / where I see the source code for the home page
>
> For now it's just a demo page with more complex content living deeper in the directory structure.
>
> A port scan with nmap shows that port 443 is open...
>
> And port 443 is being listened on..
>
> But a page will not render in a web page.
>
> Firefox can't establish a connection to the server at virtual.example.com.
>
> And there is no activity in the haproxy debug logs when I hit the web page at this address which should map to that ip.
>
> [root at VIRTCENT01:~] #host virtual.example.com
> virtual.example.com has address 192.168.1.200
>
> Thanks in advance!
> tim

You cannot use haproxy with SSL. You need to terminate the SSL connection before reaching haproxy, such as (already mentioned) using apache as a front end proxy. Then on the backend you need to connect to the node servers using http, not SSL (using SSL there is a waste of resources anyway). HAproxy needs to be able to see the http traffic, and especially since you are using 'reqadd' to add something into the stream.

You can't do any of that using tcp mode, nor can you get any kind of session stickiness with tcp load balancing. Tcp mode is only meant for things that keep a persistent connection, not http that uses multiple non-persistent connections.

- Brian Mathis -
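To make the three replies concrete, the following is an added HAProxy 1.4 configuration, written for this page and not taken from the thread or from the HAProxy project. It shows the two layouts side by side using the thread's own host names: JD's TCP passthrough with 'option ssl-hello-chk' health checks (where the HTTP-only lines from the original stanza are dropped because they have no effect on an encrypted stream), and the terminate-first layout Craig and Brian describe, where nginx or apache on the load balancer owns 192.168.1.200:443 and proxies plain HTTP to HAProxy running in http mode. The 127.0.0.1:8080 listener, the cookie name SRVID, the health-check path /, the syslog target and the timeouts are assumptions; only one of the two listen sections would be deployed at a time.

```haproxy
# Added example, not from the thread or the HAProxy project.
# Assumed values: 127.0.0.1:8080 as the plain-HTTP listener fed by the TLS
# terminator, cookie name SRVID, health-check path /, syslog on 127.0.0.1.

global
    log 127.0.0.1 local0
    maxconn 10000

defaults
    log     global
    option  redispatch
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Layout 1: TCP passthrough. HAProxy never sees plaintext, so it cannot add
# X-Forwarded-For or X-Forwarded-Proto, cannot log request lines and cannot do
# cookie stickiness; 'reqadd' and 'option forwardfor' from the original stanza
# are therefore left out (haproxy -c -f <file> warns that they are ignored in a
# proxy that is not in http mode). Clients see the backend's own certificate,
# which is why the s_client output above showed the wildcard cert with verify
# return code 18 (self signed).
listen https-passthrough 192.168.1.200:443
    mode tcp
    option tcplog
    balance roundrobin
    # Health check that completes enough of a TLS hello to know a backend is up
    # ('option ssl-hello-chk', as suggested earlier in the thread).
    option ssl-hello-chk
    server web1 web1.summitnjhome.com:443 maxconn 5000 check
    server web2 web2.summitnjhome.com:443 maxconn 5000 check

# Layout 2: TLS terminated in front. nginx/apache binds the VIP's :443,
# terminates TLS and proxies plain HTTP to this listener. HAProxy now runs in
# http mode, so header and stickiness directives work, and the backends are
# plain HTTP on :80 (no second TLS hop inside the network, as Brian notes).
listen http-balanced 127.0.0.1:8080
    mode http
    option httplog
    balance roundrobin
    # The terminator is the only client of this listener and already sets
    # X-Forwarded-For with the real client address, so do not add another copy
    # for connections arriving from 127.0.0.1 (same 'except' form as the original).
    option forwardfor except 127.0.0.1
    # Everything reaching this listener came in over TLS at the terminator.
    reqadd X-Forwarded-Proto:\ https
    # Per-client stickiness that tcp mode cannot provide.
    cookie SRVID insert indirect nocache
    option httpchk GET /
    server web1 web1.summitnjhome.com:80 maxconn 5000 cookie w1 check
    server web2 web2.summitnjhome.com:80 maxconn 5000 cookie w2 check
```

With layout 2 the backends must trust X-Forwarded-For and X-Forwarded-Proto only from the load balancers, since any client that can reach web1:80 directly could otherwise claim an arbitrary source address or scheme; on the backends that means listening on :80 only for the load balancer addresses, or filtering with a firewall rule. Validate either file with haproxy -c -f before reloading, which is also where the ignored-directive warnings for tcp mode show up.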