haproxy ssl keeps failing - apache

I have haproxy set up in a 6-node web application setup: 2 front-end servers, 2 web servers and 2 database servers.
I recently added SSL certificates and redirection for all the sites running on the servers. We run a Drupal multisite setup, so each site has its own apache config and conf file on the web servers.
The setup seems to work, but what happens is that the SSL redirection fails after a certain amount of time (usually 1 few hours) and I have to keep restarting haproxy to fix it. I suspect either it's a setup issue with my haproxy or I am going about this the wrong way.
Below is my haproxy config file with accounts and IPs munged.
Anyone able to give me any suggestions on what I am doing wrong?
global
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
stats socket /var/lib/haproxy/stats
defaults
mode tcp
log global
option httplog
option dontlognull
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
frontend web-front *:80
acl url_static path_beg -i /static /images /javascript /stylesheets
acl url_static path_end -i .jpg .gif .png .css .js
option abortonclose
option http-keep-alive
default_backend web
frontend web-front-ssl *:443
acl url_static path_beg -i /static /images /javascript /stylesheets
acl url_static path_end -i .jpg .gif .png .css .js
option abortonclose
option http-keep-alive
default_backend web-ssl
listen stats *:9000
maxconn 500
mode http
log global
stats enable
stats refresh 30s
stats hide-version
stats show-node
stats uri /stats
stats auth ******:*******
backend web
balance roundrobin
stick-table type ip size 1m expire 1h
stick on src
server web01 10.10.10.17:80 check maxconn 1000
server web02 10.10.10.18:80 check maxconn 1000
option abortonclose
option http-keep-alive
backend web-ssl
balance roundrobin
stick-table type ip size 1m expire 1h
stick on src
server web01 10.10.10.17:443 check maxconn 1000
server web02 10.10.10.18:443 check maxconn 1000
option abortonclose
option http-keep-alive

It is not clear what you mean by "ssl redirection fails", but since you are saying that this happens after 1 hour, then this is probably about the "expire 1h" in your configuration.
Try to adjust that parameter accordingly.

Related

Unable to load backend servers URL via haproxy

When we hit https://abc.domain.com/global it is able to reach the backend server, but the page keeps on loading. Direct links to the backend servers work, and we are able to telnet to the servers as well; for example https://srv1:8180/D2 and https://srv2:8180/D2 work.
Could anyone please suggest what is missing? This is my first hands-on with haproxy. SELinux is disabled. The haproxy server is on Red Hat 7.9 and the haproxy version is 1.7.1.
Below is the configuration file:
defaults
mode http
log global
option httplog
#option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 10m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
stats enable
stats uri /stats
stats realm Haproxy\ Statistics
stats auth *:*
frontend https-in
mode http
bind *:443 ssl crt /etc/pki/tls/private/haproxy.pem
# redirect scheme https if !{ ssl_fc }
acl test_host hdr(host) -i abc.domain.com
acl d2nsh path_beg -i /global
use_backend testd2nsh if test_host d2nsh
frontend http-in
bind *:80
mode http
option httplog
##
acl test_host hdr(host) -i abc.domain.com
##
acl d2nsh path_beg -i /global
##
##
backend testd2nsh
mode http
balance roundrobin
option httpclose
option forwardfor
cookie JSESSIONID prefix nocache
reqrep ^([^\ :]*)\ /global/(.*) \1\ /D2/\2
server srv1_8180 srv1:8180 ssl verify none check cookie s1
server srv1_8190 srv1:8190 ssl verify none check cookie s2
server srv2_8180 srv2:8180 ssl verify none check cookie s3
server srv2_8190 srv2:8190 ssl verify none check cookie s4
##
Which version of HAProxy do you use?
haproxy -vv
Just a wild guess, but maybe the /global URL does not exist on srv*:8180 and you get a redirect to https://srv*:8180/D2.
If this is the case then try to set the path in the backend with http-request set-path:
backend testd2nsh
# other configs
http-request set-path /D2
# rest of the config
Some servers and applications can be configured to know that they run behind a reverse proxy and adapt their redirects, like Tomcat.

How to configure HAProxy to "proxy" two domain names to different ports in localhost

I have one server containing the FE app and the BE for it. The FE listens on port 80 and the BE is deployed to Tomcat listening on the default port 8080. HAProxy is used to listen on port 443 and handle SSL. Proxying to the FE on port 80 works fine, but not to the BE on Tomcat port 8080. Here's the configuration I'm using:
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
maxconn 3072
tune.ssl.default-dh-param 2048
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/ssl.key
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
#ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option httpchk
option httplog
option dontlognull
option forwardfor
option http-server-close
option http-keep-alive
option abortonclose
option redispatch
retries 3
maxconn 3072
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
listen stats
bind 0.0.0.0:9000
mode http
frontend http-in
bind *:443 ssl crt /etc/ssl/private/bundle.pem
http-request set-header X-Forwarded-Proto https if { ssl_fc }
redirect scheme https if !{ ssl_fc }
# Define hosts
acl host_fe hdr(host) -i fe.domain.com
acl host_be hdr(host) -i be.domain.com
## figure out which one to use
use_backend fecluster if host_fe
use_backend becluster if host_be
backend fecluster
balance leastconn
option httpclose
option forwardfor
server node1 localhost:80 cookie A check
backend becluster
mode http
balance leastconn
option httpclose
option forwardfor
cookie JSESSIONID prefix
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
redirect scheme https if !{ ssl_fc }
server node1 localhost:8080 maxconn 32 check inter 5000 cookie node1
Tomcat works fine when using the IP address directly, so that's not the cause. So help is needed for host_be / becluster.

HAProxy with Multiple SSL Chooses Wrong Certificate

I have a problem where sometimes HAProxy chooses the wrong SSL certificate. The scenario is this: I have 3 domains:
domain1.com
domain2.com
domain3.com
Each domain goes to the same backend; all SSL termination happens on the load balancer. Also, each domain has its own pem file in the designated pem folder.
Sometimes domain2.com will try to use the domain1.com certificate, and the same happens for the other domains. A simple refresh fixes it, but it shouldn't happen. Here is my config:
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 10048
tune.ssl.default-dh-param 2048
defaults
log global
mode http
option forwardfor
option http-server-close
option httplog
option dontlognull
timeout connect 5000
timeout client 2000000
timeout server 2000000
frontend http_front
bind *:80
stats uri /haproxy?stats
reqadd X-Forwarded-Proto:\ http
default_backend http_back
frontend www-https
bind *:443 ssl crt /etc/ssl/pems/ #All PEMs here, in separate files
reqadd X-Forwarded-Proto:\ https
default_backend http_back
backend http_back
redirect scheme https if !{ ssl_fc }
balance roundrobin
server sprout1 x.x.x.x:80 check
What am I missing in my config?

SSL with HAProxy doesn't show CSS

I have a problem with my HAProxy:
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 2048
tune.ssl.default-dh-param 2048
# Default SSL material locations
#ca-base /etc/haprorxy/certs/ca_bundle.crt
#crt-base /etc/haproxy/certs/certificate.crt
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
#ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
#ssl-default-bind-options no-sslv3
defaults
log global
mode tcp
option httplog
option dontlognull
option forwardfor
option http-server-close
retries 3
option redispatch
timeout connect 5s
timeout client 5s
timeout server 5s
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend http_front
bind *:80
reqadd X-Forwarded-Proto:\ http
stats uri /haproxy?stats
default_backend wp7.xxxx.com
stats auth admin:test
frontend https_front
mode tcp
bind *:443 ssl crt /etc/haproxy/certs/wp7.xxxxx.com.pem
reqadd X-Forwarded-Proto:\ https
default_backend wp7.xxxxxxx.com
stats uri /haproxy?stats
stats auth admin:test
backend wp7.xxxx.com
redirect scheme https if !{ ssl_fc }
option httpclose
option forwardfor
balance roundrobin
server Backend Backend_IP:80 check
#server rproxy02 xx.xx.xxx.xx:443 check
But the website doesn't look how it should on https: https://www.pic-upload.de/view-32841877/Untitled.png.html
This is how it should look: https://www.pic-upload.de/view-32841910/Untitled.png.html
The website runs a WordPress installation. When I go through port 80 (http) everything is OK, but if I go through port 443 (https, as in the picture), it looks like in the picture.
Can someone help or have an idea?
Try these lines in the frontend:
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }

https://serversforhackers.com/c/using-ssl-certificates-with-haproxy
Got the same issue and resolved it with this link. Hope this helps.

haproxy reverse proxy directing randomly

The reverse proxy of mydomain.com is working, but the subdomain fela.mydomain.com seems to be randomly picking between 172.17.0.59:8080 and 172.17.0.50:8080.
global
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 10000
timeout server 10000
listen stats
# Uncomment "disabled" below to disable the stats page :
# disabled
bind :1988
stats uri /
frontend http-in
bind *:80
# Define hosts
acl host_fela hdr(host) -i fela.mydomain.com
acl host_mydomain hdr(host) -i mydomain.com
## figure out which one to use
use_backend mydomain_cluster if host_mydomain
use_backend fela_cluster if host_fela
backend mydomain_cluster
balance leastconn
option httpclose
option forwardfor
cookie JSESSIONID prefix
server node1 172.17.0.50:8080 cookie A check
backend fela_cluster
balance leastconn
option httpclose
option forwardfor
cookie JSESSIONID prefix
server node1 172.17.0.59:8080 cookie A check
If your intention is to strictly forward all the traffic targeted at fela.mydomain.com to 172.17.0.59:8080, use a different name for that cookie:
server node1 172.17.0.59:8080 cookie B check
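As an added example that is not from any of these posts, a small Python linter for two of the patterns these threads show: the first post's `defaults` in `mode tcp` carrying HTTP-only options (with a frontend inheriting that mode), and the last post's two backends whose servers both use cookie value A. It runs on a constructed sample config; `haproxy -c -f` remains the authoritative check, this only makes the inheritance of `mode` from `defaults` visible.

```python
import re

SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")
# Directives HAProxy only honours in HTTP mode; matched as line prefixes.
HTTP_ONLY = ("option httplog", "option forwardfor", "option http-keep-alive",
             "option http-server-close", "option httpclose", "redirect ",
             "cookie ", "http-request ", "reqadd ", "reqrep ")

def parse(text):
    """Return [(kind, name, [directive lines])] in file order, comments stripped."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = SECTION_RE.match(line)
        if m:
            sections.append((m.group(1), m.group(2), []))
        elif line and sections:
            sections[-1][2].append(line)
    return sections

def lint(text):
    """Flag HTTP-only directives in tcp-mode sections and server cookies reused across backends."""
    findings, default_mode, cookie_owner = [], "tcp", {}
    for kind, name, lines in parse(text):
        if kind == "global":
            continue
        modes = [d.split()[1] for d in lines if d.startswith("mode ")]
        if kind == "defaults":  # a defaults block resets the mode later sections inherit
            default_mode = modes[-1] if modes else "tcp"
        mode = modes[-1] if modes else default_mode
        label = f"{kind} {name}".strip()
        for d in lines:
            if mode == "tcp" and d.startswith(HTTP_ONLY):
                findings.append(f"{label}: '{d}' ignored in tcp mode")
            m = re.match(r"server\s+\S+\s+.*\bcookie\s+(\S+)", d)
            if m:
                prev = cookie_owner.setdefault(m.group(1), name)
                if prev != name:
                    findings.append(f"{label}: cookie value '{m.group(1)}' also used by {prev}")
    return findings

# Constructed sample: tcp-mode defaults with HTTP options (first post) and two backends sharing cookie "A" (last post).
SAMPLE = "\n".join([
    "defaults", "    mode tcp", "    option httplog",
    "frontend web-front *:80", "    option http-keep-alive", "    default_backend web",
    "backend mydomain_cluster", "    mode http", "    cookie JSESSIONID prefix",
    "    server node1 172.17.0.50:8080 cookie A check",
    "backend fela_cluster", "    mode http", "    cookie JSESSIONID prefix",
    "    server node1 172.17.0.59:8080 cookie A check"])
```

Running `lint(SAMPLE)` reports the inherited tcp mode on the frontend as well as on the defaults block itself, and the shared cookie value between the two backends.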