Unable to start domain with https - ssl

I am working on haproxy. I want to make my site open with http. I have purchased ssl certificate and install on the server.
In ha.cfg I have configured as follow :
global
tune.bufsize 32786
tune.maxrewrite 16384
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
maxconn 8192
user haproxy
group haproxy
daemon
defaults
log global
mode http
option httplog
option dontlognull
retries 3
option redispatch
balance roundrobin
stats enable
stats refresh
stats uri /ssproxy_stats
stats realm Haproxy\ Statistics
stats auth haproxy:haproxy
maxconn 4000
contimeout 5000
clitimeout 50000
srvtimeout 50000
frontend http
bind *:80
acl hari path_beg /customers
acl css path_beg /assets
reqadd X-Forwarded-Proto:\ http
use_backend appointpress_app if hari
use_backend appointpress_app if css
default_backend appointpress_site
frontend https
bind *:443 ssl crt /etc/ssl/ssl.key/mydomain.crt
default_backend appointpress_site
backend appointpress_app :80
stats enable
stats auth haproxy:haproxy
cookie SERVERID insert
option httpclose
option forwardfor
server app_server ec2-elastic-domain:80 cookie haproxy_app check
backend appointpress_site :80
stats enable
stats auth haproxy:haproxy
cookie SERVERID insert
option httpclose
option forwardfor
server wordpress someip:443 cookie haproxy_site check
After running the command haproxy -f ha.cfg I am getting no error,
and when I am running url http://ec2-instance, its working fine
but while running https://ec2-instance,
I am getting error :
in chrome : Error code: ERR_SSL_PROTOCOL_ERROR
in firefox : Error code: ssl_error_rx_record_too_long
How to resolve the error

Check to make sure that your EC2 security rules allow port 443 to your running instance. A simple way to test this is to use telnet from your client:
telnet ec2-instance 443

Related

Enable stats uri page in HAProxy tcp mode

Below is my haxproxy configuration. I am trying to enable stats page so that I can see the status of the servers. But after validating the file, getting a warning message as below and stats page is not shown after hitting the configured uri.
'stats' statement ignored for frontend 'http-in' as it requires HTTP mode
I am using haproxy version 1.8.x.
global
log /dev/log local0
log /dev/log local1 notice
user haproxy
group haproxy
daemon
defaults
log global
mode tcp
option tcplog
timeout connect 120s
timeout client 300s
timeout server 180s
frontend http-in
bind *:443
stats enable
stats refresh 10s
stats uri /haproxy?stats
default_backend servers
backend servers
balance roundrobin
server sec-server1 192.68.29.230:8080 check
server sec-server2 192.68.29.229:8080 check
Please assist. can we not see the stats page in tcp mode?
Add the below things and try
global
global
# turn on stats unix socket
stats socket /var/lib/haproxy/stats mode 666 level admin
server-state-file /var/lib/haproxy/haproxy.state
defaults
defaults
default-server init-addr last,libc,none
load-server-state-from-file global
frontend
frontend http-in
bind *:443
option http-server-close
option forwardfor
http-request add-header X-Forwarded-Proto https
http-request add-header X-Forwarded-Port 1443
default_backend servers
stats uri /hap?_stats
stats auth haadm:username#pwd
stats hide-version
stats show-node

HAProxy stuck on ssl websocket (parse livequery)

My use-case is use HAProxy as ssl termination on Parse Server & Parse LiveQuery. I'm stuck on haproxy config because it can't connect websocket properly, and it's work only when connect to local (no ssl termination). Tested on iOS (react native app).
This is my haproxy config
global
maxconn 50000
log 127.0.0.1 local0
user haproxy
chroot /usr/share/haproxy
pidfile /run/haproxy.pid
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-bind-options no-sslv3
daemon
defaults
log global
retries 3
mode http
stats enable
stats uri /stats
stats realm Haproxy\ Statistics
stats auth xx:xx
option forwardfor
option http-server-close
option httplog
option dontlognull
frontend xxx_web
bind *:443 ssl crt /etc/haproxy/certs/xxx.com.pem
acl host_api_xxx hdr(host) -i api.xxx.com
acl is_websocket hdr(Upgrade) -i websocket
reqadd X-Forwarded-Port:\ 443
reqadd X-Forwarded-Proto:\ https
reqadd X-Forwarded-Scheme:\ https
redirect scheme https if !{ ssl_fc }
use_backend ws_xxx if is_websocket
use_backend api_xxx if host_api_xxx
backend ws_xxx
server ws_xxx 127.0.0.1:7777 check
backend api_xxx
balance roundrobin
reqadd X-Forwarded-Port:\ 443
reqadd X-Forwarded-Proto:\ https
reqadd X-Forwarded-Scheme:\ https
server api_xxx 127.0.0.1:7777 check # ssl verify none
Changing the mode to "mode tcp" should help.

HAproxy times out(504 error) with large POST bodies

I have 3 nodejs web-servers spun on an ubuntu box and HAproxy to load-balance those servers on the same box. HAproxy listens at port 80(http) and 443(https, with SSL termination). There's no SSL between the HAproxy server and the web-servers.
The POST call to one of the api without SSL, passes through with any value of content-length, but when I try to do the POST call with a content-length greater than 8055 on the HAproxy with SSL connection(port443), HAproxy times out giving a 504 Gateway Timeout error.
Also, if I give an "Expect:100 continue" header to the curl command, the server responds with some delay, which I don't want to exist. Below is how the HAproxy config file looks like:
global
stats socket /var/run/haproxy.sock mode 0777
log 127.0.0.1 local0 info
log 127.0.0.1 local1 info
chroot /usr/share/haproxy
uid nobody
gid nobody
nbproc 1
daemon
maxconn 50000
frontend localnodes:https
bind *:443 ssl crt /etc/ssl/private/443_private_ssl_in.pem no-sslv3
mode http
reqadd X-Forwarded-Proto:\ https
default_backend nodes
timeout client 30000
frontend localnodes-http
bind *:80
mode http
reqadd X-Forwarded-Proto:\ http
default_backend nodes
timeout client 30000
backend nodes
mode http
balance roundrobin
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
log global
timeout connect 3000
timeout server 30000
option httplog
option ssl-hello-chk
option httpchk GET /
http-check expect status 404
server nodejsweb01 127.0.0.1:8000 check
server nodejsweb02 127.0.0.1:8001 check
server nodejsweb03 127.0.0.1:8002 check
I have ensured that the nodejs web-servers behind have no problem, they work fine. I have tried increasing the 'timeout server' period, no effect.
Also tried a solution on this link that tells to give an option ssl ca-file to the backend nodes, as follows:
server nodejsweb01 127.0.0.1:8000 ssl ca-file /etc/ssl/certs/ca.pem check
server nodejsweb02 127.0.0.1:8001 ssl ca-file /etc/ssl/certs/ca.pem check
server nodejsweb03 127.0.0.1:8002 ssl ca-file /etc/ssl/certs/ca.pem check
but after this option HAproxy throws an error saying no servers available at the backend.
Please tell me what am I doing wrong in HAproxy conf file, so that I make the webservers respond successfully with the SSL connection
Try this minimum config:
frontend localnodes
bind *:80
bind *:443 ssl crt /etc/ssl/private/443_private_ssl_in.pem
mode http
default_backend nodes
backend nodes
mode http
option forwardfor
option httplog
server nodejsweb01 127.0.0.1:8000 check
server nodejsweb02 127.0.0.1:8001 check
server nodejsweb03 127.0.0.1:8002 check
I suspect it's those additional options.
It could also be the SSL cert file. Is your PEM file created from a self-signed cert? How is it structured?

HAProxy using 100% CPU 200 concurrent connections

I've recently started to load test my app and found that HAProxy for some reason is not able to handle a lot of concurrent connections.
Im only using HAProxy to load balance my SSL traffic, for non-ssl (99% of my traffic is ssl) i use nginx.
I have tested my setup on blitz.io and when sending traffic to non-ssl (200 concurrent) i get no timeouts or errors. However when doing the same test over SSL (which HAProxy handles) i immediately get 100% CPU and requests are timing out.
This leads me to believe there is something wrong in my HAProxy config.
Below is my config, any ideas what could be wrong?
Oh and i am running this on a medium EC2 CPU optimized instance
My haproxy.cfg:
global
maxconn 400000
ulimit-n 800019
nbproc 1
debug
daemon
log 127.0.0.1 local0 notice
defaults
mode http
option httplog
log global
stats enable
stats refresh 60s
stats uri /stats
maxconn 32768
frontend secured
timeout client 86400000
mode http
timeout client 120s
option httpclose
#option forceclose
option forwardfor
bind 0.0.0.0:443 ssl crt /etc/nginx/ssl/ssl-bundle.pem
acl is_sockjs path_beg /echo /broadcast /close # SockJS
acl is_express path_beg /probe /loadHistory /activity # Express
use_backend www_express if is_express
use_backend sockjs if is_sockjs
default_backend www_nginx
backend tcp_socket
mode http
server server1 xx.xx.xx.xx:8080 check port 8080
backend www_express
mode http
option forwardfor #this sets X-Forwarded-For
timeout server 30000
timeout connect 4000
server server1 xx.xx.xx.xx:8008 weight 1 maxconn 32768 check
backend sockjs
mode http
option forwardfor #this sets X-Forwarded-For
timeout server 30000
timeout connect 4000
server server1 xx.xx.xx.xx:8081 weight 1 maxconn 32768 check
backend www_nginx
mode http
option forwardfor #this sets X-Forwarded-For
timeout server 30000
timeout connect 4000
server server1 localhost:80 weight 1 maxconn 8024 check
listen stats :8181
mode http
stats enable
stats hide-version
stats realm Haproxy\ Statistics
stats uri /
stats auth helloxx:xx

HAProxy wildcard SSL backend forward issue

I am using HAProxy 1.5-dev21. I have purchased a wildcard SSL (for example: *.foo.com).
I want all traffic from Internet port 443 will redirect to internal network according the domain name, backend servers are many web server running HTTP (for example: abc.foo.com:443 -> 192.168.10.10:80 , edf.foo.com:443 -> 192.168.10.11:80)
However, whatever the incoming domain name, HAProxy passed all traffic to default backend.
My config is working well if I not using SSL
The following is my simplified config file:
global
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
maxconn 4096
defaults
log global
mode http
option tcplog
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
frontend https-in
mode tcp
bind :443 ssl crt /etc/haproxy/foo.com.pem
use_backend abc if { hdr_end(host) -i abc.foo.com }
use_backend def if { hdr_end(host) -i def.foo.com }
default_backend application-backend
backend abc
mode tcp
server Server1 192.168.10.10:80
backend def
mode tcp
server Server2 192.168.10.11:80
backend application-backend
mode tcp
server server3 192.168.10.12:80
You're using tcp mode while trying to access HTTP content.
Please turn on 'mode http' and it should work.
Baptiste
When you have of SSL, you can't use hdr_end. Here is how i do it:
frontend domain.com
bind 10.50.81.131:443 ssl crt domain.com ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
bind 10.50.81.131:80
mode http
maxconn 300
option httpclose
option forwardfor
reqadd X-Forwarded-Proto:\ https if { ssl_fc }
use_backend first_farm if { ssl_fc_sni sub1.domain.com }
use_backend second_farm if { ssl_fc_sni sub2.domain.com }
default_backend default_farm