Haproxy error 400 with option ssl-hello-chk

apache-2.2, haproxy

I am getting 400 Bad Request errors in the Apache SSL logs on the real hosts when using the HAProxy option ssl-hello-chk. My setup uses HAProxy as a load balancer to handle SSL requests and pass them on to the reals. AFAIK "ssl-hello-chk" in HAProxy sends an SSL hello message to the hosts to make sure the hosts are available; this is better than the normal TCP-only check. Any idea why it's logging a 400 error when hello messages should not be logged at all? Also, I'm not sure if it is working correctly.

Thanks,
Tevez G

Best Answer

You can increase the apache loglevel to get more information about the HAPROXY hello request.

To see what happens you could use curl and switch on verbose messages:

curl -k -v https://real-https-apache.com

Curl should inform you about the different processes, including client-hello and server-hello.

Then also check the Apache logs.

This is what such a curl request looks like:

$ curl -k -v https://graph.facebook.com
* About to connect() to graph.facebook.com port 443 (#0)
*   Trying 66.220.146.100... connected
* Connected to graph.facebook.com (66.220.146.100) port 443 (#0)
* error setting certificate verify locations, continuing anyway:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* SSLv2, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES128-SHA
* Server certificate:
*        subject: /C=US/ST=California/L=Palo Alto/O=Facebook, Inc./CN=*.facebook.com
*        start date: 2010-01-13 00:00:00 GMT
*        expire date: 2013-04-11 23:59:59 GMT
*        common name: *.facebook.com (matched)
*        issuer: /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance CA-3
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET / HTTP/1.1
> User-Agent: curl/7.18.0 (i486-pc-linux-gnu) libcurl/7.18.0 OpenSSL/0.9.8g zlib/1.2.3.3 libidn/1.1
> Host: graph.facebook.com
> Accept: */*
> 
< HTTP/1.1 302 Found
< Cache-Control: private, no-cache, no-store, must-revalidate
< Expires: Sat, 01 Jan 2000 00:00:00 GMT
< Location: http://developers.facebook.com/docs/api
< Pragma: no-cache
< X-FB-Rev: 575092
< Content-Type: text/html; charset=utf-8
< X-FB-Debug: sYq1u5Ffp1JE7p5IafErxiU6MNT6i1fXCEkn51nFxr8=
< Date: Mon, 18 Jun 2012 10:49:17 GMT
< Connection: keep-alive
< Content-Length: 0
< 
* Connection #0 to host graph.facebook.com left intact
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
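As an added example that is not part of the original answer or of HAProxy's code: the following Python script reproduces what an SSL hello health check does at the wire level, so you can run the same probe by hand against a real host and see whether it answers with a ServerHello or an alert. It builds a minimal ClientHello record (the protocol version is a parameter, so both an SSLv3-style hello and a TLS 1.0 hello can be tried), sends it, reads the first record back and classifies it. The cipher suite list and the hypothetical `probe()` helper are my choices for illustration; the record layout follows RFC 5246. Note that the probe, like the health check, closes the connection right after the ServerHello without ever sending an HTTP request, so whatever Apache records for such a connection will show up at the check interval from the load balancer's address; that pattern is how to separate check noise from real client errors in the log.

```python
import os
import socket
import struct
import sys

# TLS record content types and handshake message types (RFC 5246).
CT_ALERT = 0x15
CT_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 1
HS_SERVER_HELLO = 2


def build_client_hello(version=(3, 1), cipher_suites=(0x002F, 0x0035, 0x000A)):
    """Build a minimal ClientHello record of the kind an SSL hello check sends.

    version is the (major, minor) protocol version: (3, 0) is SSLv3, (3, 1) is
    TLS 1.0. cipher_suites is an illustrative list (AES128-SHA, AES256-SHA,
    DES-CBC3-SHA). Returns the full record: 5-byte header + handshake message.
    """
    client_random = struct.pack("!I", 0) + os.urandom(28)  # gmt_unix_time + 28 random bytes
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        bytes(version)                                    # client_version
        + client_random
        + b"\x00"                                         # session_id length 0
        + struct.pack("!H", len(suites)) + suites         # cipher_suites
        + b"\x01\x00"                                     # compression: null only
    )
    # Handshake header: 1-byte type + 3-byte length.
    handshake = bytes([HS_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return bytes([CT_HANDSHAKE]) + bytes(version) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first TLS record a server returned for our ClientHello.

    Returns ("server_hello", (major, minor)) when the server accepted the hello,
    ("alert", (level, description)) when it refused (e.g. (2, 40) is a fatal
    handshake_failure), ("truncated", None) for less than a record header, and
    ("other", content_type) for anything else.
    """
    if len(data) < 5:
        return ("truncated", None)
    content_type, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if content_type == CT_HANDSHAKE and len(payload) >= 6 and payload[0] == HS_SERVER_HELLO:
        # server_version sits right after the 4-byte handshake header.
        return ("server_hello", (payload[4], payload[5]))
    if content_type == CT_ALERT and len(payload) >= 2:
        return ("alert", (payload[0], payload[1]))
    return ("other", content_type)


def probe(host, port=443, version=(3, 1), timeout=5.0):
    """Hypothetical helper: send one ClientHello and classify the reply.

    Like the load balancer's check, the connection is closed right after the
    first reply record; no HTTP request is ever sent.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version))
        reply = sock.recv(4096)
    return classify_response(reply)


if __name__ == "__main__":
    # Usage: python probe.py real-https-apache.example 443
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print("TLS 1.0 hello:", probe(target, target_port, (3, 1)))
    print("SSLv3 hello:  ", probe(target, target_port, (3, 0)))
```

Running the script against a real host a few times while tailing that host's SSL error and access logs shows exactly which log entry one hello-and-close connection produces; if the SSLv3 probe comes back as an alert while the TLS 1.0 probe returns a ServerHello, the server simply does not accept the version the check speaks, and the health check will keep failing regardless of what the log says.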