Ssl – Unable to configure haproxy with ssl

haproxy, load balancing, ssl

I want to make my server SSL protected. It has two parts, one for the website and another for the application.

To balance them we have used haproxy. Now we want to secure this haproxy. I have installed the certificates and key files.

While configuring haproxy.cfg as follows:

frontend https
bind    *:443 ssl crt /etc/ssl/ssl.key/myserver.key /etc/ssl/certs/www_appointpress_com.ca-bundle /etc/ssl/certs/somefile.crt
acl hari path_beg /customers
acl css path_beg /assets
reqadd X-Forwarded-Proto:\ https
default_backend appointpress_site

while restarting haproxy I am getting an error like:

bind only supports transparent ...... options.

How can I resolve this error?
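Two things are worth checking here. The message "bind only supports ... options" is what HAProxy prints when the bind keywords ssl and crt are not known to the binary, which is the case for a build without OpenSSL support (the haproxy -vv output quoted in the answer below shows the lines that must be present). Separately, crt takes a single PEM file that holds the certificate, its chain and the private key together, not three separate paths as in the posted bind line. The following Python is added here and is not part of the original question or answer: it checks a haproxy -vv transcript for OpenSSL support and assembles and validates a crt bundle. The -vv text and the PEM blocks are constructed samples, not output from the poster's server and not real certificates or keys.

```python
import re

# Constructed `haproxy -vv` excerpts (not output from the poster's server).
VV_NO_SSL = """HA-Proxy version 1.4.24 2013/06/17
Build options :
  TARGET  = linux2628
  OPTIONS = USE_PCRE=1 USE_STATIC_PCRE=1
"""
VV_WITH_SSL = """HA-Proxy version 1.5-dev17 2012/12/28
Build options :
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1 USE_STATIC_PCRE=1
Built with OpenSSL version : OpenSSL 1.0.1 14 Mar 2012
OpenSSL library supports SNI : yes
"""

# Constructed PEM blocks with placeholder bodies; they are not real
# certificates or keys and only exercise the bundle checks below.
SAMPLE_CERT = ("-----BEGIN CERTIFICATE-----\n"
               "Q09OU1RSVUNURUQtTEVBRg==\n"
               "-----END CERTIFICATE-----\n")
SAMPLE_CHAIN = ("-----BEGIN CERTIFICATE-----\n"
                "Q09OU1RSVUNURUQtSU5URVI=\n"
                "-----END CERTIFICATE-----\n")
SAMPLE_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
              "Q09OU1RSVUNURUQtS0VZ\n"
              "-----END RSA PRIVATE KEY-----\n")


def build_has_ssl(vv_output: str) -> bool:
    """True when the binary was built with OpenSSL. Without it the `ssl` and
    `crt` bind keywords do not exist and HAProxy rejects the bind line with
    the "bind only supports ... options" message from the question."""
    return "USE_OPENSSL=1" in vv_output or "Built with OpenSSL version" in vv_output


_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----", re.S)


def pem_labels(pem_text: str) -> list:
    """Labels of the PEM blocks in order of appearance, e.g.
    ['CERTIFICATE', 'CERTIFICATE', 'RSA PRIVATE KEY']."""
    return [m.group(1) for m in _PEM_BLOCK.finditer(pem_text)]


def build_crt_bundle(cert_pem: str, chain_pem: str, key_pem: str) -> str:
    """Concatenate into the single file `crt` expects. Among the certificates
    the server (leaf) certificate must come first, then the intermediate(s);
    the key is conventionally placed last."""
    return "".join(p.strip() + "\n" for p in (cert_pem, chain_pem, key_pem) if p.strip())


def validate_crt_bundle(pem_text: str) -> list:
    """Problems that make a file unusable as a `crt` argument (empty list
    means it looks fine). These are the two failure modes of the question's
    bind line: the key file alone has no certificate, and the .ca-bundle or
    .crt alone has no private key. Leaf-first ordering among certificates is
    not checked here; that needs X.509 parsing."""
    labels = pem_labels(pem_text)
    problems = []
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block found")
    n_keys = sum(1 for label in labels if label.endswith("PRIVATE KEY"))
    if n_keys != 1:
        problems.append("expected exactly one PRIVATE KEY block, found %d" % n_keys)
    return problems


if __name__ == "__main__":
    print("SSL build:", build_has_ssl(VV_WITH_SSL), "/", build_has_ssl(VV_NO_SSL))
    bundle = build_crt_bundle(SAMPLE_CERT, SAMPLE_CHAIN, SAMPLE_KEY)
    print(pem_labels(bundle), validate_crt_bundle(bundle))
    print("key file alone:", validate_crt_bundle(SAMPLE_KEY))
```

Once the bundle validates, write it to a root-only file (mode 0600, since it contains the private key) and point the bind line at that one path, for example bind *:443 ssl crt /etc/haproxy/myserver.pem (the path is an assumption, not from the question). If build_has_ssl is false for your binary, no bind option will help: the fix is a 1.5 or later HAProxy built with USE_OPENSSL=1.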

Best Answer

Try this, at least in this version (my own build):

root@server5:~# haproxy -vv

HA-Proxy version 1.5-dev17 2012/12/28
Copyright 2000-2012 Willy Tarreau <w@1wt.eu>

Build options :
  TARGET  = linux2628
  CPU     = native
  CC      = gcc
  CFLAGS  = -O2 -march=native -g -fno-strict-aliasing
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1 USE_STATIC_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.3.4
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1 14 Mar 2012
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Then try a configuration of this kind in haproxy:

listen ssl_relay 192.168.128.101:443
    # this only works with 1.5 haproxy, it accepts multiple SSL and sends it
    # off to the correct backend which does the SSL termination.
    mode tcp
    balance roundrobin
    option tcplog
    option socket-stats
    # option ssl-hello-chk  -> This is not needed anymore, in fact,
    # it needs to be off

    # maximum SSL session ID length is 32 bytes.
    stick-table type binary len 32 size 30k expire 30m

    # make sure we cover type 1 (fallback), although chances are it will
    # not route correctly, it will terminate on ssl
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2

    # use tcp content accepts to detects ssl client and server hello.
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello

    # no timeout on response inspect delay by default.
    tcp-response content accept if serverhello

    # SSL session ID (SSLID) may be present on a client or server hello.
    # Its length is coded on 1 byte at offset 43 and its value starts
    # at offset 44.

    # Match and learn on request if client hello.
    stick on payload_lv(43,1) if clienthello

    # Learn on response if server hello.
    stick store-response payload_lv(43,1) if serverhello

    # intercept incoming TLS requests based on the SNI field
    use-server xtp2_83 if { req_ssl_sni -i proudsslsite.com }
    use-server xtp2_83 if { req_ssl_sni -i www.proudsslsite.com }

    use-server xtp2_84 if { req_ssl_sni -i myothersecuremasterpiece.net }
    use-server xtp2_84 if { req_ssl_sni -i www.myothersecuremasterpiece.net } 

    server xtp2_83 192.168.128.1:483 weight 0
    server xtp2_84 192.168.128.2:484 weight 0

    # all the rest is forwarded to this server
    server xtp_default 192.168.128.3:443 check inter 10000 rise 2 fall 2

You just need to terminate the SSL on your web servers inside, so the traffic is encrypted all the way. This works for me.
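To make concrete what the answer's ACLs and stick rules inspect, here is a Python parser, added here and not part of the answer, that reads a TLS ClientHello the same way HAProxy's fetches do in mode tcp: the handshake type at offset 5 (req_ssl_hello_type 1), the session ID length byte at offset 43 with the value from offset 44 (payload_lv(43,1)), and the server_name extension (req_ssl_sni). The ClientHello is built inside the block as a constructed message, not a capture from the poster's setup; the hostname-to-server table mirrors the answer's use-server lines, and the server names are taken from the answer rather than from any real deployment.

```python
import struct

# Mirrors the answer's use-server rules; anything else goes to xtp_default.
ROUTES = {
    "proudsslsite.com": "xtp2_83",
    "www.proudsslsite.com": "xtp2_83",
    "myothersecuremasterpiece.net": "xtp2_84",
    "www.myothersecuremasterpiece.net": "xtp2_84",
}


def build_client_hello(server_name: str, session_id: bytes = b"") -> bytes:
    """Constructed TLS 1.2 ClientHello record carrying a server_name
    extension. The random is all zeros and only one cipher suite is listed;
    it is enough to exercise the parser, not a real client's hello."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name     # host_name type 0
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    cipher_suites = b"\x00\x02" + b"\xc0\x2f"                      # one suite, 2 bytes
    compression = b"\x01\x00"                                      # null only
    body = (b"\x03\x03" + bytes(32)                                # version + random
            + bytes([len(session_id)]) + session_id
            + cipher_suites + compression + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Extract what the answer's config keys on. Offsets: 5-byte record
    header + 4-byte handshake header + 2-byte version + 32-byte random puts
    the session ID length at byte 43, exactly as payload_lv(43,1) assumes."""
    if len(record) < 44 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hello_type = record[5]                       # req_ssl_hello_type
    if hello_type != 1:
        raise ValueError("not a ClientHello")
    sid_len = record[43]                         # payload_lv(43,1): length byte
    session_id = record[44:44 + sid_len]         # value starts at 44
    pos = 44 + sid_len
    cs_len = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2 + cs_len
    comp_len = record[pos]
    pos += 1 + comp_len
    sni = None
    if pos + 2 <= len(record):                   # extensions are optional
        ext_len = struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            pos += 4
            if etype == 0:                       # server_name (req_ssl_sni)
                # 2-byte list length, 1-byte name type, 2-byte name length, name
                name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
                sni = record[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    return {"hello_type": hello_type, "session_id": session_id, "sni": sni}


def pick_server(record: bytes) -> str:
    """Case-insensitive match like `req_ssl_sni -i`, default server otherwise."""
    hello = parse_client_hello(record)
    return ROUTES.get((hello["sni"] or "").lower(), "xtp_default")


if __name__ == "__main__":
    rec = build_client_hello("www.proudsslsite.com", session_id=bytes(range(32)))
    print(parse_client_hello(rec)["sni"], "->", pick_server(rec))
```

Two caveats follow from the parse. A client that sends no SNI (the "type 1 fallback" the answer's comment mentions) yields sni None and lands on xtp_default, where the certificate presented may not match the name the client wanted. And the session-ID stickiness only helps when clients actually reuse session IDs: with TLS 1.2 session tickets, and with TLS 1.3 where the field is a compatibility value, the value at offset 43 changes per connection, so in practice the SNI rules do the routing and the stick-table rarely hits.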