
Sysadmin HAProxy with proxy_protocol causes SSL handshake failure?

Discussion in 'System Administration' started by Chuong Luong, Jul 26, 2021.

  1. Chuong Luong

    Chuong Luong Member

    Hi,

    I have 2 VPS:

    VPS 1: has 4 sites (behind Cloudflare)
    VPS 2: only HAProxy installed

    I want to set up a reverse proxy with SSL passthrough with HAProxy, so it will become like this:

    Client => Cloudflare => VPS 2 (proxy) => VPS 1 (4 sites)

    So, VPS 2 has HAProxy installed and configured as below:

    Code:
    global
       log /dev/log local0
       log /dev/log local1 notice
       chroot /var/lib/haproxy
       stats timeout 30s
       user haproxy
       group haproxy
       daemon
    
    defaults
       log global
       mode tcp
       option tcplog
       option dontlognull
       timeout connect 5000
       timeout client 50000
       timeout server 50000
    
    frontend http_front
       bind *:80
       bind *:443
       tcp-request inspect-delay 5s
       tcp-request content accept if { req.ssl_hello_type 1 }
       use_backend domain1 if { req_ssl_sni -i domain1 }
       use_backend domain2 if { req_ssl_sni -i domain2 }
    
    frontend port80-redirect
       mode http
       bind 10.18.14.33:80
       redirect scheme https
    
    backend domain1
       balance roundrobin
       option ssl-hello-chk
       server domain1 111.111.111.111:443 check send-proxy-v2
    
    backend domain2
       balance roundrobin
       option ssl-hello-chk
       server domain2 111.111.111.111:443 check send-proxy-v2

    And on VPS 1 (using Centmin Mod) with 4 domains, in the config for domains 1 & 2 I put "proxy_protocol" on this line in the file /usr/local/nginx/conf/conf.d/domain1(or2).ssl.conf:

    Code:
    server {
      listen 443 ssl http2 proxy_protocol;
      server_name domain1(or2) www.domain1(or2);
    
    ...
    }

    Suddenly, all my sites on the same server have SSL handshake errors. After searching around, I also tried putting

    Code:
    proxy_protocol on;
    or

    Code:
    proxy_ssl_server_name on;
    in

    Code:
    /usr/local/nginx/conf/nginx.conf
    /usr/local/nginx/conf/conf.d/domain1(or2).ssl.conf
    
    But I always get a syntax error, or it does not solve the SSL handshake error.

    How can I make this work? Thank you.
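The PROXY protocol exchange in the setup above, as an added example that is not part of the thread: `send-proxy-v2` on the HAProxy `server` line prepends a binary PROXY v2 header to each connection HAProxy opens to VPS 1, and `listen 443 ssl http2 proxy_protocol` tells nginx to read that header before the first TLS byte. In nginx the `proxy_protocol` listen parameter applies to every connection accepted on that port, not only to the one `server` block it appears in. The code below builds the header as an emitter would, parses it as a listener would, and runs the four emitter/listener combinations. The addresses, the ClientHello bytes and the simplified listener model are constructed for this example and are not HAProxy or nginx code.

```python
"""PROXY protocol v2 round-trip: what `send-proxy-v2` emits and what a
`proxy_protocol` listener expects before the first TLS byte.
Added illustration with simplified stand-ins for the emitter and listener;
all addresses and byte strings are constructed samples."""
import socket
import struct
from dataclasses import dataclass

# Fixed 12-byte signature that opens every PROXY protocol v2 header.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_VERSION = 0x2
PP2_CMD_LOCAL, PP2_CMD_PROXY = 0x0, 0x1
PP2_FAM_INET_STREAM = 0x11   # AF_INET (0x1) << 4 | STREAM (0x1): TCP over IPv4
TLS_RECORD_HANDSHAKE = 0x16  # first byte of a TLS handshake record (ClientHello)


@dataclass
class ProxyInfo:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def build_proxy_v2_header(src_ip, src_port, dst_ip, dst_port):
    """Emitter side: the header a `server ... send-proxy-v2` line prepends."""
    addrs = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
             + struct.pack("!HH", src_port, dst_port))
    ver_cmd = (PP2_VERSION << 4) | PP2_CMD_PROXY
    return (PP2_SIGNATURE + bytes([ver_cmd, PP2_FAM_INET_STREAM])
            + struct.pack("!H", len(addrs)) + addrs)


def parse_proxy_v2_header(data):
    """Listener side: returns (ProxyInfo, or None for a LOCAL command, remaining bytes).
    Raises ValueError when the bytes are not a PROXY v2 header."""
    if len(data) < 16:
        raise ValueError("short read: a v2 header needs at least 16 bytes")
    if data[:12] != PP2_SIGNATURE:
        hint = " (looks like a TLS record)" if data[0] == TLS_RECORD_HANDSHAKE else ""
        raise ValueError(f"broken header: {data[:4]!r} is not the PROXY v2 signature{hint}")
    ver_cmd, fam_proto = data[12], data[13]
    if ver_cmd >> 4 != PP2_VERSION:
        raise ValueError(f"unsupported PROXY version {ver_cmd >> 4}")
    (length,) = struct.unpack("!H", data[14:16])
    body, rest = data[16:16 + length], data[16 + length:]
    if len(body) < length:
        raise ValueError("short read: length field exceeds available data")
    if (ver_cmd & 0x0F) == PP2_CMD_LOCAL:
        return None, rest  # LOCAL: the proxy's own connection (e.g. a health check), no client address
    if fam_proto != PP2_FAM_INET_STREAM:
        raise ValueError("this example only decodes TCP over IPv4 addresses")
    src, dst, sport, dport = struct.unpack("!4s4sHH", body[:12])
    return ProxyInfo(socket.inet_ntoa(src), sport, socket.inet_ntoa(dst), dport), rest


def listener_accept(first_bytes, expects_proxy):
    """Model of a TLS listener's first read. With expects_proxy=True it behaves like
    `listen 443 ssl proxy_protocol`: the PROXY header must precede the ClientHello."""
    if expects_proxy:
        info, tls_bytes = parse_proxy_v2_header(first_bytes)
    else:
        info, tls_bytes = None, first_bytes
    if not tls_bytes or tls_bytes[0] != TLS_RECORD_HANDSHAKE:
        raise ValueError(f"SSL handshake failed: expected a TLS record, got {tls_bytes[:4]!r}")
    return info, tls_bytes


# Constructed sample: record header, handshake type and version of a ClientHello,
# followed by a placeholder client random.
CLIENT_HELLO_PREFIX = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x11" * 32


def scenarios():
    """Outcome of each emitter (with/without send-proxy-v2) and listener
    (with/without proxy_protocol) combination."""
    pp = build_proxy_v2_header("203.0.113.10", 51234, "192.0.2.1", 443)
    cases = [
        ("proxy+pp_listener", pp + CLIENT_HELLO_PREFIX, True),
        ("direct+pp_listener", CLIENT_HELLO_PREFIX, True),
        ("proxy+plain_listener", pp + CLIENT_HELLO_PREFIX, False),
        ("direct+plain_listener", CLIENT_HELLO_PREFIX, False),
    ]
    results = {}
    for label, stream, expects in cases:
        try:
            info, _ = listener_accept(stream, expects)
            results[label] = ("ok", info.src_ip if info else None)
        except ValueError as err:
            results[label] = ("fail", str(err))
    return results


if __name__ == "__main__":
    for label, outcome in scenarios().items():
        print(f"{label:24} {outcome}")
```

Only the first combination delivers both the original client address and a readable ClientHello. A listener that expects PROXY protocol but receives a bare ClientHello rejects the connection before TLS even starts, and a listener that does not expect it hands the PROXY bytes to its TLS stack, which fails the handshake. Comparing what actually reaches a listener's first read against what that listen socket is configured to expect is the check to make when every site behind one port starts failing at once.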
     
  2. eva2000

    eva2000 Administrator Staff Member

    What is the exact SSL handshake error you are getting?

    Centmin Mod is provided as is, so short of script-related bugs or issues, any further optimisation of the web stack components - nginx, php-fpm, mariadb mysql, csf firewall etc - or web app specific configurations is left to the Centmin Mod user to deal with. So I do not provide any free support for such.

    However, Centmin Mod users are free to help each other out and ask questions or give answers on this community forum. My hopes are that this community forum evolves so that more veteran long time Centmin Mod users help new Centmin Mod users out :)

    With that said, your best bet is probably to ask on the HAProxy community forums at HAProxy community