/ Register

Learn about Centmin Mod LEMP Stack today
Become a Member

Sysadmin HAproxy with proxy_protocol cause SSL handshaked failed?

Discussion in 'System Administration' started by Chuong Luong, Jul 26, 2021.

Previous Thread Next Thread
Loading...
  1. Jul 26, 2021 #1
    Chuong Luong

    Chuong Luong Member

    39
    1
    8
    Aug 8, 2019
    Ratings:
    +5
    Local Time:
    5:55 PM
    Hi,

    I have 2 VPS:

    VPS 1: have 4 sites (behind cloudflare)
    VPS 2: only installed haproxy

    I want to set up a reverse proxy with SSL-passthrough with haproxy, so it will become like this:

    Client => Cloudflare => VPS 2 (proxy) => VPS 1 (4 sites)

    So, VPS 2 with haproxy installed and config as below:

    Code:
    global
   log /dev/log local0
   log /dev/log local1 notice
   chroot /var/lib/haproxy
   stats timeout 30s
   user haproxy
   group haproxy
   daemon

defaults
   log global
   mode tcp
   option tcplog
   option dontlognull
   timeout connect 5000
   timeout client 50000
   timeout server 50000

frontend http_front
   bind *:80
   bind *:443
   tcp-request inspect-delay 5s
   tcp-request content accept if { req.ssl_hello_type 1 }
   use_backend domain1 if { req_ssl_sni -i domain1 }
   use_backend domain2 if { req_ssl_sni -i domain2 }

frontend port80-redirect
   mode http
   bind 10.18.14.33:80
   redirect scheme https

backend domain1
   balance roundrobin
   option ssl-hello-chk
   server domain1 111.111.111.111:443 check send-proxy-v2

backend domain2
   balance roundrobin
   option ssl-hello-chk
   server domain2 111.111.111.111:443 check send-proxy-v2
    And, VPS 1 (used centminmod) with 4 domains, config for Domain 1 & 2: I put "proxy_protocol" in this line in this file /usr/local/nginx/conf/conf.d/domain1(or2).ssl.conf

    Code:
    server {
  listen 443 ssl http2 proxy_protocol;
  server_name domain1(or2) www.domain1(or2);

...
}
    Suddenly, all my sites on the same server have SSL handshakes error. After searching around, I also tried putting

    Code:
    proxy_protocol on;
    or

    Code:
    proxy_ssl_server_name on;
    in

    Code:
    /usr/local/nginx/conf/nginx.conf
/usr/local/nginx/conf/conf.d/domain1(or2).ssl.conf
    But, I always have syntax error, or it did not solve the SSL handshake error.

    How can I make this work? Thank you.
     
  2. Jul 26, 2021 #2
    eva2000

    eva2000 Administrator Staff Member

    47,853
    10,920
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,961
    Local Time:
    8:55 PM
    Nginx 1.21.x
    MariaDB 10.x
    What is the exact ssl handshake error you are getting ?

    Centmin Mod is provide as is, so short of scripted related bugs or issues, any further optimisation to the web stack components - nginx, php-fpm, mariadb mysql, csf firewall etc or web app specific configurations are left to the Centmin Mod user to deal with. So I do not provide any free support for such.

    However, Centmin Mod users are free to help each other out and ask questions or give answers on this community forum. My hopes are that this community forum evolves so that more veteran long time Centmin Mod users help new Centmin Mod users out :)

    With that said, probably best bet is to ask on Haproxy community forums at HAProxy community
     
  3. Jan 2, 2022 #3
    pthalmann

    pthalmann New Member

    2
    0
    1
    Jan 17, 2019
    Italy
    Ratings:
    +0
    Local Time:
    11:55 AM
    I am having similar issues, are there any Updates top this tread?
     
  4. Jan 2, 2022 #4
    eva2000

    eva2000 Administrator Staff Member

    47,853
    10,920
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +16,961
    Local Time:
    8:55 PM
    Nginx 1.21.x
    MariaDB 10.x
  5. Jan 3, 2022 #5
    Chuong Luong

    Chuong Luong Member

    39
    1
    8
    Aug 8, 2019
    Ratings:
    +5
    Local Time:
    5:55 PM
    I am using this exact config

    Code:
    frontend http_front
   bind *:80
   bind *:443
   tcp-request inspect-delay 5s
   tcp-request content accept if { req.ssl_hello_type 1 }
   use_backend domain1_com if { req_ssl_sni -i domain1.com }
   use_backend domain2_net if { req_ssl_sni -i domain2.net }

frontend port80-redirect
   mode http
   bind 10.18.14.33:80
   redirect scheme https

backend domain1_com
   balance roundrobin
   option ssl-hello-chk
   server domain1 111.111.111.111:443 send-proxy-v2 check

backend domain2_net
   balance roundrobin
   option ssl-hello-chk
   server domain2 111.111.111.111:443 send-proxy-v2 check
    with "proxy_protocol;" MUST BE PUT IN BOTH VHOSTS

    Code:
    DOMAIN 1 VHOST
server {
  listen 443 ssl http2 proxy_protocol;
  server_name domain1.com www.domain1.com;

...
}

DOMAIN 2 VHOST
server {
  listen 443 ssl http2 proxy_protocol;
  server_name domain2.net www.domain2.net;

...
}
     
Previous Thread Next Thread
Loading...

.