
Sysadmin HAProxy with proxy_protocol causes SSL handshake failures?

Discussion in 'System Administration' started by Chuong Luong, Jul 26, 2021.

  1. Chuong Luong

    Chuong Luong Member

    Aug 8, 2019
    Hi,

    I have 2 VPS:

    VPS 1: has 4 sites (behind Cloudflare)
    VPS 2: only has HAProxy installed

    I want to set up a reverse proxy with SSL passthrough using HAProxy, so it will look like this:

    Client => Cloudflare => VPS 2 (proxy) => VPS 1 (4 sites)

    So, VPS 2 has HAProxy installed and is configured as below:

    Code:
    global
       log /dev/log local0
       log /dev/log local1 notice
       chroot /var/lib/haproxy
       stats timeout 30s
       user haproxy
       group haproxy
       daemon
    
    defaults
       log global
       mode tcp
       option tcplog
       option dontlognull
       timeout connect 5000
       timeout client 50000
       timeout server 50000
    
    frontend http_front
       bind *:80
       bind *:443
       tcp-request inspect-delay 5s
       tcp-request content accept if { req.ssl_hello_type 1 }
       use_backend domain1 if { req_ssl_sni -i domain1 }
       use_backend domain2 if { req_ssl_sni -i domain2 }
    
    frontend port80-redirect
       mode http
       bind 10.18.14.33:80
       redirect scheme https
    
    backend domain1
       balance roundrobin
       option ssl-hello-chk
       server domain1 111.111.111.111:443 check send-proxy-v2
    
    backend domain2
       balance roundrobin
       option ssl-hello-chk
       server domain2 111.111.111.111:443 check send-proxy-v2
    And VPS 1 (running Centmin Mod) has the 4 domains. Config for domains 1 & 2: I put "proxy_protocol" on this line in the file /usr/local/nginx/conf/conf.d/domain1(or2).ssl.conf

    Code:
    server {
      listen 443 ssl http2 proxy_protocol;
      server_name domain1(or2) www.domain1(or2);
    
    ...
    }
    Suddenly, all my sites on the same server have SSL handshake errors. After searching around, I also tried putting

    Code:
    proxy_protocol on;
    or

    Code:
    proxy_ssl_server_name on;
    in

    Code:
    /usr/local/nginx/conf/nginx.conf
    /usr/local/nginx/conf/conf.d/domain1(or2).ssl.conf
    
    But I always get a syntax error, or it does not solve the SSL handshake error.


    How can I make this work? Thank you.
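    To make the SNI routing in the HAProxy frontend above concrete, here is an added example in Python (it is not code from this thread, from HAProxy or from Centmin Mod). It builds a minimal TLS ClientHello with a server_name extension and then parses it the way the tcp-mode ACLs do: "req.ssl_hello_type 1" checks that the first record is a ClientHello, and "req_ssl_sni -i host" compares the host from that extension case-insensitively. The BACKENDS mapping, the host names and the all-zero random are constructed for the example.

```python
import struct

# Constructed mapping that mirrors the use_backend rules in the HAProxy config above.
BACKENDS = {"domain1.com": "domain1_com", "domain2.net": "domain2_net"}


def build_client_hello(sni):
    """Build one TLS record carrying a minimal ClientHello with a server_name (SNI) extension."""
    host = sni.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list    # extension type 0 = server_name
    exts = struct.pack("!H", len(ext)) + ext
    body = (
        b"\x03\x03"             # client_version: TLS 1.2
        + b"\x00" * 32          # random (all zero, constructed for the example)
        + b"\x00"               # session_id length 0
        + b"\x00\x02\x13\x01"   # cipher_suites: one suite
        + b"\x01\x00"           # compression_methods: null only
        + exts
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(data):
    """Return the SNI host if the bytes start with a ClientHello carrying one, else None.

    This is what req.ssl_hello_type 1 (record is a ClientHello) and req_ssl_sni
    (host from the server_name extension) expose to HAProxy ACLs in tcp mode."""
    if len(data) < 6 or data[0] != 0x16:            # 0x16 = TLS handshake record
        return None
    try:
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:            # 0x01 = ClientHello
            return None
        pos = 4 + 2 + 32                             # skip handshake header, version, random
        pos += 1 + hs[pos]                           # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                           # compression_methods
        if pos + 2 > len(hs):
            return None                              # ClientHello without extensions: no SNI
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0x0000:
                # skip list length (2 bytes) and name_type (1 byte), then read the name length
                name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                return hs[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
    except (IndexError, struct.error):
        return None                                  # truncated or malformed record
    return None


def choose_backend(data):
    """Mimic 'use_backend X if { req_ssl_sni -i host }': case-insensitive exact match, else None
    (HAProxy would then fall through to a default_backend, which this config does not define)."""
    sni = parse_sni(data)
    return None if sni is None else BACKENDS.get(sni.lower())


if __name__ == "__main__":
    for host in ("domain1.com", "DOMAIN2.NET", "other.example"):
        print(host, "->", choose_backend(build_client_hello(host)))
```

    A plain HTTP request arriving on the tcp-mode *:80 bind yields no SNI, so neither use_backend rule matches it; the same is true of a TLS client that sends no server_name, which is worth keeping in mind when a passthrough setup routes only on SNI.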
     
  2. eva2000

    eva2000 Administrator Staff Member

    May 24, 2014
    Brisbane, Australia
    Nginx 1.21.x
    MariaDB 10.x
    What is the exact SSL handshake error you are getting?

    Centmin Mod is provided as is, so short of script-related bugs or issues, any further optimisation of the web stack components - nginx, php-fpm, mariadb mysql, csf firewall etc. - or web app specific configurations is left to the Centmin Mod user to deal with. So I do not provide any free support for such.

    However, Centmin Mod users are free to help each other out and ask questions or give answers on this community forum. My hope is that this community forum evolves so that more veteran long-time Centmin Mod users help new Centmin Mod users out :)

    With that said, your best bet is probably to ask on the HAProxy community forums at HAProxy community
     
  3. pthalmann

    pthalmann New Member

    Jan 17, 2019
    Italy
    I am having similar issues; are there any updates to this thread?
     
  4. eva2000

    eva2000 Administrator Staff Member

  5. Chuong Luong

    Chuong Luong Member

    I am using this exact config:

    Code:
    frontend http_front
       bind *:80
       bind *:443
       tcp-request inspect-delay 5s
       tcp-request content accept if { req.ssl_hello_type 1 }
       use_backend domain1_com if { req_ssl_sni -i domain1.com }
       use_backend domain2_net if { req_ssl_sni -i domain2.net }
    
    frontend port80-redirect
       mode http
       bind 10.18.14.33:80
       redirect scheme https
    
    backend domain1_com
       balance roundrobin
       option ssl-hello-chk
       server domain1 111.111.111.111:443 send-proxy-v2 check
    
    backend domain2_net
       balance roundrobin
       option ssl-hello-chk
       server domain2 111.111.111.111:443 send-proxy-v2 check
    and "proxy_protocol;" MUST BE PUT IN BOTH VHOSTS:

    Code:
    DOMAIN 1 VHOST
    server {
      listen 443 ssl http2 proxy_protocol;
      server_name domain1.com www.domain1.com;
    
    ...
    }
    
    DOMAIN 2 VHOST
    server {
      listen 443 ssl http2 proxy_protocol;
      server_name domain2.net www.domain2.net;
    
    ...
    }
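    As an added example for the PROXY protocol side of this thread (not code from the thread, from HAProxy or from nginx), the Python below builds the v2 header that send-proxy-v2 prepends to every forwarded connection and parses it the way a "listen 443 ssl http2 proxy_protocol" socket must before the TLS handshake can start. It also models why every site on the same server broke at once: proxy_protocol is a property of the shared 443 listen socket, not of one server block, so a connection that arrives without the header (a client connecting directly instead of through HAProxy) never reaches the TLS handshake, and the client sees a handshake failure. The addresses, the TRUSTED_PROXIES set and the sample TLS bytes are constructed for the example; the trust check stands in for nginx's set_real_ip_from and real_ip_header proxy_protocol, which decide whether the client address carried in the header is believed.

```python
import ipaddress
import struct

# 12-byte signature that starts every PROXY protocol v2 header.
PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"

# Constructed for this example: the HAProxy VPS address as seen by nginx.
TRUSTED_PROXIES = {"192.0.2.2"}


def build_proxy_v2(src_ip, src_port, dst_ip, dst_port):
    """Build the v2 header HAProxy's send-proxy-v2 prepends to a forwarded IPv4/TCP connection."""
    addrs = (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
             + struct.pack("!HH", src_port, dst_port))
    # 0x21: version 2 (high nibble), command PROXY (low nibble)
    # 0x11: address family AF_INET (high nibble), transport STREAM/TCP (low nibble)
    return PP2_SIGNATURE + bytes([0x21, 0x11]) + struct.pack("!H", len(addrs)) + addrs


def classify_first_bytes(data):
    """What a 'listen ... proxy_protocol' socket sees as the first bytes of a connection."""
    if data.startswith(PP2_SIGNATURE):
        return "proxy-v2"
    if data.startswith(b"PROXY "):
        return "proxy-v1"
    if data[:1] == b"\x16":
        return "raw-tls"        # a TLS handshake record with no PROXY header in front of it
    return "unknown"


def parse_proxy_v2(data):
    """Return (src_ip, src_port, dst_ip, dst_port, remaining_bytes); raise ValueError on a bad header."""
    if not data.startswith(PP2_SIGNATURE) or len(data) < 16:
        raise ValueError("broken header: no PROXY v2 signature")
    ver_cmd, fam_proto, alen = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if fam_proto != 0x11 or alen < 12 or len(data) < 16 + alen:
        raise ValueError("this example only handles complete AF_INET/TCP headers")
    src = str(ipaddress.IPv4Address(data[16:20]))
    dst = str(ipaddress.IPv4Address(data[20:24]))
    sport, dport = struct.unpack("!HH", data[24:28])
    return src, sport, dst, dport, data[16 + alen:]


def accept_connection(data, peer_ip, socket_expects_proxy):
    """Model nginx's shared 443 listen socket. proxy_protocol is a per-socket setting, so every
    server block bound to that port gets the same behaviour. Returns (client_ip, tls_bytes), or
    None when the stream never reaches the TLS handshake and the client sees a handshake error."""
    kind = classify_first_bytes(data)
    if socket_expects_proxy:
        if kind != "proxy-v2":
            # e.g. a client connecting directly rather than via HAProxy: nginx logs 'broken header'
            # and closes (nginx also accepts v1 headers; this example models v2 only)
            return None
        src, _sport, _dst, _dport, rest = parse_proxy_v2(data)
        # Only believe the header's client address when the peer is a proxy we trust
        # (set_real_ip_from + real_ip_header proxy_protocol); anyone else could forge it.
        return (src if peer_ip in TRUSTED_PROXIES else peer_ip), rest
    if kind in ("proxy-v2", "proxy-v1"):
        return None         # header bytes would be handed to the TLS stack as a record: handshake fails
    return peer_ip, data


if __name__ == "__main__":
    tls = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"   # constructed stand-in for a ClientHello record
    hdr = build_proxy_v2("203.0.113.10", 51234, "111.111.111.111", 443)
    print("via HAProxy, proxy_protocol on :", accept_connection(hdr + tls, "192.0.2.2", True))
    print("direct client, proxy_protocol on:", accept_connection(tls, "198.51.100.7", True))
```

    Two practical consequences follow from the socket-wide setting. First, once any vhost on 443 carries proxy_protocol, every connection to that port needs the header, so sites that are still reached directly (Cloudflare to VPS 1 without passing through HAProxy) will fail their handshakes until they also go through HAProxy or move to a separate listen address. Second, because the header is just bytes any peer can send, the port should only be reachable from the HAProxy host and the header's address should only be trusted from that host.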