Home / server / Questions / 276862
Accepted
robbyt
Asked: 2011-06-04 13:25:03 +0800 CST

haproxy SSL "fail whale" maintenance page

  • 772

We're using haproxy's custom error page feature to show a "fail whale" maintenance page while we're doing deployments to our site.

However, since haproxy cannot show SSL'd users the custom error page, how can I redirect users to a non-SSL'd connection, to show the "fail whale" if there are no backends available?

ssl redirect haproxy

3 Answers

  1. As I understand it, you can't redirect clients from within haproxy since it can't interact with SSL connections at all (can't decrypt the request or encrypt the response with the redirection). The connection has to go to some server with SSL support in order to do this.

    The only thing I can think of is to set up another webserver with the SSL key/cert and the fail whale page (could even be running on some odd port on the haproxy machine itself, use localhost:4433 or something like that), and have haproxy send all the SSL connections to that server during maintenance.

    • 2
  2. Best Answer

    I ended up installing stunnel on the load balancer, and redirecting traffic back onto port 80 thru the tunnel.

    HTTPs client => haproxy:443 => (no backends available, use 'backup' server 127.0.0.1:4443) => 127.0.0.1:443 (stunnel) => 127.0.0.1:80 (haproxy, with failwhale page)

    haproxy.conf

    listen SSL-via-shared-ip 1.2.3.2:443
   mode tcp
   option ssl-hello-chk
   #option httpchk OPTIONS * HTTP/1.1\r\nHost:\ www
   option httpchk HEAD /test.txt HTTP/1.0

# list of web servers
server app1 1.2.3.4:443 check port 80 maxconn 60  
server app2 1.2.3.5:443 check port 80 maxconn 60  
server failwhale 127.0.0.1:4443 backup maxconn 500


    #error pages#
    ##these are in raw http, not just html ##
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

    stunnel.conf

    ; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = all

options = NO_SSLv2

; PID is created inside the chroot jail
pid = /var/run/stunnel4/stunnel4.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Some debugging stuff useful for troubleshooting
debug = 7
output = /var/log/stunnel4/stunnel.log

; Certificate/key is needed in server mode and optional in client mode
cert = /etc/ssl/certs/stunnel.pem
key = /etc/ssl/certs/stunnel.pem


; Some security enhancements for UNIX systems - comment them out on Win32
;chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4

; Service-level configuration

[failwhale]
accept  = 4443
connect = 127.0.0.1:80
TIMEOUTclose = 0
    • 2

  3. The only way HAProxy can do this is if it is also terminating the SSL connections. In this setup the HAProxy server(s) would have the SSL certificates and it would communicate with the server pool via further SSL (a new connection) or straight up HTTP.

    Another option is to have a SSL-enabled webserver just for fail-whale serving that'll serve up the same fail-whale page no matter what URI it is passed. That way, you can keep that one server as the 'backup' server and any attempts to connect will get whale-goodness.

    • 1