i am having some trouble setting up HAProxy as a TCP load balancer (layer 4) and i would like to have your advice about it.
i've been following many guides on the web and i came up with this configuration (not showing any errors in the logs, it starts well) :
note : real domain names are masked
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
daemon
user haproxy
group haproxy
log /dev/log local6 debug
maxconn 50000
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
#---------------------------------------------------------------------
# common defaults
#---------------------------------------------------------------------
defaults
mode tcp
log global
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
#---------------------------------------------------------------------
# dedicated stats page
#---------------------------------------------------------------------
listen stats
mode http
bind :22222
stats enable
stats uri /haproxy?stats
stats realm Haproxy\ Statistics
stats auth xxxxxx:xxxxxxxx
stats refresh 30s
#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend main_https_listen
bind *:443
mode tcp
option tcplog
# -------------------------------
# ACLs - SIT
# -------------------------------
acl acl_SIT_CI5 req.ssl_sni -i url1.domain.net
acl acl_SIT_HR8 req.ssl_sni -i url2.domain.net
# -------------------------------
# Conditions - SIT
# -------------------------------
use_backend backend_SIT_CI5 if acl_SIT_CI5
use_backend backend_SIT_HR8 if acl_SIT_HR8
#---------------------------------------------------------------------
# Backends
#---------------------------------------------------------------------
backend backend_SIT_CI5
mode tcp
balance source
option ssl-hello-chk
server server_SIT_CI5_1 host1.domain.net:443 check
server server_SIT_CI5_2 host2.domain.net:443 check
backend backend_SIT_HR8
mode tcp
balance source
option ssl-hello-chk
server server_SIT_HR8_1 host1.domain.net:443 check
server server_SIT_HR8_2 host2.domain.net:443 check
i've pointed host1.domain.net to my haproxy vIP (it has a keepalived configuration behind with a Virtual IP).
now when accessing https://url1.domain.net (or even https://loadbalancerURL but i assume this is normal on that one) i have an error This page can't be displayed. Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://host1.domain.net again.
a single openssl s_client gives a ssl handshake failure (no certificates blabla).
do you have any idea of what i did wrong ? also, do i need to setup some certificates as i'm listening on 443 ? (even if i don't want these certs to be decrypted or whatever as i only want my HAProxy to act as a proxy).
i also tried to activate debug mode for logging but it didnt show any errors (nor new logs)
note : the backends are located behind firewalls, the communication between backends to HAProxy is not opened on 443 (only FROM Haproxy to the backends), does it need to be directional ? and why ?
note2: in haproxy stats, i can see all backends UP
also, is there a way to know/check if a redirection based on hostname (SNI) is working fine or not ? (i have the impression that the connection stays at the load balancer and is not redirected to the backend, and this is why i have an error)
a haproxy -vv gives :
HA-Proxy version 1.5.18 2016/05/10
Copyright 2000-2016 Willy Tarreau <[email protected]>
Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
OPTIONS = USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
ew, i made it working by adding this in the frontend (after looking at this post:)
the thing is, i don't know what these options are doing.. or why i need to specify them. does it mean that the HAProxy default behavior is to reject anything ?
The two lines that you have addded ensure that HAProxy has enough time to read the SNI header before chooisng a backend, and also checking it is actually SSL traffic (else rejecting it).
You probably also want to select a default backend:
for an SNI that doesn't match.