Question

Does HAProxy support a backend on HTTPS for reverse proxy?

Posted October 1, 2015 68.2k views
Networking

Hi,

I have configured an HAProxy server on Linux on port 80 and am trying to do reverse proxy with a backend on the HTTPS protocol (443). Is it possible in HAProxy?

Client –>httptraffic –>Haproxy server–>https traffic–>backend server

Is there any other solution for this scenario?

If I use the proxy pass-through functionality provided in TCP mode, it did work, but the client can see the backend server (this is not a real reverse proxy).

Thanks !!

2 answers

HAProxy 1.4 does not support SSL backends. Unfortunately, this is the default version in Ubuntu 14.04 and a number of other widely used distro releases. There is a PPA that provides more recent versions for Ubuntu. If you have it installed already, you can upgrade it to 1.5 by running:

    sudo add-apt-repository ppa:vbernat/haproxy-1.5
    sudo apt-get update
    sudo apt-get upgrade

Then, in your HAProxy config (/etc/haproxy/haproxy.cfg), you’d have something like this:

frontend www-http
        bind haproxy.public.ip.addr:80
        reqadd X-Forwarded-Proto:\ http
        default_backend www-backend

backend www-backend
        balance roundrobin
        # ssl: connect to the backend over TLS; verify none: the backend certificate is not validated
        server web-01 web01.priv.ip.addr:443 check ssl verify none
        server web-02 web02.priv.ip.addr:443 check ssl verify none

  • Thanks for the reply.
    I am using HAProxy version 1.5.
    I have followed the same configuration as per the suggestions.
    When I try to hit this server from a browser, I get the following error.
    Url : http://10.177.222.83:8080

    Error in browser:

     An error occurred during a connection to 10.177.222.83:8080. SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long) 
    

    My config file is:

    defaults
        mode                    http
        log                     global
        option                  httplog
        option                  dontlognull
        option http-server-close
        option forwardfor       except 127.0.0.0/8
        option                  redispatch
        retries                 3
        timeout http-request    10s
        timeout queue           1m
        timeout connect         10s
        timeout client          1m
        timeout server          1m
        timeout http-keep-alive 10s
        timeout check           10s
        maxconn                 3000
    
    frontend www-http
            bind  10.177.222.83:8080
            reqadd X-Forwarded-Proto:\ http
            default_backend default-backend
    
    backend default-backend
        balance roundrobin
        server adm-test-platform 10.177.222.82:443 check ssl verify none
    

    Thanks..
    Really appreciate help here

    edited by asb
    • The Error code: ssl_error_rx_record_too_long error is likely coming from Apache on “adm-test-platform”. So it seems like HAProxy is likely working correctly, but that Apache on the backend is not configured for serving SSL over 443 right.

  • Asb, your response to the above question was very useful for me. Just an extension to the original question.

    Does HAProxy also support 2-way SSL in an HAProxy-to-backend setup? Basically, if the backend server only supports mutual authentication, how do I configure HAProxy to send the client certificate to the backend server?

    Client –>httptraffic –>(Haproxy server–>https traffic–>backend server)

    Is this something achievable?

    The reason I want to do this is that I do not want to configure client certificates in each one of the clients; HAProxy acts as a proxy client for the backend, so that I configure the client certificate in HAProxy only.
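An added example, not posted by anyone in this thread: the backend from the answer above with certificate verification turned on and a client certificate presented to the backend, which is the mutual-authentication case the follow-up comment asks about. The file paths and the `web01.example.internal` name are placeholders, and it assumes HAProxy 1.5 or later built with OpenSSL support.

```haproxy
# Added example; paths and host names below are placeholders, not values from the thread.
frontend www-http
    mode http
    bind haproxy.public.ip.addr:80
    # set-header replaces any X-Forwarded-Proto the client sent itself;
    # reqadd (used in the answer) only appends a second header.
    http-request set-header X-Forwarded-Proto http
    default_backend www-backend

backend www-backend
    mode http
    balance roundrobin

    # Form used in the answer: TLS to the backend, but its certificate is
    # never validated and no client certificate is offered.
    # server web-01 web01.priv.ip.addr:443 check ssl verify none

    # Verified, mutually authenticated form (server options must stay on one line):
    #   verify required + ca-file : refuse the backend unless its certificate
    #                               chains to the CA bundle in this file
    #   verifyhost                : also require the certificate to match this name
    #   crt                       : PEM file holding HAProxy's client certificate
    #                               and private key, sent when the backend
    #                               requests a client certificate
    server web-01 web01.priv.ip.addr:443 check ssl verify required ca-file /etc/haproxy/certs/backend-ca.pem verifyhost web01.example.internal crt /etc/haproxy/certs/haproxy-client.pem
```

The client-to-HAProxy leg in this layout is still plain HTTP, and the PEM file given to `crt` contains a private key, so it should be readable only by the account HAProxy starts as.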

Has somebody resolved the problem? I have the same problem.
