Last active
May 24, 2023 15:43
-
-
Save meanevo/f962a8fa5763862ab6cd94addbc4dd8d to your computer and use it in GitHub Desktop.
HAProxy without SSL Termination
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #--------------------------------------------------------------------- | |
| # Global settings | |
| #--------------------------------------------------------------------- | |
| global | |
| log 127.0.0.1 local2 | |
| chroot /var/lib/haproxy | |
| pidfile /var/run/haproxy.pid | |
| maxconn 2048 | |
| user haproxy | |
| group haproxy | |
| daemon | |
| # turn on stats unix socket | |
| stats socket /var/lib/haproxy/stats | |
| # ssl settings, as we want to get pretty result | |
| # @ https://www.ssllabs.com/ssltest | |
| tune.ssl.default-dh-param 2048 | |
| ssl-default-bind-options no-sslv3 no-tls-tickets | |
| ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA | |
| #--------------------------------------------------------------------- | |
| # common defaults that all the 'listen' and 'backend' sections will | |
| # use if not designated in their block | |
| #--------------------------------------------------------------------- | |
| defaults | |
| mode tcp | |
| log global | |
| option dontlog-normal | |
| option tcpka | |
| retries 3 | |
| timeout http-request 10s | |
| timeout queue 1m | |
| timeout connect 10s | |
| timeout client 1m | |
| timeout server 1m | |
| timeout http-keep-alive 10s | |
| timeout check 5s | |
| #--------------------------------------------------------------------- | |
| # frontend which proxys raw/ssl request to the backends | |
| #--------------------------------------------------------------------- | |
| frontend http | |
| mode http | |
| bind :::80 v4v6 | |
| default_backend local_http | |
| frontend https | |
| bind :::443 v4v6 | |
| default_backend local_https | |
| # use tcp content accepts to detects ssl client and server hello. | |
| tcp-request inspect-delay 5s | |
| tcp-request content accept if { req_ssl_hello_type 1 } | |
| #--------------------------------------------------------------------- | |
| # balancing between the various backends | |
| #--------------------------------------------------------------------- | |
| backend local_http | |
| server nginx_http 127.0.0.1:8008 check send-proxy | |
| backend local_https | |
| # maximum SSL session ID length is 32 bytes. | |
| stick-table type binary len 32 size 30k expire 30m | |
| acl clienthello req_ssl_hello_type 1 | |
| acl serverhello rep_ssl_hello_type 2 | |
| # use tcp content accepts to detects ssl client and server hello. | |
| tcp-request inspect-delay 5s | |
| tcp-request content accept if clienthello | |
| # no timeout on response inspect delay by default. | |
| tcp-response content accept if serverhello | |
| # SSL session ID (SSLID) may be present on a client or server hello. | |
| # Its length is coded on 1 byte at offset 43 and its value starts | |
| # at offset 44. | |
| # Match and learn on request if client hello. | |
| stick on payload_lv(43,1) if clienthello | |
| # learn on response if server hello. | |
| stick store-response payload_lv(43,1) if serverhello | |
| server nginx_https 127.0.0.1:8443 check send-proxy |
...it is a little late and I'm just putting it out there for the next person. @et304383 , nginx_https is just the label for the server and will show up in the logs. Arbitrary random string you feel is most appropriate plucked from your imagination for all intents and purposes.
I got curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 127.0.0.1:443
after I upgrade haproxy to 2.4.x, this configuration works, thanks!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Where is the server nginx_https defined?
The reason I ask is we're trying to figure out how to do acl routing on https without doing tls (ssl) termination on haproxy.