Skip to content

Instantly share code, notes, and snippets.

@meanevo
Last active June 22, 2024 07:49
Show Gist options
  • Save meanevo/f962a8fa5763862ab6cd94addbc4dd8d to your computer and use it in GitHub Desktop.
Save meanevo/f962a8fa5763862ab6cd94addbc4dd8d to your computer and use it in GitHub Desktop.
HAProxy without SSL Termination
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 2048
user haproxy
group haproxy
daemon
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
# ssl settings, as we want to get pretty result
# @ https://www.ssllabs.com/ssltest
tune.ssl.default-dh-param 2048
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
mode tcp
log global
option dontlog-normal
option tcpka
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 5s
#---------------------------------------------------------------------
# frontend which proxys raw/ssl request to the backends
#---------------------------------------------------------------------
frontend http
mode http
bind :::80 v4v6
default_backend local_http
frontend https
bind :::443 v4v6
default_backend local_https
# use tcp content accepts to detects ssl client and server hello.
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
#---------------------------------------------------------------------
# balancing between the various backends
#---------------------------------------------------------------------
backend local_http
server nginx_http 127.0.0.1:8008 check send-proxy
backend local_https
# maximum SSL session ID length is 32 bytes.
stick-table type binary len 32 size 30k expire 30m
acl clienthello req_ssl_hello_type 1
acl serverhello rep_ssl_hello_type 2
# use tcp content accepts to detects ssl client and server hello.
tcp-request inspect-delay 5s
tcp-request content accept if clienthello
# no timeout on response inspect delay by default.
tcp-response content accept if serverhello
# SSL session ID (SSLID) may be present on a client or server hello.
# Its length is coded on 1 byte at offset 43 and its value starts
# at offset 44.
# Match and learn on request if client hello.
stick on payload_lv(43,1) if clienthello
# learn on response if server hello.
stick store-response payload_lv(43,1) if serverhello
server nginx_https 127.0.0.1:8443 check send-proxy
@et304383
Copy link

Where is the server nginx_https defined?

The reason I ask is we're trying to figure out how to do acl routing on https without doing tls (ssl) termination on haproxy.

@bradchesney79
Copy link

...it is a little late and I'm just putting it out there for the next person. @et304383 , nginx_https is just the label for the server and will show up in the logs. Arbitrary random string you feel is most appropriate plucked from your imagination for all intents and purposes.

@zx1986
Copy link

zx1986 commented Feb 2, 2023

I got curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 127.0.0.1:443
after I upgrade haproxy to 2.4.x, this configuration works, thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment