more information + additional suggestion from @AlexD

I want to set up haproxy on server 1 to route traffic destined for domain_name_1 to server 2 (which does not have an ssl certificate on it) and all the traffic destined for the other domain_names should be forwarded from haproxy to apache on server 1. I have made various changes such as installing haproxy on server 1 and making it listen on ports 80 and 443, changing apache on server 1 to listen on new ports (8888 and 9999) but still I get the following problem:

I read somewhere it could either be SSL certificate issues, haproxy SNI issues or Apache config file issues, but I'm really at a loss here and for the past several days have been pulling my hair out.

This was my current haproxy config, does it look ok?

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    tune.ssl.default-dh-param 2048

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # SSL settings
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE->
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.0 no-tls-tickets

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# Frontend settings
frontend http-in
    bind *:80
    mode http
    acl is_theysback hdr(host) -i domain_name_1.com
    use_backend theysback_backend if is_theysback
    default_backend apache_backend

frontend https-in
    bind *:443 ssl crt /etc/webmin/letsencrypt-fullnew.pem
    acl is_theysback hdr(host) -i domain_name_1.com
    use_backend theysback_backend if is_theysback
    default_backend apache_backend_ssl

# Backends - IP of SERVER 2
backend theysback_backend
    server server2 77.88.99.66:80 check

backend apache_backend
    server apache1 localhost:8888

backend apache_backend_ssl
    server apache1 localhost:9999 ssl ca-file /etc/webmin/letsencrypt-ca.pem

######################################################

In the config above I am using this crt for ssl binding:

/etc/webmin/letsencrypt-fullnew.pem

which was created as follows:

sudo cat /etc/webmin/letsencrypt-ca.pem /etc/webmin/letsencrypt-cert.pem /etc/webmin/letsencrypt-key.pem > /etc/webmin/letsencrypt-fullnew.pem 

and inside contains:

-----BEGIN CERTIFICATE-----
.........
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
.........
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
.........
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
.........
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
.........
-----END PRIVATE KEY-----
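A check worth running on a bundle like letsencrypt-fullnew.pem before handing it to the `crt` bind option. This is an added example, not code from the question or from HAProxy; it uses only the Python standard library and assumes the bundle was concatenated with the `cat` command shown above. It reports the order of the PEM blocks and then asks OpenSSL to load the file the way a TLS server does, which is the same leaf-first layout (server certificate, then intermediates, plus the key) that OpenSSL-style chain loaders expect.

```python
"""Sanity-check a concatenated PEM bundle before pointing HAProxy's `crt` at it."""
import re
import ssl
import sys
import tempfile
from typing import List, Optional

# One PEM block; the END label must repeat the BEGIN label (e.g. "PRIVATE KEY").
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

def pem_block_types(bundle_text: str) -> List[str]:
    """Labels of the PEM blocks in file order, e.g. ['CERTIFICATE', 'PRIVATE KEY']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(bundle_text)]

def bundle_layout_issues(bundle_text: str) -> List[str]:
    """Layout problems an OpenSSL-style chain loader (HAProxy's included) trips over."""
    types = pem_block_types(bundle_text)
    issues = []
    n_keys = sum(1 for t in types if t.endswith("PRIVATE KEY"))
    if "CERTIFICATE" not in types:
        issues.append("no CERTIFICATE block found")
    if n_keys != 1:
        issues.append(f"expected exactly one private key block, found {n_keys}")
    if types and types[0] != "CERTIFICATE":
        issues.append(f"first block is {types[0]}; the server certificate must come first")
    return issues

def openssl_load_error(bundle_text: str) -> Optional[str]:
    """Load the bundle as a TLS server would; None if OpenSSL accepts it, else the reason.

    OpenSSL pairs the private key with the FIRST certificate in the file, so a bundle
    built as `cat ca.pem cert.pem key.pem` (CA certificate first) is rejected with a
    key mismatch even when every block in it is individually valid.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with tempfile.NamedTemporaryFile("w", suffix=".pem") as f:
        f.write(bundle_text)
        f.flush()
        try:
            ctx.load_cert_chain(f.name)
        except ssl.SSLError as e:
            return e.reason or str(e)
    return None

if __name__ == "__main__":
    text = open(sys.argv[1]).read()  # e.g. /etc/webmin/letsencrypt-fullnew.pem
    for issue in bundle_layout_issues(text):
        print("layout:", issue)
    err = openssl_load_error(text)
    print("openssl:", "accepted" if err is None else err)
```

Run it as `python3 check_bundle.py /etc/webmin/letsencrypt-fullnew.pem`; a clean result is an empty layout list and "openssl: accepted".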

######################################################

The apache configs for the domains having issues (503 SSL handshake errors):

sites-enabled DOMAIN-1-SHOULD-STAY-ON-SERVER-1-SENT-TO-APACHE.conf

<VirtualHost *:8888>
    ServerAdmin admin@domain_name_2.com
    ServerName domain_name_1.com
    ServerAlias www.domain_name_1.com
    DocumentRoot /var/www/theysback/public_html
    <Directory /var/www/theysback/public_html>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =domain_name_1.com [OR]
    RewriteCond %{SERVER_NAME} =www.domain_name_1.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

sites-enabled DOMAIN-2-SHOULD-STAY-ON-SERVER-1-SENT-TO-APACHE.conf

<IfModule mod_ssl.c>
<VirtualHost *:9999>
    ServerAdmin admin@domain_name_2.com
    ServerName domain_name_2.com
    DocumentRoot /var/www/theysbacksubdomain/public_html
    <Directory /var/www/theysbacksubdomain/public_html>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine on
    SSLCertificateFile /etc/webmin/letsencrypt-cert.pem
    SSLCertificateKeyFile /etc/webmin/letsencrypt-key.pem
    SSLCACertificateFile /etc/webmin/letsencrypt-ca.pem
    # IP of SERVER 1
    ProxyPreserveHost On
    ProxyPass / http://44.22.99.33:7000/
    ProxyPassReverse / http://44.22.99.33:7000/
    #
</VirtualHost>
<VirtualHost *:8888>
    DocumentRoot /var/www/theysbacksubdomain/public_html
    ServerName domain_name_2.com
    <Directory /var/www/theysbacksubdomain/public_html>
        Options None
        Require all granted
    </Directory>
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =domain_name_2.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
</IfModule>

Haproxy SSL handshake errors for local Apache traffic only

I'm currently using apache (Ubuntu) on server 1 (ports 80 and 443) which has multiple domain names and a wildcard ssl certificate. All works perfectly at the moment.

I want to set up haproxy on server 1 to route traffic destined for domain_name_1 to server 2 (which does not have an ssl certificate on it) and all the traffic destined for the other domain_names should be forwarded from haproxy to apache on server 1. I have made various changes such as installing haproxy on server 1 and making it listen on ports 80 and 443, changing apache on server 1 to listen on new ports (8888 and 9999) but still I get the following problem:

Traffic for the domain_name_1 is correctly sent to server 2 and ssl is working as well. The problem is with all the other domains that should be sent to apache on server 1, those domains return a web browser error of 503 and looking in the haproxy logs I have many SSL handshake errors.

I read somewhere it could either be SSL certificate issues, haproxy SNI issues or Apache config file issues, but I'm really at a loss here and for the past several days have been pulling my hair out.

This was my current haproxy config, does it look ok?


global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # SSL settings
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE->
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# Frontend settings
frontend http-in
    bind *:80
    mode http
    acl is_theysback hdr(host) -i domain_name_1.com
    use_backend theysback_backend if is_theysback
    default_backend apache_backend

frontend https-in
    bind *:443 ssl crt /etc/webmin/letsencrypt-fullnew.pem
    acl is_theysback hdr(host) -i domain_name_1.com
    use_backend theysback_backend if is_theysback
    default_backend apache_backend_ssl

# Backends
backend theysback_backend
    server server2 77.88.99.66:80 check

backend apache_backend
    server apache1 localhost:8888

backend apache_backend_ssl
    server apache1 localhost:9999

Any suggestions would be extremely welcome