
I'm currently using Apache (Ubuntu) on server 1 (ports 80 and 443), which has multiple domain names and a wildcard SSL certificate. All works perfectly at the moment.

I want to set up haproxy on server 1 to route traffic destined for domain_name_1 to server 2 (which does not have an SSL certificate on it), and all the traffic destined for the other domain_names should be forwarded from haproxy to Apache on server 1. I have made various changes, such as installing haproxy on server 1 and making it listen on ports 80 and 443, and changing Apache on server 1 to listen on new ports (8888 and 9999), but I still get the following problem:

Traffic for domain_name_1 is correctly sent to server 2, and SSL is working as well. The problem is with all the other domains that should be sent to Apache on server 1: those domains return a 503 error in the web browser, and looking in the haproxy logs I see many SSL handshake errors.

I read somewhere it could be SSL certificate issues, haproxy SNI issues or Apache config file issues, but I'm really at a loss here and for the past several days I've been pulling my hair out.

This is my current haproxy config; does it look OK?


    global
        log /dev/log local0
        log /dev/log local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon
        tune.ssl.default-dh-param 2048

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # SSL settings
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE->
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.0 no-tls-tickets

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        timeout connect 5000
        timeout client 50000
        timeout server 50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

    # Frontend settings
    frontend http-in
        bind *:80
        mode http
        acl is_theysback hdr(host) -i domain_name_1.com
        use_backend theysback_backend if is_theysback
        default_backend apache_backend

    frontend https-in
        bind *:443 ssl crt /etc/webmin/letsencrypt-fullnew.pem
        acl is_theysback hdr(host) -i domain_name_1.com
        use_backend theysback_backend if is_theysback
        default_backend apache_backend_ssl

    # Backends - IP of SERVER 2
    backend theysback_backend
        server server2 77.88.99.66:80 check

    backend apache_backend
        server apache1 localhost:8888

    backend apache_backend_ssl
        server apache1 localhost:9999 ssl ca-file /etc/webmin/letsencrypt-ca.pem

######################################################

In the config above I am using this crt for ssl binding:

/etc/webmin/letsencrypt-fullnew.pem

which was created as follows:

    sudo cat /etc/webmin/letsencrypt-ca.pem /etc/webmin/letsencrypt-cert.pem /etc/webmin/letsencrypt-key.pem > /etc/webmin/letsencrypt-fullnew.pem

and inside contains:

    -----BEGIN CERTIFICATE-----
    .........
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    .........
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    .........
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    .........
    -----END CERTIFICATE-----
    -----BEGIN PRIVATE KEY-----
    .........
    -----END PRIVATE KEY-----

######################################################

The Apache configs for the domains having issues (503 / SSL handshake errors):

sites-enabled DOMAIN-1-SHOULD-STAY-ON-SERVER-1-SENT-TO-APACHE.conf

    <VirtualHost *:8888>
        ServerAdmin admin@domain_name_2.com
        ServerName domain_name_1.com
        ServerAlias www.domain_name_1.com
        DocumentRoot /var/www/theysback/public_html
        <Directory /var/www/theysback/public_html>
            Options Indexes FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =domain_name_1.com [OR]
        RewriteCond %{SERVER_NAME} =www.domain_name_1.com
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    </VirtualHost>

sites-enabled DOMAIN-2-SHOULD-STAY-ON-SERVER-1-SENT-TO-APACHE.conf

    <IfModule mod_ssl.c>
    <VirtualHost *:9999>
        ServerAdmin admin@domain_name_2.com
        ServerName domain_name_2.com
        DocumentRoot /var/www/theysbacksubdomain/public_html
        <Directory /var/www/theysbacksubdomain/public_html>
            Options Indexes FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/webmin/letsencrypt-cert.pem
        SSLCertificateKeyFile /etc/webmin/letsencrypt-key.pem
        SSLCACertificateFile /etc/webmin/letsencrypt-ca.pem
        # IP of SERVER 1
        ProxyPreserveHost On
        ProxyPass / http://44.22.99.33:7000/
        ProxyPassReverse / http://44.22.99.33:7000/
        #
    </VirtualHost>

    <VirtualHost *:8888>
        DocumentRoot /var/www/theysbacksubdomain/public_html
        ServerName domain_name_2.com
        <Directory /var/www/theysbacksubdomain/public_html>
            Options None
            Require all granted
        </Directory>
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =domain_name_2.com
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    </VirtualHost>
    </IfModule>

Any suggestions would be extremely welcome.
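The question mixes two symptoms that HAProxy logs differently, and telling them apart is the first step in a triage like this. The following Python script is an added example, not code from the question or from HAProxy, and it runs on constructed sample log lines (made-up IPs, timings and hostnames; only the frontend and backend names are taken from the config above). With `option httplog`, a client that fails TLS against the frontend is logged as `<frontend>/<bind-id>: SSL handshake failure` and never reaches a backend, whereas a request that HAProxy accepted and then failed to get served is logged as an HTTP line whose four-character termination state starts with `S` (server side refused or aborted; a `Tc` of -1 means the TCP connection to the server was never established), usually with a 503 or 502. Counting the two kinds separately, and the server-side failures per backend/server, shows whether the 503s originate at the `localhost:9999` hop or whether clients are failing against port 443 itself.

```python
import re
import sys
from collections import Counter

# Constructed sample lines (not from the original post) in the format produced by
# "option httplog", plus one frontend "SSL handshake failure" message. Hosts, IPs
# and timings are made up; the frontend/backend names mirror the question's config.
SAMPLE_LOG = """\
Apr 24 13:32:01 server1 haproxy[1234]: 203.0.113.5:51234 [24/Apr/2024:13:32:01.123] https-in~ apache_backend_ssl/apache1 0/0/-1/-1/12 503 212 - - SC-- 1/1/0/0/3 0/0 "GET / HTTP/1.1"
Apr 24 13:32:02 server1 haproxy[1234]: 203.0.113.5:51236 [24/Apr/2024:13:32:02.456] https-in~ apache_backend_ssl/apache1 0/0/-1/-1/10 503 212 - - SC-- 1/1/0/0/3 0/0 "GET /index.html HTTP/1.1"
Apr 24 13:32:03 server1 haproxy[1234]: 198.51.100.7:40001 [24/Apr/2024:13:32:03.001] https-in~ theysback_backend/server2 0/0/1/4/9 200 1532 - - ---- 2/2/0/0/0 0/0 "GET / HTTP/1.1"
Apr 24 13:32:04 server1 haproxy[1234]: 198.51.100.9:40022 [24/Apr/2024:13:32:04.777] https-in/1: SSL handshake failure
Apr 24 13:32:05 server1 haproxy[1234]: 203.0.113.5:51240 [24/Apr/2024:13:32:05.010] http-in apache_backend/apache1 0/0/0/2/3 301 304 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
"""

# httplog layout: client:port [accept_date] frontend backend/server Tq/Tw/Tc/Tr/Tt
# status bytes req_cookie resp_cookie termination_state ...  The frontend name
# carries a trailing "~" when the connection was TLS-terminated by HAProxy.
HTTPLOG_RE = re.compile(
    r"haproxy\[\d+\]: (?P<client>\S+):\d+ \[[^\]]+\] "
    r"(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) "
    r"(?P<tq>-?\d+)/(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tr>-?\d+)/(?P<tt>-?\d+) "
    r"(?P<status>-?\d+) \d+ \S+ \S+ (?P<term>\S{4}) "
)

# Frontend-side TLS failure: "<frontend>/<bind_id>: SSL handshake failure".
HANDSHAKE_RE = re.compile(
    r"haproxy\[\d+\]: (?P<client>\S+):\d+ \[[^\]]+\] "
    r"(?P<frontend>[^/\s]+)/\d+: SSL handshake failure"
)


def classify(line):
    """Describe one log line as a dict, or return None if it is not an HAProxy line."""
    m = HANDSHAKE_RE.search(line)
    if m:
        # The client never completed TLS with HAProxy, so no backend was involved.
        return {"kind": "frontend_tls_failure", "frontend": m["frontend"],
                "backend": None, "client": m["client"], "status": None,
                "term": None, "tc": None}
    m = HTTPLOG_RE.search(line)
    if not m:
        return None
    status, term, tc = int(m["status"]), m["term"], int(m["tc"])
    if term[0] == "S":
        # First termination flag 'S': the server refused or aborted the request.
        kind = "server_side_failure"
    elif status >= 500:
        kind = "other_5xx"
    else:
        kind = "ok"
    return {"kind": kind, "frontend": m["frontend"].rstrip("~"),
            "backend": f'{m["backend"]}/{m["server"]}', "client": m["client"],
            "status": status, "term": term, "tc": tc}


def summarize(log_text):
    """Tally line kinds, server-side failures per backend/server, and
    frontend TLS failures per frontend."""
    kinds, failing_servers, failing_frontends = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = classify(line)
        if rec is None:
            continue
        kinds[rec["kind"]] += 1
        if rec["kind"] == "server_side_failure":
            failing_servers[rec["backend"]] += 1
        elif rec["kind"] == "frontend_tls_failure":
            failing_frontends[rec["frontend"]] += 1
    return {"kinds": kinds, "failing_servers": failing_servers,
            "failing_frontends": failing_frontends}


if __name__ == "__main__":
    # Pass a log path (e.g. /var/log/haproxy.log) to analyse real data;
    # without one the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    summary = summarize(text)
    for kind, n in summary["kinds"].most_common():
        print(f"{kind:24s} {n}")
    for name, n in summary["failing_servers"].most_common():
        print(f"server-side failures at {name}: {n}")
    for name, n in summary["failing_frontends"].most_common():
        print(f"client TLS failures on {name}: {n}")
```

On the sample, the two 503s are attributed to `apache_backend_ssl/apache1` with `Tc` of -1, while the single handshake failure sits on the `https-in` frontend; on a real log, a high count in the first bucket points at the HAProxy-to-Apache hop (port 9999 and its certificate/CA settings), whereas a high count in the second points at what clients are offered on port 443.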

  • If your Apache on port 9999 uses SSL/TLS, then you need to use server apache1 localhost:9999 ssl. Commented Apr 24, 2024 at 13:32
  • Thanks for the suggestion. I tried it and still no joy, unless I am doing something wrong? I updated the config in my initial post with your suggestion and put in more info. Commented Apr 25, 2024 at 0:02
