We would like to use HAProxy ingress 1.7 on Kubernetes to listen on port 55560 for HTTPS connections.
Could you please assist in this regard?
Here is my haproxy.cfg file. When I try to connect to that port, I get the error "curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection".
HTTPS on port 443 works fine.
Regards,
Kalyan
# _version=5
# HAProxy Technologies
# https://www.haproxy.com/
# this file is not meant to be changed directly
# it is under haproxy ingress controller management
# Process-wide settings: master-worker mode, runtime API socket, TLS defaults, logging and server-state persistence.
global
localpeer local
master-worker
pidfile /var/run/haproxy.pid
# Runtime API socket opened at "level admin": any process that can open this path can alter the
# running proxy, so access to the socket file should stay limited to the controller.
stats socket /var/run/haproxy-runtime-api.sock expose-fd listeners level admin
stats timeout 1m
tune.ssl.default-dh-param 2048
# Defaults for TLS-terminating binds: SSLv3 and TLSv1.0 are refused and session tickets are disabled.
# TLSv1.1 is not excluded by this line. None of the bind lines shown in this file carries the ssl
# keyword, so these defaults are not exercised by any listener visible here.
ssl-default-bind-options no-sslv3 no-tls-tickets no-tlsv10
# NOTE(review): besides the AEAD (GCM) suites, this list still admits CBC-mode SHA/SHA256/SHA384
# suites and DHE-DSS entries; confirm whether clients still need them.
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
# Logs go to stdout in raw format.
log stdout format raw daemon
server-state-file global
server-state-base /var/state/haproxy/
# Defaults inherited by the frontend and backend sections that follow.
defaults
log global
# HTTP log line; the request part is logged as method, txn.base and HTTP version.
log-format '%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs "%HM %[var(txn.base)] %HV"'
option redispatch
# Connections on which no data was exchanged are not logged, so some failed probes leave no log line.
option dontlognull
option http-keep-alive
timeout http-request 5s
timeout connect 5s
timeout client 50s
timeout queue 5s
timeout server 50s
timeout tunnel 1h
timeout http-keep-alive 1m
load-server-state-from-file global
# Peers section with a single entry, "local", on loopback port 10000 (the name matches localpeer in global).
peers localinstance
peer local 127.0.0.1:10000
# Health endpoint: answers /healthz on port 1042 (IPv4 and IPv6) directly from HAProxy.
frontend healthz
mode http
bind 0.0.0.0:1042 name v4
bind :::1042 name v6 v4v6
monitor-uri /healthz
# Successful requests are not logged, which keeps probe traffic out of the log.
option dontlog-normal
# Plain-HTTP listener on port 80: routes by Host header and path using the map files under /etc/haproxy/maps.
frontend http
mode http
bind 0.0.0.0:80 name v4
bind :::80 name v6
# A PROXY protocol header is expected only from source addresses listed in this map. That header
# supplies the client address HAProxy records, so the map should list only trusted load balancers.
tcp-request connection expect-proxy layer4 if { src -f /etc/haproxy/maps/proxy-protocol-827c05ecc804eacf23a63899ca0ffcf6.map }
http-request set-var(txn.base) base
http-request set-var(txn.path) path
# Host header with any port suffix removed, lower-cased.
http-request set-var(txn.host) req.hdr(Host),field(1,:),lower
# Exact host lookup first; if nothing matched, retry with the first label stripped (wildcard-style entry).
http-request set-var(txn.host_match) var(txn.host),map(/etc/haproxy/maps/host.map)
http-request set-var(txn.host_match) var(txn.host),regsub(^[^.]*,,),map(/etc/haproxy/maps/host.map,'') if !{ var(txn.host_match) -m found }
# Exact path lookup first, then prefix lookup if the exact one found nothing.
http-request set-var(txn.path_match) var(txn.host_match),concat(,txn.path,),map(/etc/haproxy/maps/path-exact.map)
http-request set-var(txn.path_match) var(txn.host_match),concat(,txn.path,),map_beg(/etc/haproxy/maps/path-prefix.map) if !{ var(txn.path_match) -m found }
# The backend name is the part of the match before the first dot; requests with no match go to the default backend.
use_backend %[var(txn.path_match),field(1,.)]
default_backend default-default-ingress-default-backend-port-1
# Internal HTTP-mode listener on loopback port 443; backend "ssl" in this file forwards to 127.0.0.1:443 with PROXY v2.
frontend https
mode http
# Loopback only, and every connection must begin with a PROXY protocol header (accept-proxy).
# NOTE(review): the bind lines as pasted carry no ssl/crt keywords, so as written nothing here
# terminates TLS; confirm against the controller's certificate configuration.
bind 127.0.0.1:443 name v4 accept-proxy
bind ::1:443 name v6 v4v6 accept-proxy
http-request set-var(txn.base) base
http-request set-var(txn.path) path
# Host header with any port suffix removed, lower-cased.
http-request set-var(txn.host) req.hdr(Host),field(1,:),lower
# Exact host lookup first; if nothing matched, retry with the first label stripped.
http-request set-var(txn.host_match) var(txn.host),map(/etc/haproxy/maps/host.map)
http-request set-var(txn.host_match) var(txn.host),regsub(^[^.]*,,),map(/etc/haproxy/maps/host.map,'') if !{ var(txn.host_match) -m found }
# Exact path lookup first, then prefix lookup if the exact one found nothing.
http-request set-var(txn.path_match) var(txn.host_match),concat(,txn.path,),map(/etc/haproxy/maps/path-exact.map)
http-request set-var(txn.path_match) var(txn.host_match),concat(,txn.path,),map_beg(/etc/haproxy/maps/path-prefix.map) if !{ var(txn.path_match) -m found }
# Tells the application the original request used HTTPS; set-header replaces any client-supplied value.
http-request set-header X-Forwarded-Proto https
use_backend %[var(txn.path_match),field(1,.)]
default_backend default-default-ingress-default-backend-port-1
# Public port 443 in TCP mode: reads the SNI from the TLS ClientHello without decrypting, and picks a backend from sni.map.
frontend ssl
mode tcp
bind 0.0.0.0:443 name v4
bind :::443 name v6 v4v6
# TCP log line extended with the SNI value captured below.
log-format '%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs haproxy.MAP_SNI: %[var(sess.sni)]'
# Connections whose first bytes are not a TLS ClientHello are rejected.
tcp-request content reject if !{ req_ssl_hello_type 1 }
# No unit is given, so the value is in milliseconds (50 s). A client that connects and sends
# nothing can occupy a connection slot for that long while HAProxy waits for the ClientHello.
tcp-request inspect-delay 50000
# PROXY protocol header expected only from source addresses listed in this map.
tcp-request connection expect-proxy layer4 if { src -f /etc/haproxy/maps/proxy-protocol-827c05ecc804eacf23a63899ca0ffcf6.map }
tcp-request content set-var(sess.sni) req_ssl_sni
# Exact SNI lookup, then a lookup with the first label stripped.
# NOTE(review): the second rule has no "if !{ ... -m found }" guard, unlike the host lookups in
# the http frontends; confirm it cannot replace an exact match.
tcp-request content set-var(txn.sni_match) req_ssl_sni,map(/etc/haproxy/maps/sni.map)
tcp-request content set-var(txn.sni_match) req_ssl_sni,regsub(^[^.]*,,),map(/etc/haproxy/maps/sni.map)
# Matched SNI goes to its own backend (TLS passed through); everything else goes to backend "ssl".
use_backend %[var(txn.sni_match),field(1,.)]
default_backend ssl
# Statistics page and Prometheus metrics on port 1024.
frontend stats
mode http
# Bound on all addresses. No "stats auth" or ACL appears in this section, so anything that can
# reach port 1024 can read the backend names, server addresses and traffic counters. Keep the
# port off any external Service and restrict it with network policy.
bind *:1024
bind :::1024 name v6
stats enable
stats uri /
stats refresh 10s
http-request set-var(txn.base) base
# /metrics is served by the built-in Prometheus exporter.
http-request use-service prometheus-exporter if { path /metrics }
# Plain TCP listener on port 55560 (IPv4 and IPv6) that hands every connection to backend default-rapid-po-service-55560.
frontend tcp-55560
mode tcp
# Neither bind line carries ssl/crt, so HAProxy does not terminate TLS on this port. The client's
# handshake bytes are relayed unchanged and must be answered by the backend server itself.
bind 0.0.0.0:55560 name v4
bind :::55560 name v6 v4v6
# Connection-level TCP logging; nothing in this section inspects the TLS handshake or SNI.
option tcplog
# No routing rules: all traffic on this port goes to the one backend.
default_backend default-rapid-po-service-55560
# HTTP backend with one health-checked server on port 80 (hostname redacted in the post).
backend default-ic-http-service-80
mode http
balance roundrobin
# Adds X-Forwarded-For with the client address to requests sent to the server.
option forwardfor
# Address resolution order at startup: last known state, then libc; "none" lets HAProxy start
# with the server address unset if both fail.
default-server init-addr last,libc,none
server SRV_1 xxxxxxxxxxx.com:80 check weight 128
# Default backend used by the http and https frontends when no host/path map entry matches.
backend default-default-ingress-default-backend-port-1
mode http
balance roundrobin
# Adds X-Forwarded-For with the client address to requests sent to the server.
option forwardfor
server SRV_1 10.119.58.166:8080 check weight 128
# Disabled placeholder slot on loopback.
server SRV_2 127.0.0.1:8080 disabled check weight 128
# TCP backend behind frontend tcp-55560; bytes are relayed to the server as received.
backend default-rapid-po-service-55560
mode tcp
balance roundrobin
# "none" lets HAProxy start with the server address unset if the name cannot be resolved.
default-server init-addr last,libc,none
# The server line has no ssl keyword and "check" is a plain TCP connect check, so a passing check
# does not show that the server speaks TLS on this port.
# NOTE(review): a client-side handshake abort such as the SSL_ERROR_SYSCALL quoted above is what
# an unreachable, unresolved or plaintext-only server here would produce; confirm which applies.
server SRV_1 xxxxxxx:55560 check weight 128
# TCP backend with one health-checked server on port 44448. No frontend shown in this file refers to it.
backend default-rapid-service-44448
mode tcp
balance roundrobin
# "none" lets HAProxy start with the server address unset if the name cannot be resolved.
default-server init-addr last,libc,none
server SRV_1 xxxxxxxxxx:44448 check weight 128
# HTTP backend with one health-checked server on port 80 (hostname redacted in the post).
backend default-sample-http-service-80
mode http
balance roundrobin
# Adds X-Forwarded-For with the client address to requests sent to the server.
option forwardfor
# "none" lets HAProxy start with the server address unset if the name cannot be resolved.
default-server init-addr last,libc,none
server SRV_1 xxxxxxxxxxxx:80 check weight 128
# TCP backend on port 443: TLS is passed through to the server, which must hold the certificate.
backend default-sample-https-service-443
mode tcp
balance roundrobin
# "none" lets HAProxy start with the server address unset if the name cannot be resolved.
default-server init-addr last,libc,none
# "check" is a plain TCP connect check; it does not perform a TLS handshake.
server SRV_1 xxxxxxxxxxxx:443 check weight 128
# Default target of frontend ssl: hands the connection to the loopback https frontend.
backend ssl
mode tcp
# send-proxy-v2 carries the original client address to the https frontend, whose binds use accept-proxy.
server https 127.0.0.1:443 send-proxy-v2