
HAProxy help for HTTPS requests on custom ports


We would like to use HAProxy ingress 1.7 on Kubernetes to listen on port 55560 for HTTPS connections.

Could you please assist in this regard?

Here is my haproxy.cfg file. When I try to access it, I get the error `curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection`.

HTTPS on port 443 works fine.

Regards, Kalyan

# _version=5
# HAProxy Technologies
# https://www.haproxy.com/
# this file is not meant to be changed directly
# it is under haproxy ingress controller management

# Process-wide settings. Note that no bind line anywhere in this file carries
# the `ssl` keyword, so the TLS defaults below are never exercised: HAProxy
# does not terminate TLS in this configuration as pasted.
global 
  localpeer local
  # Master-worker model; together with `expose-fd listeners` on the runtime
  # socket the listening sockets survive a reload of the worker.
  master-worker
  pidfile /var/run/haproxy.pid
  # Runtime API at `level admin` can change server state and hand over
  # listeners; whoever can open this socket path controls the proxy, so its
  # filesystem permissions are the access control.
  stats socket /var/run/haproxy-runtime-api.sock expose-fd listeners level admin
  stats timeout 1m
  # DH group size for DHE-* suites when no custom DH parameters are loaded.
  tune.ssl.default-dh-param 2048
  # Disables SSLv3 and TLS 1.0 and turns off session tickets; TLS 1.1 is NOT
  # disabled (no `no-tlsv11`). Only applies to a `bind ... ssl` line.
  ssl-default-bind-options no-sslv3 no-tls-tickets no-tlsv10
  # The list still contains SHA-1 CBC suites (e.g. ECDHE-RSA-AES128-SHA) and
  # DHE-DSS suites; again only relevant once a bind actually terminates TLS.
  ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
  log stdout format raw daemon
  # Server state is written under /var/state/haproxy/ so that the backends'
  # `init-addr last` and the `load-server-state-from-file` default can reuse it.
  server-state-file global
  server-state-base /var/state/haproxy/

# Defaults inherited by every frontend/backend below unless overridden.
defaults 
  log global
  # Custom access-log line; %[var(txn.base)] prints the request base that the
  # HTTP frontends store with `http-request set-var(txn.base) base`.
  log-format '%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs "%HM %[var(txn.base)] %HV"'
  option redispatch
  # Connections that close without sending any data are not logged.
  option dontlognull
  option http-keep-alive
  # Time budget for receiving the complete request headers; this is what
  # bounds clients that trickle headers slowly.
  timeout http-request 5s
  timeout connect 5s
  timeout client 50s
  timeout queue 5s
  timeout server 50s
  # Long-lived tunnels (e.g. WebSocket/CONNECT) may stay idle for an hour.
  timeout tunnel 1h
  timeout http-keep-alive 1m
  load-server-state-from-file global

# Peers section used by the controller; only the local instance is declared,
# and it is reached on loopback.
peers localinstance 
  peer local 127.0.0.1:10000

# Liveness endpoint. HAProxy answers /healthz itself (monitor-uri); nothing is
# proxied. Bound on all interfaces, port 1042, IPv4 and IPv6.
frontend healthz 
  mode http
  bind 0.0.0.0:1042 name v4
  bind :::1042 name v6 v4v6
  monitor-uri /healthz
  # Successful probe responses are not logged to keep the log useful.
  option dontlog-normal

# Plaintext HTTP entry point on port 80. Routing is host + path driven through
# the controller-managed map files; there is no redirect to HTTPS here.
frontend http 
  mode http
  bind 0.0.0.0:80 name v4
  bind :::80 name v6
  # Only sources listed in the proxy-protocol map must send a PROXY header;
  # all other clients speak plain HTTP directly.
  tcp-request connection expect-proxy layer4 if { src -f /etc/haproxy/maps/proxy-protocol-827c05ecc804eacf23a63899ca0ffcf6.map }
  http-request set-var(txn.base) base
  http-request set-var(txn.path) path
  # Host header with any :port suffix stripped and lower-cased before lookup.
  http-request set-var(txn.host) req.hdr(Host),field(1,:),lower
  http-request set-var(txn.host_match) var(txn.host),map(/etc/haproxy/maps/host.map)
  # Wildcard fallback: drop the first label (regsub) and retry the host map,
  # but only if the exact lookup found nothing.
  http-request set-var(txn.host_match) var(txn.host),regsub(^[^.]*,,),map(/etc/haproxy/maps/host.map,'') if !{ var(txn.host_match) -m found }
  # Exact path match first, then longest-prefix match (map_beg) as fallback.
  http-request set-var(txn.path_match) var(txn.host_match),concat(,txn.path,),map(/etc/haproxy/maps/path-exact.map)
  http-request set-var(txn.path_match) var(txn.host_match),concat(,txn.path,),map_beg(/etc/haproxy/maps/path-prefix.map) if !{ var(txn.path_match) -m found }
  # The map value is "<backend>.<...>"; the first dot-separated field names
  # the backend. An unset variable falls through to default_backend.
  use_backend %[var(txn.path_match),field(1,.)]
  default_backend default-default-ingress-default-backend-port-1

# HTTPS-side HTTP frontend. It is bound on loopback only and requires a PROXY
# header (accept-proxy), so it is reached from `backend ssl` (send-proxy-v2)
# rather than by clients directly.
# NOTE(review): as pasted, neither bind line carries `ssl crt <cert-bundle>`,
# so this frontend would parse whatever arrives on 127.0.0.1:443 as plaintext
# HTTP and could not decrypt a TLS stream forwarded to it — confirm whether
# the `ssl` part of the bind lines was dropped when the file was pasted.
frontend https 
  mode http
  bind 127.0.0.1:443 name v4 accept-proxy
  bind ::1:443 name v6 v4v6 accept-proxy
  http-request set-var(txn.base) base
  http-request set-var(txn.path) path
  http-request set-var(txn.host) req.hdr(Host),field(1,:),lower
  http-request set-var(txn.host_match) var(txn.host),map(/etc/haproxy/maps/host.map)
  # Wildcard-host fallback, guarded so it cannot override an exact match.
  http-request set-var(txn.host_match) var(txn.host),regsub(^[^.]*,,),map(/etc/haproxy/maps/host.map,'') if !{ var(txn.host_match) -m found }
  http-request set-var(txn.path_match) var(txn.host_match),concat(,txn.path,),map(/etc/haproxy/maps/path-exact.map)
  http-request set-var(txn.path_match) var(txn.host_match),concat(,txn.path,),map_beg(/etc/haproxy/maps/path-prefix.map) if !{ var(txn.path_match) -m found }
  # Tells the backend application the client-facing scheme was https; the
  # http frontend does not set this header.
  http-request set-header X-Forwarded-Proto https
  use_backend %[var(txn.path_match),field(1,.)]
  default_backend default-default-ingress-default-backend-port-1

# Public port 443. TCP mode: the TLS handshake is NOT terminated here; the
# ClientHello's SNI is read and the still-encrypted stream is handed to a
# backend selected from sni.map, or to `backend ssl` when nothing matches.
frontend ssl 
  mode tcp
  bind 0.0.0.0:443 name v4
  bind :::443 name v6 v4v6
  log-format '%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs haproxy.MAP_SNI: %[var(sess.sni)]'
  # Anything that does not start with a TLS ClientHello (hello type 1) is
  # dropped, so non-TLS protocols never reach a backend through this port.
  tcp-request content reject if !{ req_ssl_hello_type 1 }
  # Up to 50000 ms to receive enough bytes to evaluate the content rules.
  tcp-request inspect-delay 50000
  # NOTE(review): HAProxy evaluates `tcp-request connection` rules and the
  # inspect-delay before content rules regardless of their position, but it
  # normally warns when they are written after a content rule as here.
  tcp-request connection expect-proxy layer4 if { src -f /etc/haproxy/maps/proxy-protocol-827c05ecc804eacf23a63899ca0ffcf6.map }
  tcp-request content set-var(sess.sni) req_ssl_sni
  tcp-request content set-var(txn.sni_match) req_ssl_sni,map(/etc/haproxy/maps/sni.map)
  # Wildcard fallback via regsub. Unlike the HTTP frontends this lookup has
  # no `-m found` guard and no '' default; presumably an unmatched lookup
  # leaves the first result in place — verify against the controller's intent.
  tcp-request content set-var(txn.sni_match) req_ssl_sni,regsub(^[^.]*,,),map(/etc/haproxy/maps/sni.map)
  use_backend %[var(txn.sni_match),field(1,.)]
  default_backend ssl

# Statistics and Prometheus metrics on port 1024, all interfaces. There is no
# `stats auth` or source ACL in this section, so backend names and server
# addresses are visible to anyone who can reach the pod on this port; restrict
# it at the network/policy level if the port is reachable beyond the cluster.
frontend stats 
  mode http
  bind *:1024
  bind :::1024 name v6
  stats enable
  stats uri /
  stats refresh 10s
  http-request set-var(txn.base) base
  http-request use-service prometheus-exporter if { path /metrics }

# Port 55560 as exposed by the controller: a raw TCP pass-through. The bind
# has no `ssl crt <cert-bundle>` option, so HAProxy does not terminate TLS on
# this port; a client's TLS ClientHello is forwarded byte-for-byte to the
# backend on its port 55560. Unless that service itself speaks TLS on 55560,
# it will not answer the handshake and the client sees an abrupt close —
# which is what `curl: (35) ... SSL_ERROR_SYSCALL` reports. Unlike
# `frontend ssl`, there is also no `req_ssl_hello_type` guard, so any
# protocol sent to 55560 reaches the backend.
frontend tcp-55560 
  mode tcp
  bind 0.0.0.0:55560 name v4
  bind :::55560 name v6 v4v6
  # TCP-level log format (no HTTP fields are available in tcp mode).
  option tcplog
  default_backend default-rapid-po-service-55560

# HTTP backend for the ic-http service. Host name is redacted in the post.
backend default-ic-http-service-80 
  mode http
  balance roundrobin
  # Adds X-Forwarded-For with the client address for the application.
  option forwardfor
  # Address resolution order at startup: saved state file, then libc
  # resolver, then start with no address (server marked down).
  default-server init-addr last,libc,none
  # `check` with no check type is a plain TCP connect health check.
  server SRV_1 xxxxxxxxxxx.com:80 check weight 128

# Fallback backend used by the http and https frontends when no host/path
# map entry matches.
backend default-default-ingress-default-backend-port-1 
  mode http
  balance roundrobin
  option forwardfor
  server SRV_1 10.119.58.166:8080 check weight 128
  # Disabled placeholder slot on loopback; receives no traffic.
  server SRV_2 127.0.0.1:8080 disabled check weight 128

# Target of `frontend tcp-55560`: TCP mode, so the client's bytes (including
# any TLS handshake) go to this server unchanged. It must terminate TLS itself
# for an HTTPS client to succeed. Host name is redacted in the post.
backend default-rapid-po-service-55560 
  mode tcp
  balance roundrobin
  default-server init-addr last,libc,none
  # TCP connect health check only; it does not verify that TLS is served.
  server SRV_1 xxxxxxx:55560 check weight 128

# TCP pass-through backend on port 44448; no frontend in the pasted file
# references it, so it is presumably selected via a map entry — verify.
backend default-rapid-service-44448 
  mode tcp
  balance roundrobin
  default-server init-addr last,libc,none
  server SRV_1 xxxxxxxxxx:44448 check weight 128

# HTTP backend for the sample-http service (reached via the host/path maps).
backend default-sample-http-service-80 
  mode http
  balance roundrobin
  option forwardfor
  default-server init-addr last,libc,none
  server SRV_1 xxxxxxxxxxxx:80 check weight 128

# TLS pass-through target for an SNI match in `frontend ssl`: the encrypted
# stream is relayed to the service's port 443, which terminates TLS itself.
backend default-sample-https-service-443 
  mode tcp
  balance roundrobin
  default-server init-addr last,libc,none
  server SRV_1 xxxxxxxxxxxx:443 check weight 128

# Default backend of `frontend ssl`: loops the stream back to the loopback
# https frontend, prefixing a PROXY v2 header so that frontend (accept-proxy)
# still sees the original client address.
backend ssl 
  mode tcp
  server https 127.0.0.1:443 send-proxy-v2
`Here is my haproxy.cfg file` — you seem to have forgotten this.
Thank you @GeraldSchneider, I have added it; can you please help me with this case?
You have configured HAProxy to pass the traffic through to the backend without SSL termination. The problem is in your backend service, not in HAProxy.
@GeraldSchneider, thank you so much for your reply. Could you please suggest how to do SSL termination?