Support #4842: haproxy proxy with SSL

Added by Gary Brace over 8 years ago. Updated over 8 years ago.

Status: Closed
Priority: Normal
Assignee: -
Target version:
Start date: 04/04/2016
Due date:
% Done: 0%
Estimated time:

Description

Has anyone been able to set up haproxy as a reverse proxy with a bind to port 443?

I need to run a wthttpd server as well as node.js, both on the same IP address, running with SSL.

I set up my config ACL to use "url_sub wtd=wt1", and in the haproxy log it shows wt1 as UP,

yet when I navigate to https://mydomain.com I receive the 503 service not found error.

(haproxy properly shows my SSL certificate at my domain URL.)

Here is my haproxy.cfg:

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    ssl-default-bind-ciphers TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    option http-server-close
    option http-pretend-keepalive
    option forwardfor
    option originalto
    retries 3
    option redispatch
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend public
    bind *:443 ssl crt /etc/ssl/private/mydomain_com.pem
    acl wt1 url_sub wtd=wt1
    use_backend wt if wt1
    # Everything else to Node.js
    default_backend node

backend wt
    # haproxy forwards plain HTTP to this server, but wt1 is started below with
    # --https-address/--https-port, i.e. as a TLS listener
    server wt1 127.0.0.1:8585 check

backend node
    server node 127.0.0.1:6503 check

I start up my wt server with:

    sudo ./mywebabb.wt --session-id-prefix=wt1 --docroot . --https-address 127.0.0.1 --https-port 8585 --ssl-certificate /.ssl/mydomain_com.pem --ssl-private-key /.ssl/mydomain_com.key --ssl-tmp-dh ~/.ssl/dh2048.pem --ssl-cipherlist 'TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH'

Other: my server runs on Amazon (AWS) ECS with Debian Jessie.

Actions #1

Updated by Wim Dumon over 8 years ago

  • Status changed from New to Resolved

To set up forwarding with haproxy in this way, haproxy will terminate the SSL connection and forward plain HTTP to a wt server listening on localhost.

So start wt as a normal, non-SSL server:

    ./mywebabb.wt --docroot somedocroot --deploy-path /wt --http-address 127.0.0.1 --http-port 8585

Note that I added deploy-path to the parameter list: it's generally a bad idea to have a reverse proxy that adds/removes path components.

I recommend forwarding based on path, so you will not need the session id prefix (which is useful if you do load balancing):

    acl is_wt path_beg /wt/
    use_backend wt if is_wt

Add this to your frontend configuration to let wt know how it should tweak its URLs, since they have been modified through reverse proxying:

    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Port %[dst_port]
    option forwardfor
    option originalto

Hope this helps!

Wim.
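The pieces from the reply above, assembled into one complete haproxy.cfg. This is an added example, not configuration from the ticket or from the Wt project: haproxy terminates TLS on 443 and forwards plain HTTP to a Wt started with `--http-address 127.0.0.1 --http-port 8585 --deploy-path /wt`, routing by path instead of the `wtd=` query parameter. The port-80 redirect, the HSTS header, the stripping of a client-supplied X-Forwarded-For and the `option httpchk` lines are additions beyond the reply, and the health-check paths (`/wt/` and `/`) are assumptions about what each application answers. Syntax is kept to what haproxy 1.5 (Debian jessie) accepts.

```haproxy
global
    log /dev/log local0
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private
    # Same cipher policy as the ticket; SSLv3 refused on every TLS bind
    ssl-default-bind-ciphers TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:!3DES:@STRENGTH
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option dontlognull
    option http-server-close
    # X-Forwarded-For and X-Original-To for the backends
    option forwardfor
    option originalto
    timeout connect 5s
    timeout client 50s
    timeout server 50s
    retries 3
    option redispatch

frontend public
    bind *:80
    bind *:443 ssl crt /etc/ssl/private/mydomain_com.pem
    # Addition: plain-HTTP visitors are sent to the TLS endpoint
    redirect scheme https code 301 if !{ ssl_fc }
    # Addition: drop any X-Forwarded-For the client sent; option forwardfor
    # appends the real peer address after http-request rules have run
    http-request del-header X-Forwarded-For
    # From the reply: let Wt rebuild its public URLs behind the proxy.
    # set-header overwrites a client-supplied value, so these cannot be spoofed.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Port %[dst_port]
    # Addition: ask browsers to keep using TLS (only on responses that came over TLS)
    http-response set-header Strict-Transport-Security max-age=15768000 if { ssl_fc }
    # Route by path; Wt was started with --deploy-path /wt
    acl is_wt path_beg /wt/
    use_backend wt if is_wt
    default_backend node

backend wt
    # Wt listens on plain HTTP:
    #   ./mywebabb.wt --docroot somedocroot --deploy-path /wt --http-address 127.0.0.1 --http-port 8585
    # A bare "check" is only a TCP connect, which succeeds against a TLS listener too,
    # so a server can show UP while every forwarded request fails. httpchk needs an
    # HTTP answer; the path is an assumption about what Wt serves.
    option httpchk GET /wt/
    server wt1 127.0.0.1:8585 check

backend node
    # Assumed: the Node.js app answers GET / with a 2xx or 3xx
    option httpchk GET /
    server node 127.0.0.1:6503 check
```

Validate with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. Afterwards `curl -sI https://mydomain.com/wt/` should be answered by Wt and `curl -sI https://mydomain.com/` by Node; a request to `http://mydomain.com/` should come back as a 301 to the https URL. If the `wt` backend is reported DOWN after this change, the httpchk path is the first thing to adjust.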

Actions #2

Updated by Koen Deforche over 8 years ago

  • Status changed from Resolved to Closed
  • Target version set to 3.3.6