B4J Question HAProxy for WebApps with SSL - Not a total success until now

hatzisn

Expert
Licensed User
Longtime User
Good evening to all B4Xers,

I am completely lost with HAProxy. I have managed to support an SSL site if the backend is all HTTP local containers (with no SSL application in them), but I have not managed yet to do something like the following. Has someone succeeded in doing this? (All SSLs in the backend are in different servers, whether physical or VPS, and the HTTP single sites are in the local server, one as a container and the other as a physical application.) Can somebody provide me with some information or a link on doing this?

[attached image: 1694035167685.png]
 

hatzisn

Thank you both for your answer.

No matter how long I searched the internet, there is no simple answer as to whether this is even possible. Everyone says something like:

B4X:
backend mybackendname
server my1stServer xxx.xxx.xxx.xxx:443 ssl verify none

I do not understand though, if let's say my frontend answers at https://mysite.com, if I do the above and the server at xxx.xxx.xxx.xxx also has a reverse proxy, how would it be able to divert the request to the right container if it does so. I thought that I had to have different backends and rewrite the Host header when I redirect to each one of them in roundrobin, but then I put my mind together and realized that roundrobin is already in the backend. I searched though for the idea of resetting the Host header and I came to this answer on serverfault.com. I am too exhausted though to try it now... Maybe later.


Maybe the answer is this but I cannot check it now:

B4X:
backend mybackendname
        http-send-name-header Host
        server srv1-ldblnc.mysite.com srv1-ldblnc.mysite.com:443 ssl verify none
 

hatzisn

Nope... This cfg file gives "503 Service Unavailable". This is the configuration file:

YAML:
global
        maxconn     4000
        daemon

defaults
        mode    http
        default-server init-addr last,libc,none
        option  http-keep-alive
        option  redispatch
        retries 3
        timeout connect 10s
        timeout client  1m
        timeout server  1m
        option forwardfor ##      except 127.0.0.0/8

resolvers docker
        parse-resolv-conf

frontend stats
  bind *:8500
  stats enable
  stats uri /
  stats refresh 10s

frontend ft
        bind 0.0.0.0:443 ssl crt /usr/local/etc/haproxy/ha_trial.pem alpn h2,http/1.1
        default_backend bt2

backend bt2
        ## balance roundrobin
        http-send-name-header Host
        server myback.mysite.com myback.mysite.com:443 ssl verify none
 
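For the layout the first post asks about (one TLS-terminating frontend, several sites, plain-HTTP applications on the local host, some in containers and some running directly), here is an added example configuration; it is not the poster's config and not anything from the HAProxy project. Assumed names: the sites app1.mysite.com and app2.mysite.com, a container called app1 listening on 8080, a physical host 192.0.2.10 listening on 8081, and the stats password; the certificate path is the one from the posted config. It also puts a password on the stats page, which the posted config serves on every interface with no authentication at all.

```haproxy
# Added example, not the thread's own config. Assumed: app1.mysite.com / app2.mysite.com,
# container "app1" on port 8080, host 192.0.2.10 on port 8081, and the stats password.
global
    maxconn 4000
    log stdout format raw local0

defaults
    mode http
    log global
    option httplog
    option forwardfor
    option http-keep-alive
    timeout connect 10s
    timeout client  1m
    timeout server  1m

# Resolve container names through the Docker embedded DNS listed in /etc/resolv.conf
resolvers docker
    parse-resolv-conf
    hold valid 10s

# Stats page: password protected, and the port should be published to the Docker
# host only, never to the internet (the posted config had it open on *:8500)
frontend stats
    bind :8500
    stats enable
    stats uri /
    stats refresh 10s
    stats auth admin:CHANGE_ME_placeholder

frontend ft
    bind :80
    bind :443 ssl crt /usr/local/etc/haproxy/ha_trial.pem alpn h2,http/1.1
    # Plain HTTP is redirected to HTTPS; HSTS keeps browsers on HTTPS afterwards
    http-request redirect scheme https unless { ssl_fc }
    http-response set-header Strict-Transport-Security max-age=31536000
    # Tell the HTTP-only apps that the client connection was HTTPS
    http-request set-header X-Forwarded-Proto https
    # Route on the Host header the browser sent (field(1,:) drops any :port suffix)
    acl host_app1 req.hdr(host),field(1,:) -i app1.mysite.com
    acl host_app2 req.hdr(host),field(1,:) -i app2.mysite.com
    use_backend bk_app1 if host_app1
    use_backend bk_app2 if host_app2
    default_backend bk_app1

# Local container, plain HTTP, looked up by name via the docker resolver
backend bk_app1
    server app1 app1:8080 check resolvers docker init-addr last,libc,none

# Application running directly on another machine on the LAN, plain HTTP
backend bk_app2
    server app2 192.0.2.10:8081 check
```

Each site gets its own backend, so there is nothing to rewrite: the request reaches the right application because the frontend chose the backend from the Host header, and roundrobin only comes into play between several servers listed in the same backend.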

hatzisn

Latest info:

1) I run the HAProxy in a container with an external cfg file.
2) What I have mentioned in the previous post is wrong. If you deploy three instances of the image "jmalloc/echo-server:latest" and add them to the queue of serving servers (containers), it works with roundrobin and puts the server myback.mysite.com as down for maintenance. The image "jmalloc/echo-server:latest" is a webapp that displays to you all the headers that were sent to it. It also displays the host, and the new name is written correctly in the diverted request.
3) I tried to set the nameservers in haproxy.cfg. No luck.
4) I executed a shell inside the container and with wget I can connect to the outside world (curl does not exist).

Any thoughts, anyone, cause I am completely dizzy...
 

hatzisn

Latest news...
Maybe I am close to the solution. Cloudflare has moved to the QUIC protocol and HAProxy does not natively support it in the container. I keep researching this.
 

hatzisn

This is exactly the case. If I use another domain that is not QUIC enabled in the encryption protocol of HTTPS, everything works like a charm. I am also curious why on earth it handles the frontend and the backend differently? In the frontend it understands QUIC (? - or is it QUIC between you and Cloudflare, and between Cloudflare and the server a different encryption?), but connecting from the backend is not possible?

So in a nutshell:

1) The HAProxy Docker image is not QUIC enabled - at least the one I have got.
2) Cloudflare has activated QUIC by default as the communication protocol for their stuff and you are not allowed to change it.
3) Cooperation between these two is way off balance and it throws an "SSL Handshake Failure" in your face.
4) In order to fix it, use a provider that does not support the latest communication protocols - OK, for now this is mitigation only and not a solution.
5) The HAProxy site provides a way to recompile HAProxy from GitHub with QUIC support and I will research it later...
 
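For the remote HTTPS origin in the later posts, an added example (not code from the thread or from HAProxy) that puts the posted server line beside a hardened one. Two things about the posted line are worth knowing: HAProxy sends no TLS SNI name to a backend unless the `sni` keyword is on the server line, and `verify none` switches certificate checking off, so the proxy will talk to whatever answers on port 443. Many TLS front ends and CDNs refuse a handshake that carries no SNI, so a missing `sni` is one of the first things to check when an origin returns an "SSL handshake failure". Assumed here: the CA bundle path /etc/ssl/certs/ca-certificates.crt (Debian-based images) and the `docker` resolvers section name; myback.mysite.com is the origin name from the posts.

```haproxy
# Added example, not the thread's own config. Assumes myback.mysite.com is the TLS origin
# from the posts and that the CA bundle is at /etc/ssl/certs/ca-certificates.crt.
defaults
    mode http
    timeout connect 10s
    timeout client  1m
    timeout server  1m

resolvers docker
    parse-resolv-conf
    hold valid 10s

frontend ft
    bind :443 ssl crt /usr/local/etc/haproxy/ha_trial.pem alpn h2,http/1.1
    default_backend bt2

# Weak form, as posted: no SNI is sent to the origin and its certificate is never
# checked, so any host answering on port 443 is accepted.
#backend bt2
#    http-send-name-header Host
#    server myback.mysite.com myback.mysite.com:443 ssl verify none

backend bt2
    # Rewrite the Host header so the reverse proxy on the origin picks the right site
    http-request set-header Host myback.mysite.com
    # sni:             present the origin hostname in the TLS handshake
    # verify required: reject the connection unless the origin certificate chains to the
    #                  CA bundle; the name given in sni is also checked against it
    # check-sni:       send the same name on health checks (sni does not cover them)
    # resolvers:       re-resolve the hostname at runtime through the container DNS
    server origin myback.mysite.com:443 ssl sni str(myback.mysite.com) verify required ca-file /etc/ssl/certs/ca-certificates.crt alpn http/1.1 check check-sni myback.mysite.com resolvers docker
```

If the hardened line marks the server DOWN while the weak one did not, read the health-check status on the stats page: a certificate verification error means the CA bundle is missing from the image or the origin serves a certificate for a different name, while a handshake failure on both forms points at the origin itself rather than at the proxy.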