> This email server does have SSL/TLS activated.

As I expected. Apparently that iRedMail server uses nginx. 
Right now, if you talk to haproxy, it decrypts the traffic and then sends it on 
to nginx in plain text. However, on that port nginx expects encrypted traffic — 
hence your 400 error message.

If you want to configure TLS on the mail server / web server itself, there is 
no need to configure haproxy for TLS at all. 
Switch it to TCP mode and remove the TLS configuration. That way it will just 
hand the still-encrypted traffic over to nginx.




-- 
Daniel Schneller
Principal Cloud Engineer
 
CenterDevice GmbH                  | Hochstraße 11
                                   | 42697 Solingen
tel: +49 1754155711                | Deutschland
daniel.schnel...@centerdevice.de   | www.centerdevice.de

Geschäftsführung: Dr. Patrick Peschlow, Dr. Lukas Pustina,
Michael Rosbach, Handelsregister-Nr.: HRB 18655,
HR-Gericht: Bonn, USt-IdNr.: DE-815299431


> On 12. Jan. 2017, at 14:30, Thierry <lenai...@maelenn.org> wrote:
> 
> Hello Daniel,
> 
> I am not sure I understand.
> I am using iRedMail as my email server.
> This email server does have SSL/TLS activated.
> 
> ******
> 
> server {
>     listen 888 http2;
>     ssl on;                    # legacy form; newer nginx uses "listen 888 ssl http2;"
>     ssl_certificate /etc/ssl/certs/cert.chained.crt;
>     ssl_certificate_key /etc/ssl/private/cert.key;
>     ssl_trusted_certificate /etc/ssl/certs/GandiStandardSSLCA2.pem;   # chain used for OCSP stapling verification
>     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;                              # TLSv1 and TLSv1.1 are obsolete; TLSv1.2 alone is preferable
>     include /etc/nginx/sslciphers.conf;
>     add_header Strict-Transport-Security "max-age=15768000";
>     ssl_prefer_server_ciphers on;
>     ssl_dhparam /etc/ssl/dhparams.pem;
>     ssl_stapling on;
>     ssl_stapling_verify on;
>     resolver 8.8.8.8 8.8.4.4 valid=300s;                              # resolver used for the OCSP responder lookup
>     resolver_timeout 10s;
> }
> 
> *****
> 
> My email client does work well with these certificates, and if I change the NAT 
> on my router, I can reach the email web interface (Sogo) through an HTTPS 
> request.
> Why is it not possible to pass HTTPS traffic from HAProxy to my email server? 
> Will it be the same problem with my web server?
> 
> Thx
> 
> 
> On Thursday, 12 January 2017 at 15:16:57, you wrote:
> 
> 
> Sounds as if you have nginx set up for TLS termination, too.
> This does not make sense, because haproxy will already have decrypted the 
> traffic.
> Make sure nginx does not expect https on what in your config would be 
> ip_email_server:888.
> 
> 
> 
> 
> 
> 
> On 12. Jan. 2017, at 14:14, Thierry <lenai...@maelenn.org> wrote:
> 
> Re: HAproxy / Reverse proxy Debian 
> Hello Daniel,
> 
> I have resolved my problem; HAProxy does start now (SSL OK).
> But when trying to reach my email server, I now get a:
> 
> 400 Bad gateway - The plain HTTP request was sent to HTTPS port - Nginx
> 
> It should not be the case, because 'reqadd x-forwarded-proto:\ https' is 
> supposed to correct this?? And with 'redirect scheme https if !{ ssl_fc }' it 
> should be 100% full HTTPS.
> 
> frontend email-https
>     # haproxy terminates TLS here and forwards plain HTTP to the backend
>     bind *:444 ssl crt /etc/ssl/private/full_certs.crt
>     reqadd X-Forwarded-Proto:\ https
>     default_backend https-email
> 
> backend https-email
>     # only fires for non-TLS requests; everything from the bind above is already TLS
>     redirect scheme https if !{ ssl_fc }
>     # plain HTTP is sent to a port where nginx expects TLS
>     server email_hostname ip_email_server:888
> 
> Thx
> 
> 
> 
> 
> 
> On Thursday, 12 January 2017 at 14:44:19, you wrote:
> 
> 
> Re-adding the list.
> 
> And:
> 
> 
> Do I have to "cat file.key file.crt file.pem > certi.chained.crt" ??
> 
> Yes. Though I am not sure what file.crt and file.pem are :)
> 
> 
> 
> 
> 
> Cheers,
> Daniel
> 
> 
> 
> 
> 
> On 12. Jan. 2017, at 13:27, Thierry <lenai...@maelenn.org> wrote:
> 
> Hi,
> 
> You are right, I am using v1.7.1-1 on Debian.
> I do have a paid SSL certificate (.key, .crt, .pem). They are all in a 
> non-world-readable folder.
> Do I have to "cat file.key file.crt file.pem > certi.chained.crt"??
> 
> Thx
> 
> 
> Thierry,
> 
> It always helps to know the haproxy version you use.
> As for your error message, do you have the private key, your site’s
> certificate and all necessary chain certificates in the crt files you 
> reference in your config?
> 
> IIRC they need to be in the order 
> 
> 1. key
> 2. site cert (“leaf”)
> 3. intermediates
> 
> Make sure to have these files not world-readable as they contain secret 
> crypto material.
> 
> HTH,
> Daniel
> 
> 
> 
> 
> 
> 
> 
> -- 
> Regards,
> Thierry                            e-mail : lenai...@maelenn.org
> 

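Added example, not taken from any message in this thread: a haproxy configuration showing both ways out of the nginx 400 discussed above. Section (A) is the TCP passthrough Daniel recommends, where haproxy never decrypts and so holds no private key. Section (B) is an alternative the thread does not discuss: haproxy terminates TLS and re-encrypts towards nginx, so port 888 still receives TLS and haproxy verifies the backend certificate. The hostname mail.example.org, the address 192.0.2.10, the ports 80/443/444, the certificate bundle path and the CA bundle path are assumed placeholders. `http-request set-header` is used instead of the older `reqadd` seen above; both exist in haproxy 1.7.

```haproxy
# Added example (not from the thread). All names, addresses and paths are placeholders.

global
    # TLS policy for haproxy's own terminating binds (only section B uses one)
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL

defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# (A) TCP passthrough: haproxy forwards the still-encrypted stream untouched.
#     nginx keeps its own ssl_certificate/ssl_certificate_key, cipher list,
#     HSTS header and OCSP stapling on :888. haproxy needs no certificate here.
frontend email-tls-passthrough
    bind *:444
    mode tcp
    option tcplog
    # Hold the connection until the ClientHello arrives so the SNI can be read.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend tcp-email if { req.ssl_sni -i mail.example.org }
    default_backend tcp-email

backend tcp-email
    mode tcp
    # No "redirect scheme" and no X-Forwarded-* here: in tcp mode haproxy
    # sees no HTTP at all, only opaque TLS records.
    server email_hostname 192.0.2.10:888 check

# (B) TLS termination at haproxy, then re-encryption to nginx.
#     haproxy needs the key + leaf + intermediates bundle (root-owned, mode 0600).
#     It can inspect and add headers, and opens a fresh TLS session to :888.
frontend email-http-redirect
    bind *:80
    mode http
    # A plain-HTTP bind is where an https redirect belongs. Inside a backend
    # that is only reachable through a TLS bind, "if !{ ssl_fc }" never matches.
    http-request redirect scheme https code 301

frontend email-https
    bind *:443 ssl crt /etc/haproxy/certs/full_certs.pem
    mode http
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    default_backend https-email

backend https-email
    mode http
    # nginx on :888 still expects TLS, so send TLS. "verify required" with a
    # ca-file (Debian's system bundle assumed) plus verifyhost makes haproxy
    # reject a backend whose certificate does not validate for that name.
    server email_hostname 192.0.2.10:888 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(mail.example.org) verifyhost mail.example.org check
```

Pick one section, not both, for a given listening port. (A) is the smaller attack surface because the private key lives only on the nginx host and haproxy cannot log or alter request contents; (B) is what you need if haproxy must route on URL or add headers, at the cost of a second copy of the key, which must stay readable by root only, as Daniel noted earlier in the thread.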