Hi,

It was the missing 'ssl' from the server line, so thank you very much!
I've made all of the other changes suggested too and have almost recovered from the embarrassment over the password :-)

Thanks again, HAProxy is totally awesome.

Steven

On 18 December 2012 07:30, Willy Tarreau <[email protected]> wrote:

> Hi Steven,
>
> First, a few comments below :
>
> > option httplog
> > option dontlognull
> > option forwardfor
> > option http-server-close
> > option httpclose
>
> You can remove httpclose above, there is already http-server-close,
> and having the two results in close for all connections.
>
> > stats enable
> >
> > stats auth admin:XXXXXXXX
>
> You can use encrypted passwords above instead of accidentally sharing
> them with the world :-) (I have replaced it with XXXXX but that's too
> late). Also it generally isn't a good idea to put the stats in the
> defaults section because it's inherited by all instances.
>
> > When I connect to the oauth url I get the following in a browser:
> >
> > Dec 17 16:26:23 happywebn1 haproxy[22465]: 10.116.49.52:17384[17/Dec/2012:16:26:21.893] https~ layer7/qa-layer7.alfresco.pri 1328/0/1/-1/1330 502 545 - - PH-- 12/11/0/0/0 0/0 "GET /auth/oauth/versions/2/authorize?client_id=32527f06-1acd-488c-a844-036629e91127&redirect_uri=http%3A%2F%2Flocalhost%3A8181%2Foauthsample%2Fmycallback.html&scope=public_api&response_type=code HTTP/1.1"
> >
> > From running haproxy in foreground debug mode I can see that the request
> > gets sent OK to the layer7 server.
>
> Yes, the "H" in "PH" flags means that the request was sent to the server
> and that haproxy is waiting for the server to respond. The "P" means the
> response was rejected by haproxy, most likely because it does not conform
> to the HTTP standard.
>
> You should set up the stats socket in the global section and connect to it
> using socat, it's very likely that you'll find the problem there :
>
>     $ echo show errors | socat /var/run/haproxy.stat -
>
> > The layer7 server wasn't setup by me and was configured with a self signed
> > cert for some reason. I suspect this may be causing the issues. For example
> > when I do a curl I have to specify -insecure in order for the GET request
> > to work.
>
> No, this is unrelated because haproxy by default does not check server
> certs, it only does so when there is the "ca-file" keyword on the line
> with a path to the CA used to validate the server cert.
>
> However there is something that I think is a good reason : you seem to mean
> that the server presents a certificate but you connect to it in HTTP, not
> HTTPS :
>
>     backend layer7
>         server qa-layer7.company.pri qa-layer7.company.pri:8443 check inter 5000
>
> Thus I think that the server returns something in response to the HTTP
> request that is more of an SSL handshake that is blocked by haproxy.
>
> You should add "ssl" at the end of the line to tell it to re-encrypt
> traffic when going to this server.
>
> > Is there a way to provide haproxy with a cert to use for the backend?
>
> yes with "ca-file".
>
> > Or, a way to tell it to ignore SSL errors?
>
> it is the default case.
>
> Regards,
> Willy
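The termination flags discussed in the thread can be picked out of httplog lines automatically. The following is an added example, not part of the original messages and not HAProxy's own code: it parses the httplog fields and reports requests that ended in "PH" with no response time recorded, the pattern seen here when the server line lacked "ssl". The sample lines, hostnames and function names are constructed for illustration.

```python
import re

# Field layout of an "option httplog" line, as in the log entry quoted in the thread.
HTTPLOG = re.compile(
    r'haproxy\[\d+\]:\s+(?P<client>\S+?)\s*\[(?P<date>[^\]]+)\]\s+'
    r'(?P<frontend>\S+)\s+(?P<backend>[^/\s]+)/(?P<server>\S+)\s+'
    r'(?P<timers>-?\d+(?:/-?\d+){4})\s+(?P<status>\d{3})\s+(?P<bytes>\d+)\s+'
    r'\S+\s+\S+\s+(?P<term>[\w-]{4})\s')

# First termination flag: who ended the session. Second: what haproxy was doing.
CAUSE = {"P": "aborted by the proxy", "S": "aborted by the server",
         "C": "aborted by the client", "s": "server-side timeout",
         "c": "client-side timeout", "-": "normal completion"}
STATE = {"R": "waiting for the client request", "C": "connecting to the server",
         "H": "waiting for valid response headers", "D": "transferring data",
         "Q": "waiting in queue", "-": "normal completion"}

def diagnose(line):
    """Parse one httplog line; return None if it is not in that format."""
    m = HTTPLOG.search(line)
    if not m:
        return None
    term = m["term"]
    tr = int(m["timers"].split("/")[3])  # Tr is -1 when no full response headers arrived
    return {"server": m["backend"] + "/" + m["server"], "status": int(m["status"]),
            "term": term, "cause": CAUSE.get(term[0], "other"),
            "state": STATE.get(term[1], "other"),
            # PH with Tr=-1: haproxy rejected what the server sent back
            "rejected_response": term.startswith("PH") and tr == -1}

# Constructed sample lines (hostnames and addresses are placeholders).
SAMPLE = [
    'Dec 17 16:26:23 lb1 haproxy[22465]: 10.0.0.52:17384[17/Dec/2012:16:26:21.893] '
    'https~ layer7/app1.example.test 1328/0/1/-1/1330 502 545 - - PH-- '
    '12/11/0/0/0 0/0 "GET /auth/authorize HTTP/1.1"',
    'Dec 17 16:27:02 lb1 haproxy[22465]: 10.0.0.52:17390 [17/Dec/2012:16:27:02.101] '
    'https~ layer7/app1.example.test 12/0/1/35/48 200 1830 - - ---- '
    '12/11/0/0/0 0/0 "GET /auth/authorize HTTP/1.1"',
]

def rejected(lines):
    """Return findings for requests whose server response haproxy rejected."""
    found = (diagnose(l) for l in lines)
    return [f for f in found if f and f["rejected_response"]]

if __name__ == "__main__":
    for f in rejected(SAMPLE):
        print(f["server"], f["status"], f["term"], "-", f["cause"], "while", f["state"])
```

For any server this reports, "show errors" on the stats socket shows the captured response that was rejected.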

