I think this is the issue in the mode http frontend:

req_ssl_hello_type : integer (deprecated)
this will not work with "bind" lines having the "ssl"

Patrick Hemmer schreef op 14-2-2014 22:34:
You haven't told it to use SSL when talking to the servers listening on :4443. By default haproxy is going to use non-SSL TCP.

Add the `ssl` option to both of your `server` parameters.



*From: *m...@hawknetdesigns.com
*Sent: * 2014-02-14 16:21:02 E
*To: *haproxy@formilux.org
*Subject: *SSL load-balancing across multiple HAProxy instances

Hi all,

I'm working on a load-balanced instance using HAProxy, Varnish, and back-end web servers.

I've successfully tested the new SSL termination feature using dev build 1.5-dev22-1a34d57 2014/02/03, and it works well, however, I want to load-balance the SSL terminal feature across more than 1 HAProxy instance like so:

Main HAProxy instance on, secondary on

Varnish servers on and

Previously, I was terminating SSL on the single active HAProxy (, and speaking HTTP to the Varnish back-ends. This works well.

What I'd like to do is

Request comes in to HAProxy on port 443. Request is then load balanced to the two HAProxy servers in tcp mode to and - maintaining SSL mode until it terminates at port 4443.

An example config (just the relevant sections) would be this:

listen ssl_relay
        mode tcp
        option socket-stats
        #option ssl-hello-chk
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }
        tcp-request content accept if { req_ssl_hello_type 1 }
        default_backend test

frontend incoming
        mode http
        log global
        option forwardfor
bind no-sslv3 ssl crt /certs/haproxy.pem crt /certs/ ciphers RC4-SHA:AES128-SHA:AES256-SHA
        mode http
        log global
        option forwardfor
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }

    backend test
        mode tcp
        balance roundrobin
        # maximum SSL session ID length is 32 bytes.
        stick-table type binary len 32 size 30k expire 30m

        acl clienthello req_ssl_hello_type 1
        acl serverhello rep_ssl_hello_type 2

# use tcp content accepts to detects ssl client and server hello.
        tcp-request inspect-delay 5s
        tcp-request content accept if clienthello

        # no timeout on response inspect delay by default.
        tcp-response content accept if serverhello

# SSL session ID (SSLID) may be present on a client or server hello. # Its length is coded on 1 byte at offset 43 and its value starts
        # at offset 44.

        # Match and learn on request if client hello.
        stick on payload_lv(43,1) if clienthello

        # Learn on response if server hello.
        stick store-response payload_lv(43,1) if serverhello

        server test1
        server test2

http works, and I receive requests on port 443, but this is all I get from the HAProxy log:

00000000:ssl_relay.accept(0006)=0009 from []

It appears that HAProxy is not speaking or passing through SSL to the frontend on port 4443.

curl -i
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

So... what am I missing?


Reply via email to