Hi,

> #=== HAProxy 1 =====
>
> frontend h1
> mode tcp
> bind 10.10.10.241:443 name example ssl crt /etc/haproxy/keys/haproxy1.pem verify required ca-file /etc/haproxy/keys/rootCA.pem
> default_backend b1
>
> backend b1
> server haproxy2 10.10.10.242:443 ssl verify required ca-file /etc/haproxy/keys/rootCA.pem send-proxy
>
>
> #=== HAProxy 2 =====
>
> frontend h2
> mode tcp
> bind 10.10.10.242:443 name example1 ssl crt /etc/haproxy/keys/haproxy2.pem verify required ca-file /etc/haproxy/keys/rootCA.pem accept-proxy
> default_backend b
>
> backend b
> server server1 10.10.10.243:10001 send-proxy
>
>
> After experimenting a little more, I found it does work if I turn off
> mutual authentication between the servers (i.e. change bind
> 172.18.154.242:443 to verify none).

You mean bind 10.10.10.242:443 in your example, right?

I think your SSL configuration is simply wrong, and accept/send proxy
doesn't matter at all.

You are requiring a certificate based authentication from the *client*
on HAproxy 2 but did not specify any certificate on HAProxy 1 for this
matter.

The verify keyword on the bind line means that the *client provided
certificate* is validated, while on the server line it means that the
server provided certificate is verified.

Usually you only want the latter; if you also want the former, then
configure the client (HAProxy 1) with a proper certificate for this.



Regards,

Lukas

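As an added example (not part of Lukas's reply or the original poster's configuration), here is the pair of configurations with the change he describes: the server line in HAProxy 1's backend gets a `crt`, so HAProxy 1 presents a client certificate when HAProxy 2's bind line asks for one. The addresses and file names are the original poster's. It assumes that haproxy1.pem is a concatenated certificate and key issued by rootCA.pem (so HAProxy 2 can validate it against the same ca-file), and that no `defaults` section sets the mode, which is why `mode tcp` is repeated in the backends.

```haproxy
#=== HAProxy 1 =====
# Added example: the poster's configuration plus a client certificate on
# the server line, as suggested in the reply above.

frontend h1
    mode tcp
    # verify required on a bind line: HAProxy 1 demands and validates a
    # certificate from *its own clients* against rootCA.pem.
    bind 10.10.10.241:443 name example ssl crt /etc/haproxy/keys/haproxy1.pem verify required ca-file /etc/haproxy/keys/rootCA.pem
    default_backend b1

backend b1
    mode tcp
    # verify required on a server line: HAProxy 1 validates the certificate
    # HAProxy 2 presents against rootCA.pem.
    # crt on a server line: the certificate HAProxy 1 sends when HAProxy 2
    # requests one. Assumption: haproxy1.pem (cert + key) is issued by rootCA.pem.
    server haproxy2 10.10.10.242:443 ssl crt /etc/haproxy/keys/haproxy1.pem verify required ca-file /etc/haproxy/keys/rootCA.pem send-proxy

#=== HAProxy 2 =====

frontend h2
    mode tcp
    # accept-proxy reads the PROXY header before the TLS handshake starts;
    # verify required then demands the client certificate HAProxy 1 now sends.
    # Without the crt above, this handshake fails and the PROXY keywords
    # never come into play.
    bind 10.10.10.242:443 name example1 ssl crt /etc/haproxy/keys/haproxy2.pem verify required ca-file /etc/haproxy/keys/rootCA.pem accept-proxy
    default_backend b

backend b
    mode tcp
    server server1 10.10.10.243:10001 send-proxy
```

Check each file with `haproxy -c -f <file>` before reloading. Note that a direct probe with `openssl s_client` against 10.10.10.242:443 will not work here regardless of certificates, because `accept-proxy` makes HAProxy 2 expect a PROXY header before the ClientHello; test through HAProxy 1 instead, and look in HAProxy 2's log for handshake failures if the connection is still refused.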