On Thu, Nov 20, 2014 at 9:27 AM, Michael W Walker <miwal...@us.ibm.com> wrote:
> Hi,
>
> The conf file below is working with our application and I'm assuming I'm
> using SSL Termination at the proxy server correctly. But I'm not sure
> about the check statement in the backend definition where I define the
> servers. If I take out the "check ssl" parameter or use just "check" or
> "check port" I get a 502 Bad Gateway error. If I leave in the "check ssl"
> but don't include the "ssl-server-verify none" in the global section I get
> an error about no CA file specified. I don't think I should have to
> specify "check ssl" in the backend definition and it looks like
> "ssl-server-verify none" is just canceling it out. But adding those in
> seems to be the only way I can get it to work. I googled the 502 Bad
> Gateway and no CA file specified errors, but wasn't able to find useful
> info.
>
> Is there something obvious I'm missing here to get it to work without the
> "check ssl", or is it ok to leave this in? Thanks, We're currently using
> haproxy 1.5.6.
>
> global
>     log 127.0.0.1 local0
>     tune.ssl.default-dh-param 2048
>     maxconn 4000
>     ssl-server-verify none
>     daemon
>
> defaults
>     log global
>     mode http
>     option httplog
>     option dontlognull
>     retries 3
>     option redispatch
>     timeout server 5s
>     timeout connect 5s
>     timeout client 5s
>     stats enable
>     stats refresh 10s
>     stats uri /stats
>
> frontend UCD_Frontend
>     bind *:8080
>     bind *:8444 ssl crt /etc/SSLCerts/jsoc71cert.pem
>     mode http
>     reqadd X-Forwarded-Proto:\ https
>     default_backend UCD_Servers
>
> backend UCD_Servers
>     mode http
>     stick-table type ip size 200k expire 30m
>     stick on src
>     default-server inter 1s
>     option httpclose
>     option redispatch
>     retries 15
>     balance roundrobin
>     server jsoc70 9.30.71.70:8445 check ssl
>     server jsoc80 9.30.71.80:8443 check ssl
>
>
> *Michael Walker*
> CLM Certified
> miwal...@us.ibm.com
> 408-463-5023
> Team Member
> IM DevOps Enablement
> Need help with DevOps?
> https://ibm.biz/IMDevOpsCoC
>
>

Hi Michael,

In your email, you speak about "check ssl" as a single parameter, while they are 2 different ones. Although, a check-ssl parameter exists.

Something not obvious as well is: when do the 502 errors occur? Is that for health checks or when browsing the application?

Baptiste
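
Added example, not part of the thread and not either poster's configuration: the backend from the quoted message with each server keyword annotated, and with certificate verification turned on per server instead of disabled globally. The `ca-file` path is a placeholder and assumes the backends' issuing CA certificate has been exported to that file.

```haproxy
global
    log 127.0.0.1 local0
    tune.ssl.default-dh-param 2048
    maxconn 4000
    daemon
    # "ssl-server-verify none" is deliberately absent here. Without it the
    # default for every "ssl" server line is "verify required", which is why
    # HAProxy refuses to start until a CA file is supplied.

backend UCD_Servers
    mode http
    balance roundrobin
    default-server inter 1s

    # Independent keywords on each server line:
    #   ssl              HAProxy speaks TLS to this server for proxied traffic;
    #                    health checks follow the same channel by default.
    #   verify required  reject the server if its certificate does not chain
    #                    to the CA below (verify none skips this, per server).
    #   ca-file <path>   CA bundle used for that verification
    #                    (placeholder path, assumption).
    #   check            enable health checks for this server.
    server jsoc70 9.30.71.70:8445 ssl verify required ca-file /etc/SSLCerts/backend-ca.pem check
    server jsoc80 9.30.71.80:8443 ssl verify required ca-file /etc/SSLCerts/backend-ca.pem check

    # "check-ssl" (one word, with a hyphen) is a third, separate keyword: it
    # forces health checks over TLS even when the server line has no "ssl",
    # i.e. when proxied traffic itself is sent in clear text.
    #
    # "verify required" validates the chain only. The "verifyhost <name>"
    # server keyword additionally matches the certificate's name; the name to
    # use is site-specific and is not given in the thread.
```

`haproxy -c -f <config file>` parses the file and reports a missing or unreadable CA file before the running instance is reloaded.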