On Thu, Nov 20, 2014 at 9:27 AM, Michael W Walker <miwal...@us.ibm.com>
wrote:

> Hi,
>
> The conf file below is working with our application and I'm assuming I'm
> using SSL Termination at the proxy server correctly.  But I'm not sure
> about the check statement in the backend definition where I define the
> servers.  If I take out the "check ssl" parameter or use just "check" or
> "check port" I get a 502 Bad Gateway error. If I leave in the "check ssl"
> but don't include the "ssl-server-verify none" in the global section I get
> an error about no CA file specified.  I don't think I should have to
> specify "check ssl" in the backend definition and it looks like
> "ssl-server-verify none" is just canceling it out.  But adding those in
> seems to be the only way I can get it to work.  I googled the 502 Bad
> Gateway and no CA file specified errors, but wasn't able to find useful
> info.
>
> Is there something obvious I'm missing here to get it to work without the
> "check ssl", or is it ok to leave this in?  Thanks. We're currently using
> haproxy 1.5.6.
>
> global
>   log 127.0.0.1 local0
>   tune.ssl.default-dh-param 2048
>   maxconn 4000
>   ssl-server-verify none
>   daemon
>
> defaults
>   log     global
>   mode    http
>   option  httplog
>   option  dontlognull
>   retries 3
>   option  redispatch
>   timeout server 5s
>   timeout connect 5s
>   timeout client 5s
>   stats enable
>   stats refresh 10s
>   stats uri /stats
>
> frontend UCD_Frontend
>   bind *:8080
>   bind *:8444 ssl crt /etc/SSLCerts/jsoc71cert.pem
>   mode http
>   reqadd X-Forwarded-Proto:\ https
>   default_backend UCD_Servers
>
> backend UCD_Servers
>   mode http
>   stick-table type ip size 200k expire 30m
>   stick on src
>   default-server inter 1s
>   option httpclose
>   option redispatch
>   retries 15
>   balance roundrobin
>   server jsoc70 9.30.71.70:8445 check ssl
>   server jsoc80 9.30.71.80:8443 check ssl
>
>
>  *Michael Walker*
> CLM Certified
> miwal...@us.ibm.com
> 408-463-5023
> Team Member
> IM DevOps Enablement
> Need help with DevOps?  https://ibm.biz/IMDevOpsCoC
>
>
Hi Michael,

In your email, you speak about "check ssl" as a single parameter, while
they are 2 different ones.
Although, a check-ssl parameter exists.
Something not obvious as well is when the 502 errors occur. Is that
during health checks or when browsing the application?

Baptiste
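
The two keywords discussed in this thread, laid out as an added configuration sketch (not part of either message, and not a tested replacement for the posted file). Server names and addresses are copied from the posted config; the CA bundle path is a placeholder, and it is an assumption that the backends on 8445/8443 present certificates issued by that CA.

```haproxy
# Added example. "check" and "ssl" are independent server keywords:
#   check     - enable health checks for this server
#   ssl       - use TLS for connections to this server; health checks
#               on the same address/port then run over TLS as well
#   check-ssl - force TLS for health checks only, regardless of whether
#               normal traffic to the server uses "ssl"

# As posted: TLS to the backends, with server certificate verification
# switched off for every server by the global default.
#
#   global
#     ssl-server-verify none
#
#   backend UCD_Servers
#     server jsoc70 9.30.71.70:8445 check ssl
#     server jsoc80 9.30.71.80:8443 check ssl
#
# Without "ssl-server-verify none" the default is "required", and a
# server line using "ssl" must then name a CA to verify against. That
# is the source of the "no CA file specified" error.

# Verifying variant: remove "ssl-server-verify none" from global and
# state the verification policy on each server line.
backend UCD_Servers
  mode http
  balance roundrobin
  default-server inter 1s
  # PLACEHOLDER path: PEM bundle holding the CA that signed the
  # backend certificates.
  server jsoc70 9.30.71.70:8445 check ssl verify required ca-file /etc/haproxy/PLACEHOLDER-backend-ca.pem
  server jsoc80 9.30.71.80:8443 check ssl verify required ca-file /etc/haproxy/PLACEHOLDER-backend-ca.pem
```

With "verify none" (per server or via the global default) the proxy-to-backend hop is encrypted but the backend's identity is not authenticated; "verify required" with a ca-file closes that gap.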
