Matthew Cox schreef op 15-6-2015 om 20:05:
Hello,

I've been trying to diagnose an odd issue with HAProxy (1.5.x) statistics and SSL. I'm seeing clients having problems with the SSL negotiation. When digging with openssl, there seems to be a clear text http 1.x response which causes the negotiation to fail:

$ openssl s_client -debug -connect lb.com:44300
CONNECTED(00000003)
write to 0x7f96a3504c70 [0x7f96a3804200] (130 bytes => 130 (0x82))
0000 - 80 80 01 03 01 00 57 00-00 00 20 00 00 39 00 00   ......W... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 9a 00 00 99 00   ..3..2../.......
0030 - 00 96 03 00 80 00 00 05-00 00 04 01 00 80 00 00   ................
0040 - 15 00 00 12 00 00 09 06-00 40 00 00 14 00 00 11   .........@......
0050 - 00 00 08 00 00 06 04 00-80 00 00 03 02 00 80 00   ................
0060 - 00 ff 79 2a 0a d7 d8 37-c8 50 b6 f7 c3 8e ce 96   ..y*...7.P......
0070 - cf 2b d9 b8 92 c5 6f 1f-74 7f c0 d1 22 46 71 7a   .+....o.t..."Fqz
0080 - e2 b4                                             ..
read from 0x7f96a3504c70 [0x7f96a3809800] (7 bytes => 7 (0x7))
0000 - 48 54 54 50 2f 31 2e                              HTTP/1.
1371:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/ssl/s23_clnt.c:618:

$ telnet lb.com 44300
Trying X.X.X.X...
Connected to X.X.X.X.
Escape character is '^]'.
GET /
HTTP/1.0 403 Forbidden
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>


The proxy log doesn't have anything that helps me understand what's going on:


Jun 15 16:47:44 lb.com haproxy[430]: X.X.X.X:55877 [15/Jun/2015:16:47:44.967] stats stats/<NOSRV> -1/-1/-1/-1/0 400 187 - - PR-- 0/0/0/0/3 0/0 "<BADREQ>"


The pertinent configuration sections are:


global
    log 127.0.0.1 local1 info
    maxconn 10240
    chroot /usr/share/haproxy
    user haproxy
    group haproxy
    daemon

# local stats sockets for read access - change "operator" to "admin" for r/w
    stats socket /var/run/haproxy/haproxy.sock mode 0600 level operator

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    # Set global SSL bind options
ssl-default-bind-options no-sslv3 no-tls-tickets

tune.ssl.default-dh-param 2048

    ssl-server-verify none

defaults
    log       global
    mode      http
    option    httplog
    option    dontlognull
    retries   3
    option    redispatch
    maxconn   10240

    # Mime types from here:
# http://blogs.alfresco.com/wp/developer/2013/11/13/haproxy-for-alfresco/
    # and here
    # http://serverfault.com/questions/575744/nginx-mime-types-and-gzip
    compression algo gzip
compression type text/plain text/html text/html;charset=utf-8 text/css text/javascript application/json

listen stats :44300
Remove the port like:
listen stats
bind *:44300 ssl crt /etc/ssl/private/the.pem.withkey.pem
    mode http
    http-request deny if !{ ssl_fc }
    stats enable
    stats refresh 5s
    stats uri /stats
    stats realm "proxies"
    stats show-node
    stats show-legends
    option httplog
    option contstats
    acl auth_ok_stats http_auth(users_stats)
    http-request auth if !auth_ok_stats


Does anyone have any insight?

Thank you in advance,
Matt


Reply via email to