Hi list,

I want to LB an https backend (Layer 4 LB), but I have a lot of NOSRV errors in the log:
Oct 5 15:09:38 localhost haproxy[13839]: 10.250.0.4:43318 [05/Oct/2015:15:09:38.486] fe_pp-portail-https be_pp-xctl-https/<NOSRV> -1/-1/0 0 -- 0/0/0/0/3 0/0
Oct 5 15:09:43 localhost haproxy[13839]: 10.250.0.4:44851 [05/Oct/2015:15:09:43.642] fe_pp-portail-https be_pp-xctl-https/<NOSRV> -1/-1/0 0 -- 0/0/0/0/3 0/0
Oct 5 15:09:48 localhost haproxy[13839]: 10.250.0.4:29479 [05/Oct/2015:15:09:48.761] fe_pp-portail-https be_pp-xctl-https/<NOSRV> -1/-1/0 0 -- 0/0/0/0/3 0/0
Oct 5 15:09:53 localhost haproxy[13839]: 10.250.0.4:53748 [05/Oct/2015:15:09:53.790] fe_pp-portail-https be_pp-xctl-https/<NOSRV> -1/-1/0 0 -- 0/0/0/0/3 0/0
Oct 5 15:09:58 localhost haproxy[13839]: 10.250.0.4:44828 [05/Oct/2015:15:09:58.847] fe_pp-portail-https be_pp-xctl-https/<NOSRV> -1/-1/0 0 -- 0/0/0/0/3 0/0
Oct 5 15:10:03 localhost haproxy[13839]: 10.250.0.4:51021 [05/Oct/2015:15:10:03.937] fe_pp-portail-https be_pp-xctl-https/<NOSRV> -1/-1/0 0 -- 0/0/0/0/3 0/0
Oct 5 15:10:08 localhost haproxy[13839]: 10.250.0.4:21815 [05/Oct/2015:15:10:08.925] fe_pp-portail-https be_pp-xctl-https/<NOSRV> -1/-1/0 0 -- 0/0/0/0/3 0/0
Oct 5 15:10:13 localhost haproxy[13839]: 10.250.0.4:57069 [05/Oct/2015:15:10:13.902] fe_pp-portail-https be_pp-xctl-https/<NOSRV> -1/-1/0 0 -- 0/0/0/0/3 0/0
Oct 5 15:10:18 localhost haproxy[13839]: 10.250.0.4:42239 [05/Oct/2015:15:10:18.873] fe_pp-portail-https be_pp-xctl-https/<NOSRV> -1/-1/0 0 -- 0/0/0/0/3 0/0
Oct 5 15:10:23 localhost haproxy[13839]: 10.250.0.4:65477 [05/Oct/2015:15:10:23.893] fe_pp-portail-https be_pp-xctl-https/<NOSRV> -1/-1/0 0 -- 0/0/0/0/3 0/0
Oct 5 15:10:28 localhost haproxy[13839]: 10.250.0.4:51091 [05/Oct/2015:15:10:28.860] fe_pp-portail-https be_pp-xctl-https/<NOSRV> -1/-1/0 0 -- 0/0/0/0/3 0/0

Here is my configuration (works well with http):

global
    log 127.0.0.1 local4
    maxconn 65535
    user haproxy
    group haproxy
    daemon
    stats socket /var/lib/haproxy/stats user haproxy group haproxy
    ssl-server-verify none
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
    tune.ssl.default-dh-param 2048

defaults
    log global
    mode tcp
    option tcplog
    option contstats # Enable continuous traffic Statistics updates
    option redispatch
    timeout client 2h #alctl: client inactivity timeout
    maxconn 15000
    timeout client-fin 1m # When connection are close on one side only
    timeout server 60s
    timeout connect 60s
    timeout tunnel 2h # Set the maximum inactivity time on the client and server side for tunnels.
    default-server inter 2s fall 3 rise 2 on-marked-down shutdown-sessions

frontend fe_pp-portail-http
    bind 10.250.0.48:80
    default_backend be_pp-xctl-http

frontend fe_pp-portail-https
    bind 10.250.0.48:443
    default_backend be_pp-xctl-https

backend be_pp-xctl-http
    balance source
    server pp-xctl01002-http 172.21.12.8:80

backend be_pp-xctl-https
    balance source
    server pp-xctl01002-https 172.21.12.8:443

I get the certificate on my server if I use openssl s_client.

Regards,
------------------------
Kevin
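
An added example, not part of the original post: a parser for the "option tcplog" lines shown above that groups <NOSRV> entries per client and backend and reports how many there are, whether any bytes were returned, whether a server connection was ever established (Tc = -1 means it was not), and the interval between hits. The function names are hypothetical; the sample lines are three entries from the post, each rejoined onto one line.

```python
import re
from datetime import datetime
from statistics import median

# HAProxy "option tcplog" layout (the syslog prefix is skipped by regex search):
# client:port [accept_date] frontend backend/server Tw/Tc/Tt bytes state ac/fc/bc/sc/rc sq/bq
TCPLOG = re.compile(
    r"(?P<ip>[\d.]+):(?P<port>\d+) \[(?P<ts>[^\]]+)\] (?P<fe>\S+) "
    r"(?P<be>[^/\s]+)/(?P<srv>\S+) (?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tt>\+?-?\d+) "
    r"(?P<bytes>\+?\d+) (?P<state>\S{2}) "
    r"(?P<ac>\d+)/(?P<fc>\d+)/(?P<bc>\d+)/(?P<sc>\d+)/(?P<rc>\+?\d+) (?P<sq>\d+)/(?P<bq>\d+)"
)

# Three entries taken from the post, rejoined onto one line each.
SAMPLE = """\
Oct 5 15:09:38 localhost haproxy[13839]: 10.250.0.4:43318 [05/Oct/2015:15:09:38.486] fe_pp-portail-https be_pp-xctl-https/<NOSRV> -1/-1/0 0 -- 0/0/0/0/3 0/0
Oct 5 15:09:43 localhost haproxy[13839]: 10.250.0.4:44851 [05/Oct/2015:15:09:43.642] fe_pp-portail-https be_pp-xctl-https/<NOSRV> -1/-1/0 0 -- 0/0/0/0/3 0/0
Oct 5 15:09:48 localhost haproxy[13839]: 10.250.0.4:29479 [05/Oct/2015:15:09:48.761] fe_pp-portail-https be_pp-xctl-https/<NOSRV> -1/-1/0 0 -- 0/0/0/0/3 0/0
"""

def parse(line):
    """Return the tcplog fields of one line as a dict, or None if it does not match."""
    m = TCPLOG.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S.%f")
    for key in ("tw", "tc", "tt", "bytes", "rc"):
        rec[key] = int(rec[key])
    return rec

def nosrv_summary(text):
    """Group <NOSRV> entries by (client IP, backend) and summarise each group."""
    groups = {}
    for rec in filter(None, map(parse, text.splitlines())):
        if rec["srv"] == "<NOSRV>":
            groups.setdefault((rec["ip"], rec["be"]), []).append(rec)
    out = {}
    for key, recs in groups.items():
        times = sorted(r["ts"] for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        out[key] = {
            "count": len(recs),
            "all_zero_bytes": all(r["bytes"] == 0 for r in recs),
            "never_connected": all(r["tc"] == -1 for r in recs),
            "median_gap_s": round(median(gaps), 1) if gaps else None,
            "states": sorted({r["state"] for r in recs}),
        }
    return out
```
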