Hi, (comments inline)
On 10/05/2015 03:23 PM, Kevin COUSIN wrote:
> Hi list
>
> I want to LB an https backend (Layer 4 LB), but I have a lot of NOSRV errors
> in log :
>
> Oct 5 15:09:38 localhost haproxy[13839]: 10.250.0.4:43318 [05/Oct/2015:15:09:38.486] fe_pp-portail-https be_pp-xctl-https/<NOSRV> -1/-1/0 0 -- 0/0/0/0/3 0/0
> Oct 5 15:09:43 localhost haproxy[13839]: 10.250.0.4:44851 [05/Oct/2015:15:09:43.642] fe_pp-portail-https be_pp-xctl-https/<NOSRV> -1/-1/0 0 -- 0/0/0/0/3 0/0
> Oct 5 15:09:48 localhost haproxy[13839]: 10.250.0.4:29479 [05/Oct/2015:15:09:48.761] fe_pp-portail-https be_pp-xctl-https/<NOSRV> -1/-1/0 0 -- 0/0/0/0/3 0/0
> Oct 5 15:09:53 localhost haproxy[13839]: 10.250.0.4:53748 [05/Oct/2015:15:09:53.790] fe_pp-portail-https be_pp-xctl-https/<NOSRV> -1/-1/0 0 -- 0/0/0/0/3 0/0
> Oct 5 15:09:58 localhost haproxy[13839]: 10.250.0.4:44828 [05/Oct/2015:15:09:58.847] fe_pp-portail-https be_pp-xctl-https/<NOSRV> -1/-1/0 0 -- 0/0/0/0/3 0/0
> Oct 5 15:10:03 localhost haproxy[13839]: 10.250.0.4:51021 [05/Oct/2015:15:10:03.937] fe_pp-portail-https be_pp-xctl-https/<NOSRV> -1/-1/0 0 -- 0/0/0/0/3 0/0
> Oct 5 15:10:08 localhost haproxy[13839]: 10.250.0.4:21815 [05/Oct/2015:15:10:08.925] fe_pp-portail-https be_pp-xctl-https/<NOSRV> -1/-1/0 0 -- 0/0/0/0/3 0/0
> Oct 5 15:10:13 localhost haproxy[13839]: 10.250.0.4:57069 [05/Oct/2015:15:10:13.902] fe_pp-portail-https be_pp-xctl-https/<NOSRV> -1/-1/0 0 -- 0/0/0/0/3 0/0
> Oct 5 15:10:18 localhost haproxy[13839]: 10.250.0.4:42239 [05/Oct/2015:15:10:18.873] fe_pp-portail-https be_pp-xctl-https/<NOSRV> -1/-1/0 0 -- 0/0/0/0/3 0/0
> Oct 5 15:10:23 localhost haproxy[13839]: 10.250.0.4:65477 [05/Oct/2015:15:10:23.893] fe_pp-portail-https be_pp-xctl-https/<NOSRV> -1/-1/0 0 -- 0/0/0/0/3 0/0
> Oct 5 15:10:28 localhost haproxy[13839]: 10.250.0.4:51091 [05/Oct/2015:15:10:28.860] fe_pp-portail-https be_pp-xctl-https/<NOSRV> -1/-1/0 0 -- 0/0/0/0/3 0/0

This usually means that there is no server in the backend because they were
either misconfigured or taken out of the rotation, e.g. due to failed health
checks.

> Here is my configuration (works well with http)
>
> global
>     log 127.0.0.1 local4
>     maxconn 65535
>     user haproxy
>     group haproxy
>     daemon
>     stats socket /var/lib/haproxy/stats user haproxy group haproxy
>     ssl-server-verify none
>     ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK
>     tune.ssl.default-dh-param 2048

Not sure what exactly you want to achieve here. If you want to load balance on
TCP level, HAProxy doesn't need to know anything about any TLS parameters.

> defaults
>     log global
>     mode tcp
>     option tcplog
>     option contstats # Enable continuous traffic Statistics updates
>     option redispatch
>     timeout client 2h #alctl: client inactivity timeout
>     maxconn 15000
>     timeout client-fin 1m # When connection are close on one side only
>     timeout server 60s
>     timeout connect 60s
>     timeout tunnel 2h # Set the maximum inactivity time on the client and server side for tunnels.
>     default-server inter 2s fall 3 rise 2 on-marked-down shutdown-sessions
>
>
> frontend fe_pp-portail-http
>     bind 10.250.0.48:80
>     default_backend be_pp-xctl-http
>
> frontend fe_pp-portail-https
>     bind 10.250.0.48:443
>     default_backend be_pp-xctl-https
>
> backend be_pp-xctl-http
>     balance source
>     server pp-xctl01002-http 172.21.12.8:80
>
> backend be_pp-xctl-https
>     balance source
>     server pp-xctl01002-https 172.21.12.8:443
>
> I got the certificate on my server If I use openssl s_client.

Can you elaborate on this? Are you connecting with s_client to haproxy or to
your server? Can you confirm that you want your web server to do the actual
TLS handshake and not HAProxy?

Conrad

--
Conrad Hoffmann
Traffic Engineer

SoundCloud Ltd. | Rheinsberger Str. 76/77, 10115 Berlin, Germany
Managing Director: Alexander Ljung | Incorporated in England & Wales
with Company No. 6343600 | Local Branch Office | AG Charlottenburg |
HRB 110657B
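The `<NOSRV>` marker Conrad points at is visible in the `backend/server` field of every `option tcplog` line above, next to `-1/-1/0` timers (phases the session never reached) and a retries count of 3. The following is an added example, not code from this thread or from the HAProxy project: a small parser for the tcplog line layout documented in the HAProxy configuration manual, plus a per-backend report that flags sessions which never got a server. Two of the sample lines are taken from Kevin's log above; the third, healthy `be_pp-xctl-http` line is constructed for contrast. The field names and the `nosrv_report` helper are this example's own choices.

```python
import re
from collections import Counter

# "option tcplog" layout after the syslog prefix (HAProxy configuration manual,
# section "TCP log format"):
#   client_ip:port [accept_date] frontend backend/server Tw/Tc/Tt bytes_read
#   termination_state actconn/feconn/beconn/srv_conn/retries srv_queue/backend_queue
TCPLOG_RE = re.compile(
    r"haproxy\[(?P<pid>\d+)\]: "
    r"(?P<client_ip>[^:\s]+):(?P<client_port>\d+) "
    r"\[(?P<accept_date>[^\]]+)\] "
    r"(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) "
    r"(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tt>-?\d+) "
    r"(?P<bytes_read>\d+) "
    r"(?P<term_state>\S{2}) "
    r"(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srv_conn>\d+)/(?P<retries>\d+) "
    r"(?P<srv_queue>\d+)/(?P<backend_queue>\d+)"
)

INT_FIELDS = ("pid", "client_port", "tw", "tc", "tt", "bytes_read", "actconn",
              "feconn", "beconn", "srv_conn", "retries", "srv_queue", "backend_queue")

# Sample input: first two lines are from the thread above, the third is constructed
# to show what a session that did reach a server looks like.
SAMPLE_LINES = [
    "Oct 5 15:09:38 localhost haproxy[13839]: 10.250.0.4:43318 [05/Oct/2015:15:09:38.486] "
    "fe_pp-portail-https be_pp-xctl-https/<NOSRV> -1/-1/0 0 -- 0/0/0/0/3 0/0",
    "Oct 5 15:09:43 localhost haproxy[13839]: 10.250.0.4:44851 [05/Oct/2015:15:09:43.642] "
    "fe_pp-portail-https be_pp-xctl-https/<NOSRV> -1/-1/0 0 -- 0/0/0/0/3 0/0",
    "Oct 5 15:10:33 localhost haproxy[13839]: 10.250.0.4:40001 [05/Oct/2015:15:10:33.100] "
    "fe_pp-portail-http be_pp-xctl-http/pp-xctl01002-http 1/0/120 5120 -- 1/1/1/1/0 0/0",
]


def parse_tcplog(line):
    """Return a dict of tcplog fields, or None if the line is not a tcplog record."""
    m = TCPLOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    # No server was selected for this session (backend had nothing usable).
    rec["no_server"] = rec["server"] == "<NOSRV>"
    # A -1 connect timer means the connect phase was never reached.
    rec["never_connected"] = rec["tc"] == -1
    return rec


def nosrv_report(lines):
    """Per backend: total sessions, sessions without a server, and their ratio."""
    total = Counter()
    nosrv = Counter()
    for line in lines:
        rec = parse_tcplog(line)
        if rec is None:
            continue  # skip non-tcplog lines (e.g. startup messages)
        total[rec["backend"]] += 1
        if rec["no_server"]:
            nosrv[rec["backend"]] += 1
    return {
        backend: {
            "sessions": total[backend],
            "nosrv": nosrv[backend],
            "nosrv_ratio": nosrv[backend] / total[backend],
        }
        for backend in total
    }


if __name__ == "__main__":
    for backend, stats in sorted(nosrv_report(SAMPLE_LINES).items()):
        flag = "  <-- check server config / health-check state" if stats["nosrv"] else ""
        print(f"{backend}: {stats['nosrv']}/{stats['sessions']} sessions without a server{flag}")
```

Feeding the real log through `nosrv_report` gives the thing Conrad asks the reader to check: a backend whose NOSRV ratio is close to 1.0 has no usable server at all, which points at the backend definition or at servers being marked down, not at anything in the TLS cipher settings of the `global` section.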