HAproxy / Reverse proxy Debian

Thu, 12 Jan 2017 00:24:39 -0800 

Hi,

Hi,

Seems to have a little problem with my SSL config:

...
...

     # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        #  
https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
       ssl-default-bind-options no-sslv3
       ssl-default-bind-ciphers 
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

       ssl-default-server-options no-sslv3
       ssl-default-server-ciphers 
ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

defaults
        log     global
        mode    http
        option forwardfor
        option http-server-close
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http
        stats enable
        stats uri /stats
        stats realm Haproxy\ Statistics
        stats auth toto:lolo29

frontend email-https
        bind *:888 ssl crt /etc/ssl/certs/cert.crt
        reqadd X-Forwarded-Proto:\ https
        default_backend https-email

frontend www-https
        bind *:443 ssl crt /etc/ssl/certs/cert.crt
        reqadd X-Forwarded-Proto:\ https
        default_backend https-www

backend https-email
        redirect scheme https if !{ ssl_fc }
        server hostname ip_email_server:888

backend https-www
        redirect scheme https if !{ ssl_fc }
        server hostname ip_web_server:443

The main plan is to forward all HTTPS (port:443) requests to my web server 
and all HTTPS(port:888) to my email server.

Do you see any mistake in my config ?

Logs from HAproxy:

haproxy[15953]:  [ALERT] 011/101209 (15953) : Proxy 'email-https': no SSL 
certificate specified for bind '*:888' at [/etc/haproxy/haproxy.cfg:52] (use 
'crt').
Jan 12 10:12:09 proxy haproxy[15953]: [ALERT] 011/101209 (15953) : Proxy 
'www-https': no SSL certificate specified for bind '*:443' at 
[/etc/haproxy/haproxy.cfg:57] (use 'crt').
Jan 12 10:12:09 proxy haproxy[15953]: [ALERT] 011/101209 (15953) : Fatal errors 
found in configuration.

Thx

  

-- 
Cordialement,
 Thierry                          e-mail : lenai...@maelenn.org  
 PGP Key: 0xB7E3B9CD

Reply via email to