Re: HAProxy Stats and SSL Problems

2015-06-15 Thread PiBa-NL

Matthew Cox wrote on 15-6-2015 at 20:05:

Hello,

I've been trying to diagnose an odd issue with HAProxy (1.5.x) 
statistics and SSL. I'm seeing clients having problems with the SSL 
negotiation. When digging with openssl, there seems to be a clear text 
http 1.x response which causes the negotiation to fail:


$ openssl s_client -debug -connect lb.com:44300
CONNECTED(0003)
write to 0x7f96a3504c70 [0x7f96a3804200] (130 bytes = 130 (0x82))
0000 - 80 80 01 03 01 00 57 00-00 00 20 00 00 39 00 00   ..W... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5
0020 - 00 00 33 00 00 32 00 00-2f 00 00 9a 00 00 99 00   ..3..2../...
0030 - 00 96 03 00 80 00 00 05-00 00 04 01 00 80 00 00   
0040 - 15 00 00 12 00 00 09 06-00 40 00 00 14 00 00 11   .@..
0050 - 00 00 08 00 00 06 04 00-80 00 00 03 02 00 80 00   
0060 - 00 ff 79 2a 0a d7 d8 37-c8 50 b6 f7 c3 8e ce 96   ..y*...7.P..
0070 - cf 2b d9 b8 92 c5 6f 1f-74 7f c0 d1 22 46 71 7a   .+o.t...Fqz
0080 - e2 b4 ..
read from 0x7f96a3504c70 [0x7f96a3809800] (7 bytes = 7 (0x7))
0000 - 48 54 54 50 2f 31 2e  HTTP/1.
1371:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/ssl/s23_clnt.c:618:


$ telnet lb.com 44300
Trying X.X.X.X...
Connected to X.X.X.X.
Escape character is '^]'.
GET /
HTTP/1.0 403 Forbidden
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>


The proxy log doesn't have anything that helps me understand what's 
going on:



Jun 15 16:47:44 lb.com haproxy[430]: X.X.X.X:55877 [15/Jun/2015:16:47:44.967] stats stats/NOSRV -1/-1/-1/-1/0 400 187 - - PR-- 0/0/0/0/3 0/0 BADREQ



The pertinent configuration sections are:


global
log 127.0.0.1 local1 info
maxconn 10240
chroot /usr/share/haproxy
user haproxy
group haproxy
daemon

# local stats sockets for read access - change operator to admin for r/w

stats socket /var/run/haproxy/haproxy.sock mode 0600 level operator

# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private

# Default ciphers to use on SSL-enabled listening sockets.
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

# Set global SSL bind options
ssl-default-bind-options no-sslv3 no-tls-tickets

tune.ssl.default-dh-param 2048

ssl-server-verify none

defaults
log   global
mode  http
option httplog
option dontlognull
retries   3
option redispatch
maxconn   10240

# Mime types from here:
# http://blogs.alfresco.com/wp/developer/2013/11/13/haproxy-for-alfresco/

# and here
# http://serverfault.com/questions/575744/nginx-mime-types-and-gzip
compression algo gzip
compression type text/plain text/html text/html;charset=utf-8 text/css text/javascript application/json


listen stats :44300

Remove the port like:
listen stats

bind *:44300 ssl crt /etc/ssl/private/the.pem.withkey.pem
mode http
http-request deny if !{ ssl_fc }
stats enable
stats refresh 5s
stats uri /stats
stats realm proxies
stats show-node
stats show-legends
option httplog
option contstats
acl auth_ok_stats http_auth(users_stats)
http-request auth if !auth_ok_stats


Does anyone have any insight?

Thank you in advance,
Matt





Re: HAProxy Stats and SSL Problems

2015-06-15 Thread Baptiste
As stated by Piba-nl, your error is here:

 listen stats :44300
 bind *:44300 ssl crt /etc/ssl/private/the.pem.withkey.pem

When you declare your listen section like this, it is equivalent to:

 listen stats
 bind  :44300
 bind *:44300 ssl crt /etc/ssl/private/the.pem.withkey.pem

Which means that 2 listening sockets will get the traffic, one
deciphering the traffic, and the other one not...

Simply remove the ':44300' from your listen section definition.

Baptiste
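The mistake in this thread is easy to miss in review: the inline address on `listen stats :44300` silently adds a plaintext bind next to the explicit `ssl` bind on the same port, and the `http-request deny if !{ ssl_fc }` rule then answers TLS clients with a cleartext 403. The following is an added example, not code from the thread or from the HAProxy project: a small Python check that parses a haproxy.cfg, treats an inline address on a `listen` (or legacy `frontend`) header as an implicit non-SSL bind, and reports every port a section serves both with and without `ssl`. The sample config strings are constructed from the thread's own section.

```python
import re

# Section header with an optional inline address, e.g. "listen stats :44300".
_SECTION = re.compile(r"^(listen|frontend)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_sections(cfg_text):
    """Return {name: {"inline": addr_or_None, "binds": [bind args...]}} for listen/frontend sections."""
    sections, current = {}, None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            kind, name, inline = m.groups()
            current = sections.setdefault(name, {"kind": kind, "inline": inline, "binds": []})
        elif line.split()[0] in ("global", "defaults", "backend"):
            current = None  # these sections cannot carry bind lines we care about
        elif current is not None and line.startswith("bind "):
            current["binds"].append(line[5:].split())
    return sections


def _port(addr):
    # The port is whatever follows the last colon: "*:44300", ":44300", "1.2.3.4:44300".
    return addr.rsplit(":", 1)[-1]


def find_cleartext_overlap(cfg_text):
    """Return [(section, port)] for each port a section listens on both with and without ssl."""
    findings = []
    for name, sec in parse_sections(cfg_text).items():
        listeners = []  # (port, is_ssl)
        if sec["inline"]:
            listeners.append((_port(sec["inline"]), False))  # implicit plaintext bind
        for args in sec["binds"]:
            is_ssl = "ssl" in args[1:]
            for addr in args[0].split(","):  # "bind :80,:443" lists several addresses
                listeners.append((_port(addr), is_ssl))
        ssl_ports = {p for p, s in listeners if s}
        plain_ports = {p for p, s in listeners if not s}
        findings.extend((name, p) for p in sorted(ssl_ports & plain_ports))
    return findings


# Constructed from the thread: the broken section and the corrected one.
BROKEN_CFG = """\
listen stats :44300
    bind *:44300 ssl crt /etc/ssl/private/the.pem.withkey.pem
    mode http
    http-request deny if !{ ssl_fc }
"""
FIXED_CFG = BROKEN_CFG.replace("listen stats :44300", "listen stats")

if __name__ == "__main__":
    print(find_cleartext_overlap(BROKEN_CFG))  # [('stats', '44300')]
    print(find_cleartext_overlap(FIXED_CFG))   # []
```

Run it against a real config before reloading HAProxy; an empty result means no port is exposed both encrypted and in the clear by the same section.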