Reputation: 4387
haproxy with SSL and Notls
I have setup the new version of haproxy but I need to disable TLS and the "notlsv1" keyword doesn't works. In my actual configuration, I use stud to manage https sessions with these parameters:
-B 1000 -n 8 -b 127.0.0.1 8080 -f *,443 --ssl -c ALL --write-proxy
And I'm trying to replace him by the new haproxy version.
My configuration file:
global
log 127.0.0.1 local0 info
maxconn 32000
user haproxy
group haproxy
daemon
nbproc 1
stats socket /tmp/haproxy.sock
defaults
timeout connect 10000
timeout client 30000
timeout server 30000
listen ha_stats 0.0.0.0:8088
balance source
mode http
timeout client 30000ms
stats enable
stats uri /lb?stats
frontend https-requests
mode http
bind :80
bind :443 ssl crt ./haproxy.pem notlsv1
acl is_front hdr(host) -i front.mydomain.com
acl is_service hdr(host) -i service.mydomain.com
use_backend bkfront if is_front
use_backend bkservice if is_service
default_backend mydomain.com
backend mydomain.com
mode http
server mywebsite www.mydomain.com:80
backend bkfront
mode http
balance roundrobin
option httpchk GET / HTTP/1.1\r\nHost:\ front.mydomain.com
server web05 192.168.200.5:80 check
backend bkservice
mode http
balance roundrobin
option httpchk GET / HTTP/1.1\r\nHost:\ service.mydomain.com
server web01 192.168.200.1:80 check
The http and https sessions work very well with firefox but I have problems with chrome and Internet explorer. To solve them, with Stud I need to add --ssl.
Thanks,
SOLUTION:
Thanks to Willy for his help. Below I give the commands to solve this problem:
wget http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev12.tar.gz
wget http://haproxy.1wt.eu/download/1.5/src/snapshot/haproxy-1.5-dev12-patches-LATEST.tar.gz
tar xvzf haproxy-1.5-dev12.tar.gz
mv haproxy-1.5-dev12-patches-LATEST.tar.gz haproxy-1.5-dev12
cd haproxy-1.5-dev12/
tar xvzf haproxy-1.5-dev12-patches-LATEST.tar.gz
patch -p1 < haproxy-1.5-dev12-patches-20121009/*.diff
make TARGET=linux26 USE_OPENSSL=1
sudo make PREFIX=/opt/haproxy-ssl install
And replace:
bind :443 ssl crt ./haproxy.pem notlsv1
to:
bind :443 ssl crt ./haproxy.pem force-sslv3
Upvotes: 4
Views: 4147
Answers (1)
Reputation: 3424
This is because in OpenSSL, notlsv1 only disables TLSv1.0, not later versions ! If you need this, you'd better download the latest snapshot from the site and use "force-sslv3" instead of "notlsv1". It will force use of SSLv3 exclusively and do what you currently have with stud.
Upvotes: 4
Related Questions
- HAproxy with multiple https sites
- http request to https request using haproxy
- https is not working behind haproxy
- HAProxy http check on for ssl?
- setting up haproxy to listen to ssl
- Haproxy with SSL doesn't works
- setting up ssl on haproxy
- Haproxy Connect with client with public ssl cert and Connect to server with insecure ssl
- HAProxy and SSL Certification
- SSL over HAProxy issue