NeilWang

Reputation: 367

HAProxy http check on for ssl?

I have some web servers which have a MySQL backend. An HAProxy is in front of those web servers. All the web servers are using https.

I tried to use the http check option on both http and https to make sure that if the database connection is lost, HAProxy will fail over to another node. My haproxy configuration file:

global
        log /dev/log local0
        maxconn 4096
        #debug
        #quiet
        user haproxy
        group haproxy

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        retries 3
        option redispatch
        maxconn 2000
        timeout connect     5000ms
        timeout client      50000ms
        timeout server      50000ms

listen http
       bind *:80
       mode http
       balance roundrobin
       stats enable
       stats auth haproxy:haproxy
       cookie JSESSIONID prefix
       stick on src table https
       option http-server-close
       option forwardfor
       default-server inter 5s fall 2
       option httpchk
       http-check expect ! string Database\ error
       server sitea 192.168.0.20 cookie sitea check port 80
       server siteb 192.168.0.21 cookie siteb check port 80

listen https
       bind *:443
       mode tcp
       balance roundrobin
       stick-table type ip size 5000k expire 2h store conn_cur
       stick on src
       option tcplog
       option ssl-hello-chk
       default-server inter 5s fall 2
       option httpchk
       http-check expect ! string Database\ error
       server sitea 192.168.0.20:443 check ssl verify none
       server siteb 192.168.0.21:443 check ssl verify none

Look at the last two lines. If I specify "ssl verify none", my HAProxy can successfully check both Apache and MySQL status. However, I can't open the webpage via https (it prompts me: "This site can’t provide a secure connection. ERR_SSL_PROTOCOL_ERROR").

If I remove that parameter, the webpage can be opened again, but the status of all the https servers becomes DOWN in HAProxy.

P.S. I'm currently using a self-signed certificate, because I'm still testing.

Upvotes: 2

Views: 8860

Answers (1)

NeilWang

Reputation: 367

I have found the solution: since I am using https on the Apache nodes, I have to copy the SSL certificate content to HAProxy. To do that, copy and merge both the private key and the certificate content issued by the CA into one single file (in my case, I put it into /etc/haproxy/haproxy.pem).

Modify the HAProxy configuration: change

bind *:443

to

bind *:443 ssl crt /etc/haproxy/haproxy.pem

Upvotes: 1
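
The merge step from the answer above, as an added shell example that is not part of the original post: it checks that the private key belongs to the certificate before writing the combined file, and creates that file with owner-only permissions because it holds the private key. The function names and exit codes are this example's own, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the original answer): build the single PEM file that
# "bind *:443 ssl crt <file>" loads, refusing a key that does not match the
# certificate and never leaving the private key world-readable.
# All file paths are supplied by the caller.

# build_haproxy_pem CERT KEY OUT
#   exit 0 = OUT written, 2 = unreadable/invalid input, 3 = key/cert mismatch
build_haproxy_pem() (
    cert=$1; key=$2; out=$3

    # Extract the public key from each file; any parse failure is fatal.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || exit 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || exit 2
    [ -n "$cert_pub" ] || exit 2

    # HAProxy rejects a mismatched pair when it loads the file; catch it here.
    [ "$cert_pub" = "$key_pub" ] || exit 3

    # The combined file contains the private key: create it as 0600 and
    # move it into place only after it is complete.
    umask 077
    tmp="$out.tmp.$$"
    rm -f "$tmp"
    cat "$cert" "$key" > "$tmp" || { rm -f "$tmp"; exit 2; }
    mv -f "$tmp" "$out"
)

# pem_mode FILE -> permission string such as "-rw-------"
pem_mode() {
    ls -l "$1" | cut -c1-10
}

# Stand-alone use: sh build_pem.sh site.crt site.key /etc/haproxy/haproxy.pem
if [ "$#" -eq 3 ]; then
    build_haproxy_pem "$1" "$2" "$3"
fi
```

After the file is written, `haproxy -c -f <config file>` validates the configuration, including the `crt` file, before a reload.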
