Dialog between wildfly and haproxy - Invalid PROXY protocol header

Question

I have one linux machine with 2 Wildfly servers listening on 2 différents https ports. I have one domain and 2 sub-domain: aa.mydomain.fr et bb.mydomain.fr that i redirect to my 2 wildlfy servers using a Haproxy (i didn't find other solutions to redirect 2 sub-domain in dealing with 2 different https ports and one linux server IP)

My HapProxy server configuration (for aa.mydomain.fr only):

global
    log 127.0.0.1:514 local0 info
    daemon
    maxconn 4096
    tune.ssl.default-dh-param 1024
    ssl-default-bind-options ssl-min-ver TLSv1.2
defaults
    mode http
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms
    log global
    option httplog
    option forwardfor
frontend http-in
    bind linux_server_ip:80
    acl is_demo_site hdr_end(host) aa.mydomain.fr
    use_backend demo_site if is_demo_site
frontend https-in
    bind linux_server_ip:443 ssl crt /etc/haproxy/cert/mycert.pem
    acl is_demo_https_site hdr_end(host) aa.mydomain.fr
    use_backend demo_https_site if is_demo_https_site
backend demo_site
    server s1 linux_server_ip:8xxx maxconn 32
backend demo_https_site
    server s3 linux_server_ip:8yyy maxconn 32
    http-request set-header X-Forwarded-Proto https

My wildfly server conf for sub-domain aa.mydomain.fr:

<subsystem xmlns="urn:jboss:domain:undertow:8.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other">
            <buffer-cache name="default"/>
            <server name="default-server">
                <http-listener name="default" socket-binding="http" redirect-socket="https" proxy-address-forwarding="true" enable-http2="true"/>
                <https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true" proxy-protocol="true"/>
                <host name="default-host" alias="localhost">
                    <location name="/" handler="welcome-content"/>
                    <access-log pattern="%a %t %H %p %U %s %S %T" directory="${jboss.home.dir}/standalone/log" prefix="access_"/>
                    <http-invoker security-realm="ApplicationRealm"/>
                </host>
            </server>
            <servlet-container name="default">
                <jsp-config/>
                <websockets/>
            </servlet-container>
            <handlers>
                <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
            </handlers>
</subsystem>

<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
...
        <socket-binding name="http" port="${jboss.http.port:8xxx}"/>
        <socket-binding name="https" port="${jboss.https.port:8yyy}"/>
...
  </socket-binding-group>    

The http redirection works fine but not the https one which return an 502 error code bad Gateway and i have this error message in my wildfly server log:

2019-09-10 10:47:11,746 TRACE [org.xnio.nio] (default I/O-2) Running task org.xnio.nio.QueuedNioTcpServer$1@7b85bf52
2019-09-10 10:47:11,746 TRACE [org.xnio.nio] (default I/O-2) Running task org.xnio.nio.NioHandle$1@dd77838
2019-09-10 10:47:11,746 DEBUG [io.undertow.request.io] (default I/O-2) UT005013: An IOException occurred: java.io.IOException: UT000179: Invalid PROXY protocol header
at io.undertow.core@2.0.15.Final//io.undertow.server.protocol.proxy.ProxyProtocolReadListener.handleEvent(ProxyProtocolReadListener.java:90)
at io.undertow.core@2.0.15.Final//io.undertow.server.protocol.proxy.ProxyProtocolReadListener.handleEvent(ProxyProtocolReadListener.java:34)
at org.jboss.xnio@3.6.5.Final//org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.jboss.xnio@3.6.5.Final//org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
at org.jboss.xnio.nio@3.6.5.Final//org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
at org.jboss.xnio.nio@3.6.5.Final//org.xnio.nio.NioHandle$1.run(NioHandle.java:50)
at org.jboss.xnio.nio@3.6.5.Final//org.xnio.nio.WorkerThread.safeRun(WorkerThread.java:612)
at org.jboss.xnio.nio@3.6.5.Final//org.xnio.nio.WorkerThread.run(WorkerThread.java:479)
2019-09-10 10:47:11,747 TRACE [org.xnio.nio] (default I/O-2) Cancelling key channel=java.nio.channels.SocketChannel[connected local=/linux_server_ip:8xxx remote=/linux_server_ip:49866], selector=sun.nio.ch.EPollSelectorImpl@4a7d8873, interestOps=1, readyOps=0 of java.nio.channels.SocketChannel[connected local=/linux_server_ip:8xxx remote=/linux_server_ip:49866] (same thread)
2019-09-10 10:47:11,747 TRACE [org.xnio.nio] (default I/O-2) Added task org.xnio.nio.QueuedNioTcpServer$2@1939a2a9

Details of the error:

    private static final byte[] NAME = "PROXY ".getBytes(StandardCharsets.US_ASCII);
… 
    public void handleEvent(StreamSourceChannel streamSourceChannel) {
        PooledByteBuffer buffer = bufferPool.allocate();
        boolean freeBuffer = true;
        try {
            for (; ; ) {
                int res = streamSourceChannel.read(buffer.getBuffer());
                if (res == -1) {
                    IoUtils.safeClose(streamConnection);
                    return;
                } else if (res == 0) {
                    return;
                } else {
                    buffer.getBuffer().flip();
                    while (buffer.getBuffer().hasRemaining()) {
                        char c = (char) buffer.getBuffer().get();
                        if (byteCount < NAME.length) {
                            //first we verify that we have the correct protocol
                            if (c != NAME[byteCount]) {
                                throw **UndertowMessages.MESSAGES.invalidProxyHeader()**;
                            }
…

Notes:

1. I use a "Let's encrypt" SSL certificat.

2. I get the same error code if i remove the "option forwardfor" in the Haproxy conf.

3. If i add "accept-proxy" in frontend https-in section and "send-proxy" in backend demo_https_site, i get the Following message in haproxy.log: "Received something which does not look like a PROXY protocol header".

4. When i monitor the header request with FF monitor tools, i don't see X-Forwarded detail...

Software details: Haproxy v1.8.8/Wildfly v15.0.1

I don't know if the issue come from my wildfly conf or my haproxy conf, can somebody suggest idea or fix please ?

Best regards.

Answer 1

One way I think you could fix this is by adding proxy protocol to your https proxy with the send-proxy or send-proxy-v2 option. e.g:

backend demo_https_site
    server s3 linux_server_ip:8yyy maxconn 32 send-proxy

Another way would be to remove proxy-protocol from wildfly, e.g:

<https-listener name="https" socket-binding="https" security-realm="ApplicationRealm" enable-http2="true"/>

However, this will means the client's source ip would have to be derived from the X-Forwarded-For header.