I have to put haproxy in front of my already running Apache web-server. Both haproxy and the Apache web-server are on separate CentOS 6.4 machines. I have installed haproxy-1.5-dev19.el6.x86_64 and it is working fine with http, but I am getting the error below with https: "502 Bad Gateway: The server returned an invalid or incomplete response".
haproxy logs are shown below:
Nov 7 05:49:56 localhost haproxy[9925]: XX.XX.XXX.XX:51949 [07/Nov/2013:05:49:55.204] https-in~ abc-https/server1 1595/0/1/-1/1597 502 714 - - PHNN 2/2/0/0/0 0/0 "GET / HTTP/1.1"
Nov 7 05:49:57 localhost haproxy[9925]: XX.XX.XXX.XX:51947 [07/Nov/2013:05:49:55.972] https-in~ abc-https/server1 1523/0/1/-1/1525 502 714 - - PHNN 1/1/0/0/0 0/0 "GET /favicon.ico HTTP/1.1"
SSL logs on webserver (request behind proxy):
10.0.0.218 - - [06/Nov/2013:22:42:34 -0800] **"GET /"** 400 510
10.0.0.218 - - [06/Nov/2013:22:42:34 -0800] "GET /" 400 510
SSL logs on webserver (direct request):
XX.XX.XX.XX - - [06/Nov/2013:22:48:42 -0800] **"GET / HTTP/1.1"** 200 19553
As you can see, there is a difference at the webserver between the proxied request and the direct one.
Below is my haproxy.cfg file:
global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 40000
    user haproxy
    group haproxy
    daemon
    stats socket /var/lib/haproxy/stats

defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor
    option redispatch
    retries 10
    timeout http-request 60s
    timeout queue 60s
    timeout connect 60s
    timeout client 60s
    timeout server 60s
    timeout http-keep-alive 60s
    timeout check 60s
    maxconn 30000

listen stats 0.0.0.0:8880
    stats enable
    stats hide-version
    stats uri /
    stats realm HAProxy\ Statistics
    stats auth XXXXX:XXXXX

frontend http-in
    bind *:80
    acl url_static path_beg -i /static /images /javascript /stylesheets
    acl url_static path_end -i .jpg .gif .png .css .js
    tcp-request connection accept if { src -f /etc/haproxy/whitelist.lst }
    tcp-request connection reject if { src_conn_cur ge 200 }
    # src_conn_cur, track-sc1 and the src_* fetches in http-in-bk need a
    # stick-table declared in this frontend (not shown in the pasted config)
    tcp-request connection track-sc1 src
    use_backend http-in-static if url_static
    default_backend http-in-bk

frontend https-in
    # TLS is terminated here; requests leave this frontend as plaintext HTTP
    bind *:443 ssl crt /home/ec2-user/ev/haproxy.pem
    http-request add-header X-Proto https if { ssl_fc }
    use_backend abc-https if { ssl_fc }

backend abc-https
    # plaintext HTTP is sent to Apache's HTTPS port (see the 400s in the Apache SSL log)
    server server1 10.0.0.16:443 check

backend http-in-static
    server static 10.0.0.16:80 check inter 100 weight 1

backend http-in-bk
    acl abuse src_http_err_rate(http-in) ge 100
    acl flag_abuser src_inc_gpc0(http-in)
    tcp-request content reject if abuse flag_abuser
    server server1 10.0.0.16:80 check inter 100 weight 1
There is only one webserver which is already running and I have to implement haproxy in front of that.
Where am I going wrong? Kindly help me to resolve this issue.
Regards,
Komal Pal
You are decrypting the SSL traffic and then sending the plaintext HTTP to an HTTPS socket on your webserver.
In this setup you would normally send it to port 80 on the webserver, because you have already decrypted it.
If you want to re-encrypt you must change your "server xxx" line to have the flag "ssl" on it as well.
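The two fixes described in the answer, written out for the abc-https backend as an added example (not part of the original question or answer); the ca-file path is an assumed placeholder, and the rest of the config is left as posted:

```haproxy
# Option A: TLS is terminated by the https-in frontend, so hand the
# already-decrypted request to Apache's plain HTTP listener.
backend abc-https
    server server1 10.0.0.16:80 check

# Option B (use instead of A, not together): keep the hop to Apache
# encrypted by adding "ssl" to the server line. "verify required" makes
# haproxy reject a backend certificate that does not chain to the CA in
# ca-file, so a spoofed backend cannot silently terminate the connection.
# /etc/haproxy/backend-ca.pem is a placeholder path, not from the page.
backend abc-https
    server server1 10.0.0.16:443 ssl verify required ca-file /etc/haproxy/backend-ca.pem check
```

With either option the X-Proto header added in the https-in frontend still tells Apache the client connection was HTTPS, so redirects and absolute URLs it generates can use the right scheme.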