Hello,
I've been trying to diagnose an odd issue with HAProxy (1.5.x)
statistics and SSL. I'm seeing clients having problems with the SSL
negotiation. When probing with openssl, there appears to be a clear-text
HTTP/1.x response on the socket, which causes the negotiation to fail:
$ openssl s_client -debug -connect lb.com:44300
CONNECTED(00000003)
write to 0x7f96a3504c70 [0x7f96a3804200] (130 bytes => 130 (0x82))
0000 - 80 80 01 03 01 00 57 00-00 00 20 00 00 39 00 00 ......W... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 9a 00 00 99 00 ..3..2../.......
0030 - 00 96 03 00 80 00 00 05-00 00 04 01 00 80 00 00 ................
0040 - 15 00 00 12 00 00 09 06-00 40 00 00 14 00 00 11 .........@......
0050 - 00 00 08 00 00 06 04 00-80 00 00 03 02 00 80 00 ................
0060 - 00 ff 79 2a 0a d7 d8 37-c8 50 b6 f7 c3 8e ce 96 ..y*...7.P......
0070 - cf 2b d9 b8 92 c5 6f 1f-74 7f c0 d1 22 46 71 7a .+....o.t..."Fqz
0080 - e2 b4 ..
read from 0x7f96a3504c70 [0x7f96a3809800] (7 bytes => 7 (0x7))
0000 - 48 54 54 50 2f 31 2e HTTP/1.
1371:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/ssl/s23_clnt.c:618:
$ telnet lb.com 44300
Trying X.X.X.X...
Connected to X.X.X.X.
Escape character is '^]'.
GET /
HTTP/1.0 403 Forbidden
Cache-Control: no-cache
Connection: close
Content-Type: text/html
<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>
The proxy log doesn't have anything that helps me understand what's
going on:
Jun 15 16:47:44 lb.com haproxy[430]: X.X.X.X:55877
[15/Jun/2015:16:47:44.967] stats stats/<NOSRV> -1/-1/-1/-1/0 400 187 - -
PR-- 0/0/0/0/3 0/0 "<BADREQ>"
The pertinent configuration sections are:
global
log 127.0.0.1 local1 info
maxconn 10240
chroot /usr/share/haproxy
user haproxy
group haproxy
daemon
# local stats sockets for read access - change "operator" to "admin" for r/w
stats socket /var/run/haproxy/haproxy.sock mode 0600 level operator
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
# Set global SSL bind options
ssl-default-bind-options no-sslv3 no-tls-tickets
tune.ssl.default-dh-param 2048
ssl-server-verify none
defaults
log global
mode http
option httplog
option dontlognull
retries 3
option redispatch
maxconn 10240
# Mime types from here:
# http://blogs.alfresco.com/wp/developer/2013/11/13/haproxy-for-alfresco/
# and here
# http://serverfault.com/questions/575744/nginx-mime-types-and-gzip
compression algo gzip
compression type text/plain text/html text/html;charset=utf-8 text/css text/javascript application/json
listen stats :44300
# NOTE(review): the ":44300" after the proxy name is itself a bind, so this
# section appears to open two listeners on port 44300 -- the plaintext one
# declared here and the SSL one on the "bind" line below. A client landing on
# the plaintext listener would see the 403 from the "http-request deny" rule
# (as in the telnet capture), and a TLS ClientHello arriving there would be
# parsed as HTTP and logged as "<BADREQ>" -- consistent with the log line
# above. Worth confirming by removing the address from the "listen" line so
# only the ssl bind remains.
bind *:44300 ssl crt /etc/ssl/private/the.pem.withkey.pem
mode http
# Refuse anything that did not arrive over TLS on the front connection.
http-request deny if !{ ssl_fc }
stats enable
stats refresh 5s
stats uri /stats
stats realm "proxies"
stats show-node
stats show-legends
option httplog
option contstats
# Require HTTP basic auth against the users_stats userlist before serving stats.
acl auth_ok_stats http_auth(users_stats)
http-request auth if !auth_ok_stats
Does anyone have any insight?
Thank you in advance,
Matt
I've been trying to diagnose an odd issue with HAProxy (1.5.x)
statistics and SSL. I'm seeing clients having problems with the SSL
negotiation. When probing with openssl, there appears to be a clear-text
HTTP/1.x response on the socket, which causes the negotiation to fail:
$ openssl s_client -debug -connect lb.com:44300
CONNECTED(00000003)
write to 0x7f96a3504c70 [0x7f96a3804200] (130 bytes => 130 (0x82))
0000 - 80 80 01 03 01 00 57 00-00 00 20 00 00 39 00 00 ......W... ..9..
0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0 8..5............
0020 - 00 00 33 00 00 32 00 00-2f 00 00 9a 00 00 99 00 ..3..2../.......
0030 - 00 96 03 00 80 00 00 05-00 00 04 01 00 80 00 00 ................
0040 - 15 00 00 12 00 00 09 06-00 40 00 00 14 00 00 11 .........@......
0050 - 00 00 08 00 00 06 04 00-80 00 00 03 02 00 80 00 ................
0060 - 00 ff 79 2a 0a d7 d8 37-c8 50 b6 f7 c3 8e ce 96 ..y*...7.P......
0070 - cf 2b d9 b8 92 c5 6f 1f-74 7f c0 d1 22 46 71 7a .+....o.t..."Fqz
0080 - e2 b4 ..
read from 0x7f96a3504c70 [0x7f96a3809800] (7 bytes => 7 (0x7))
0000 - 48 54 54 50 2f 31 2e HTTP/1.
1371:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
protocol:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/ssl/s23_clnt.c:618:
$ telnet lb.com 44300
Trying X.X.X.X...
Connected to X.X.X.X.
Escape character is '^]'.
GET /
HTTP/1.0 403 Forbidden
Cache-Control: no-cache
Connection: close
Content-Type: text/html
<html><body><h1>403 Forbidden</h1>
Request forbidden by administrative rules.
</body></html>
The proxy log doesn't have anything that helps me understand what's
going on:
Jun 15 16:47:44 lb.com haproxy[430]: X.X.X.X:55877
[15/Jun/2015:16:47:44.967] stats stats/<NOSRV> -1/-1/-1/-1/0 400 187 - -
PR-- 0/0/0/0/3 0/0 "<BADREQ>"
The pertinent configuration sections are:
global
log 127.0.0.1 local1 info
maxconn 10240
chroot /usr/share/haproxy
user haproxy
group haproxy
daemon
# local stats sockets for read access - change "operator" to "admin" for r/w
stats socket /var/run/haproxy/haproxy.sock mode 0600 level operator
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
# Set global SSL bind options
ssl-default-bind-options no-sslv3 no-tls-tickets
tune.ssl.default-dh-param 2048
ssl-server-verify none
defaults
log global
mode http
option httplog
option dontlognull
retries 3
option redispatch
maxconn 10240
# Mime types from here:
# http://blogs.alfresco.com/wp/developer/2013/11/13/haproxy-for-alfresco/
# and here
# http://serverfault.com/questions/575744/nginx-mime-types-and-gzip
compression algo gzip
compression type text/plain text/html text/html;charset=utf-8 text/css text/javascript application/json
listen stats :44300
# NOTE(review): the ":44300" after the proxy name is itself a bind, so this
# section appears to open two listeners on port 44300 -- the plaintext one
# declared here and the SSL one on the "bind" line below. A client landing on
# the plaintext listener would see the 403 from the "http-request deny" rule
# (as in the telnet capture), and a TLS ClientHello arriving there would be
# parsed as HTTP and logged as "<BADREQ>" -- consistent with the log line
# above. Worth confirming by removing the address from the "listen" line so
# only the ssl bind remains.
bind *:44300 ssl crt /etc/ssl/private/the.pem.withkey.pem
mode http
# Refuse anything that did not arrive over TLS on the front connection.
http-request deny if !{ ssl_fc }
stats enable
stats refresh 5s
stats uri /stats
stats realm "proxies"
stats show-node
stats show-legends
option httplog
option contstats
# Require HTTP basic auth against the users_stats userlist before serving stats.
acl auth_ok_stats http_auth(users_stats)
http-request auth if !auth_ok_stats
Does anyone have any insight?
Thank you in advance,
Matt