Hi Folks,
I'm working with a set of HAProxy backends (both 1.5 and 1.6 branch) and
often one HAProxy will be relaying to another before arriving at the
origin that will serve the request.
Much of this traffic is HTTP but I am adding a channel for HTTPS as well,
and using an SSL-enabled backend for HTTPS requests.
Let's say a request comes like this: Client (browser) -> "Edge" (HAProxy)
-> "Local" (HAProxy) -> Origin (apache, nginx, etc). In this particular
test, "Edge" is HAProxy 1.6.3, and "Local" is HAProxy 1.5.14.
What I've found is that if I enable the "strict-sni" option on "Local",
the health checks from "Edge" fail with 'reason: Layer6 invalid response,
info: "SSL handshake failure", check duration: 8ms'. In the logs on
"Local" I see "http/2: SSL handshake failure".
Initially I was using a backend declaration like this:
server hostname-ssl-01 IP:443 check-ssl ssl ca-file /path/to/ca/certs
Once I enabled strict-sni on the "Local" side, the health checks stopped
working. So, I added the verifyhost directive in the hopes of being able
to specify the SNI host rather than depending on a default cert:
server hostname-ssl-01 IP:443 check-ssl ssl ca-file /path/to/ca/certs verifyhost www.hostname.com
Alas, I get the same SSL handshake error. Is this not expected to work?
I know I can do other things like use health checks from an HTTP backend,
but I would both like to have SSL health checks on SSL ports, as well as
turn off the default certificate by using strict-sni so that domains
hosted without SSL certificates get a more appropriate error (unable to
connect / no cert) instead of a message about a certificate that does not
match when they are served the default cert.
Also, it's worth mentioning that verifyhost is working as expected, in
that if it's specified on the server line, the SSL handshake will fail if
the "Local" HAProxy server does not have a certificate installed for the
domain in question. So, this leads me to believe that SNI can and is used
by the SSL-enabled server.
--
Best Regards,
Mark Staudinger
"Why DIY when you can NYI?"
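An added configuration example for the two sides described above; it is not
from the post and not HAProxy's own documentation text. It assumes the
frontend/backend names, the origin address 10.0.0.10:80, the certificate
directory /etc/haproxy/certs/ and the name www.hostname.com; "IP" and
/path/to/ca/certs are left as the placeholders used in the post. The point
it illustrates: "verifyhost" only names the host that the certificate
received from "Local" is checked against, it does not put a server_name
(SNI) extension into the ClientHello. For proxied traffic the "sni" server
keyword (a 1.6 addition, taking a sample-fetch expression) supplies that
name; a health check is a separate TLS connection and gets its name from
"check-sni", a later server keyword (documented for 1.7; whether a given
1.6.x release carries it is something to confirm in that version's
configuration manual, so treat its availability on 1.6.3 as an assumption).
"check" is included explicitly so the line does not rely on a
default-server setting.

```haproxy
# "Local" side (the 1.5.14 instance). strict-sni means a ClientHello that
# carries no server_name, or a name with no matching certificate, gets no
# certificate at all: the handshake fails instead of falling back to the
# first certificate loaded from the directory.
frontend local-https
    bind :443 ssl crt /etc/haproxy/certs/ strict-sni
    default_backend origins

backend origins
    server origin-01 10.0.0.10:80 check      # assumed origin address

# "Edge" side (the 1.6.3 instance). Proxied connections send the client's
# Host header as SNI; the health-check connection is separate and needs its
# own literal name via check-sni, otherwise it arrives without SNI and is
# refused by strict-sni exactly as in the post.
backend local-ssl
    server hostname-ssl-01 IP:443 ssl verify required ca-file /path/to/ca/certs verifyhost www.hostname.com sni req.hdr(host) check check-ssl check-sni www.hostname.com
```

To reproduce the two behaviours from the "Edge" host without HAProxy in the
way, "openssl s_client -connect IP:443 -servername www.hostname.com" should
complete the handshake against the strict-sni listener, while the same
command with "-servername" omitted (connecting by IP, so s_client sends no
SNI) should fail at the handshake; the second case is what a check without
check-sni looks like to "Local". Note that "check-sni" accepts only a fixed
string, so each server line needs a name that "Local" actually has a
certificate for, and with "verify required" plus "ca-file" and "verifyhost"
the check also rejects a certificate that does not chain to that CA or does
not carry that name, which is the behaviour the post already observes.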