Hi, I am trying to solve this unique problem for a client who wants to limit my access to only one IP coming into his firewall, and as I did not want to distribute my app server's IP, I am thinking of using HAProxy in TCP mode so it can just do layer 4 routing, e.g.
My Application (appl 1) sends data to haproxy
and
Haproxy sends data to the client web-service
I was able to get this to work over HTTP, but when I try over HTTPS I get an error.
First issue I have: I don't see any log activity in haproxy.log... maybe I am missing a config???
Second issue is the HTTPS redirection.
Here is what works:
$ curl -vL http://<haproxy_IP>/matest.php
* Trying <haproxy_IP>...
* Connected to <haproxy_IP> (127.0.0.1) port 80 (#0)
> GET /matest.php HTTP/1.1
> Host: <haproxy_IP>
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sat, 30 Jan 2016 00:51:55 GMT
< Server: Apache
< X-Powered-By: PHP/5.5.30
< MS-Author-Via: DAV
< Content-Length: 28
< Content-Type: text/html
<
Here is what does not work:
$ curl -vL https://<haproxyIP>:443/matest.php
* Trying <haproxy_IP>...
* Connected to <haproxy_IP> (127.0.0.1) port 443 (#0)
* WARNING: using IP address, SNI is being disabled by the OS.
* Server aborted the SSL handshake
* Closing connection 0
curl: (35) Server aborted the SSL handshake
and
$ curl -vL http://<haproxy_IP>:443/matest.php
* Trying <haproxy_IP>...
* Connected to <haproxy_IP> (127.0.0.1) port 443 (#0)
> GET /matest.php HTTP/1.1
> Host: <haproxy_IP>:443
> User-Agent: curl/7.43.0
> Accept: */*
>
* Empty reply from server
* Connection #0 to host <haproxy_IP> left intact
curl: (52) Empty reply from server
Here is my sample config:
global
    log /dev/log local0
    log /dev/log local1 notice
    maxconn 4096
    chroot /usr/share/haproxy
    user haproxy
    group haproxy
    daemon
defaults
    log global
    mode tcp
    option tcplog
    option dontlognull
    retries 3
    maxconn 2000
    timeout http-request 5s
    timeout connect 5000
    timeout client 180s
    timeout server 180s
frontend www-http
    bind *:80
    default_backend test-http
frontend www-https
    bind *:443
    default_backend test-https
backend test-http
    server ABC 2.1.9.1:80
backend test-https
    server ABC 2.1.9.1:443
Either I am doing something fundamentally wrong or I am confused with some of the terms of TCP/IP connections... Well, if the answer is that this will only work on port 80 because the SSL certificate cannot determine the authenticity of the request, then will it help if I load the destination server's SSL cert into my HAProxy?
Hope someone can help here.
Thanks
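Added example, not from the post and not HAProxy's own tooling: a small Python linter that parses a trimmed copy of the config quoted above and reports the settings behind the two symptoms, relying on HAProxy's documented behaviour that a unix-socket log path is resolved inside the chroot and that a tcp-mode proxy never parses HTTP (so http-only timeouts do nothing and TLS passes straight through to the backend).

```python
SAMPLE_CONFIG = """\
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /usr/share/haproxy
defaults
    mode tcp
    timeout http-request 5s
frontend www-https
    bind *:443
backend test-https
    server ABC 2.1.9.1:443
"""
SECTION_KEYWORDS = {"global", "defaults", "frontend", "backend", "listen"}

def parse_sections(text):
    """Return [(kind, name, [(keyword, [args...]), ...]), ...] for an HAProxy config."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        kw, *args = line.split()
        if kw in SECTION_KEYWORDS:
            sections.append((kw, args[0] if args else "", []))
        elif sections:
            sections[-1][2].append((kw, args))
    return sections

def lint(text):
    """Return finding strings: log socket under chroot, http-only timeout in tcp mode, TLS passthrough."""
    sections, findings, default_mode = parse_sections(text), [], "http"
    chroot = next((a[0] for k, _, d in sections if k == "global"
                   for kw, a in d if kw == "chroot" and a), None)
    for kind, name, directives in sections:
        label = f"{kind} {name}".strip()
        own_mode = next((a[0] for kw, a in directives if kw == "mode" and a), None)
        if kind == "defaults":                       # a defaults block starts from HAProxy's built-in mode http
            default_mode = own_mode or "http"
        mode = own_mode or default_mode              # a proxy's own 'mode' overrides the defaults
        for kw, args in directives:
            if kind == "global" and kw == "log" and chroot and args and args[0].startswith("/"):
                findings.append(f"{label}: log socket {args[0]} is resolved inside chroot {chroot}; "
                                f"unless {chroot.rstrip('/')}{args[0]} exists there, nothing is logged")
            elif kind != "global" and mode == "tcp" and kw == "timeout" and args[:1] == ["http-request"]:
                findings.append(f"{label}: 'timeout http-request' governs HTTP parsing and has no effect in mode tcp")
            elif kind == "frontend" and mode == "tcp" and kw == "bind" and args and args[0].endswith(":443") \
                    and "ssl" not in args:
                findings.append(f"{label}: {args[0]} is TCP passthrough; TLS is negotiated end to end with the "
                                "backend, which presents its own certificate and sees the client's SNI")
    return findings
```

Run `lint(SAMPLE_CONFIG)` to list the four findings for the posted config; a config with an IP log target and mode http yields none.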