Old 10-18-2011, 02:52 AM
Tim Dunphy
 
Default haproxy ssl

hello list,

I am attempting to load balance SSL web servers using haproxy on centos 5.7.

I am using HA-Proxy version 1.4.18


Here is the stanza in the config regarding SSL:

listen https 192.168.1.200:443
    mode tcp
    balance roundrobin
    # NOTE: forwardfor and reqadd only take effect in "mode http"; in "mode tcp"
    # haproxy never parses the (encrypted) HTTP stream and cannot add headers.
    option forwardfor except 192.168.1.200
    option redispatch
    maxconn 10000
    # haproxy expects spaces in a reqadd value escaped: X-Forwarded-Proto:\ https
    reqadd X-Forwarded-Proto: https
    server web1 web1.summitnjhome.com:443 maxconn 5000
    server web2 web2.summitnjhome.com:443 maxconn 5000

I can connect to https on each web server and have it serve content. The IP 192.168.1.200 is a virtual IP created with keepalived and floating between two load balancers.


I can connect to the virtual IP via openssl s_client and GET / where I see the source code for the home page.


openssl s_client -connect 192.168.1.200:443


CONNECTED(00000003)
---
Certificate chain
0 s:/C=US/ST=NJ/L=Summit/O=SNJH/CN=*.example.com/emailAddress=bluethundr@example.com
i:/C=US/ST=NJ/L=Summit/O=SNJH/CN=*.example.com/emailAddress=bluethundr@example.com
---
Server certificate
subject=/C=US/ST=NJ/L=Summit/O=SNJH/CN=*.example.com/emailAddress=bluethundr@example.com
issuer=/C=US/ST=NJ/L=Summit/O=SNJH/CN=*.example.com/emailAddress=bluethundr@example.com
---
No client certificate CA names sent
---
SSL handshake has read 2361 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 74AE373F9F177593D9CF8FFDFE2EDEB6C11958BF03E5315FC4 9C0641A17A6277
Session-ID-ctx:
Master-Key: E4C07C8D40B045FB30F612966F587AC30E3859913795B22D58 6D598F9EB3FE5BD97F6511920793E29EA363FE9A3961DD
Key-Arg : None
Krb5 Principal: None
Start Time: 1318902076
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
<html>
<head>
<img src='Illustration.jpg'</img>
</head>
</html>
closed

For now it's just a demo page with more complex content living deeper in the directory structure.

A port scan with nmap shows that port 443 is open...


[root@VIRTCENT02:~] #nmap -p 443 192.168.1.200

Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2011-10-17 21:59 EDT
Interesting ports on 192.168.1.200:
PORT STATE SERVICE
443/tcp open https


And port 443 is being listened on..

[root@VIRTCENT02:~] #lsof -i :443
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
haproxy 1763 haproxy 6u IPv4 7586 TCP VIRTUAL.example.com:https (LISTEN)

[root@VIRTCENT01:~] #netstat -tulpn | grep 443
tcp 0 0 192.168.1.200:443 0.0.0.0:* LISTEN 1752/haproxy


But the page will not render in a web browser.

Unable to connect

Firefox can't establish a connection to the server at virtual.example.com.

And there is no activity in the haproxy debug logs when I hit the web page at this address which should map to that ip.

[root@VIRTCENT01:~] #host virtual.example.com
virtual.example.com has address 192.168.1.200

Thanks in advance!
tim
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 10-18-2011, 08:56 AM
John Doe
 
Default haproxy ssl

From: Tim Dunphy <bluethundr@jokefire.com>

> I am attempting to load balance SSL web servers using haproxy on centos 5.7.
> I am using HA-Proxy version 1.4.18

Never used haproxy but maybe you want 'option ssl-hello-chk'...
But search for "Since haproxy does not handle SSL" in their architecture (although old) doc...
Anyway, you'd get more answers if you ask their mailing list...

JD
 
Old 10-20-2011, 06:19 PM
Pasi Kärkkäinen
 
Default haproxy ssl

On Tue, Oct 18, 2011 at 08:34:13AM -0400, Brian Mathis wrote:
>
> You cannot use haproxy with SSL. You need to terminate the SSL
> connection before reaching haproxy, such as (already mentioned) using
> apache as a front end proxy.
>

apache.. or stunnel, or stux, or nginx, or <you name any other ssl capable frontend here>..

-- Pasi

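Putting the two replies together, here is an added example haproxy.cfg for HAProxy 1.4 (it is not any poster's config): TLS passthrough in mode tcp with the ssl-hello-chk health check JD mentions, plus an http-mode section fed by a separate TLS terminator (stunnel, nginx or apache, as Pasi suggests) where forwardfor and reqadd actually take effect. The backend hostnames come from the thread; the terminator address 127.0.0.1:8443, the plain-HTTP backend port 80 and the timeouts are assumptions.

```haproxy
# Added example for HAProxy 1.4, not any poster's config. 127.0.0.1:8443, the
# port-80 backends and the timeouts are assumed values.
global
    log 127.0.0.1 local0
    maxconn 10000
    user haproxy
    group haproxy
    daemon

defaults
    log global
    option redispatch
    retries 3
    timeout connect 5s
    timeout client 30s
    timeout server 30s

# Option A: TLS passthrough. haproxy 1.4 only relays TCP here, so it can
# neither read nor add HTTP headers; the backends keep their own certificates
# and see the proxy's address as the client (no X-Forwarded-For in this mode).
listen https_passthrough 192.168.1.200:443
    mode tcp
    balance source            # keep a client on one backend across connections
    option ssl-hello-chk      # health check sends an SSL ClientHello, not a bare TCP connect
    server web1 web1.summitnjhome.com:443 check maxconn 5000
    server web2 web2.summitnjhome.com:443 check maxconn 5000

# Option B: a TLS terminator (stunnel/nginx/apache) owns 192.168.1.200:443,
# decrypts, and forwards plaintext HTTP to 127.0.0.1:8443. Only here, in
# mode http, do forwardfor and reqadd apply. The terminator must itself pass
# the real client address (e.g. an X-Forwarded-For header from nginx), or
# haproxy only ever sees 127.0.0.1.
listen https_terminated 127.0.0.1:8443
    mode http
    balance roundrobin
    option httplog
    option forwardfor except 127.0.0.1
    # a space inside a reqadd value must be escaped with a backslash
    reqadd X-Forwarded-Proto:\ https
    server web1 web1.summitnjhome.com:80 check maxconn 5000
    server web2 web2.summitnjhome.com:80 check maxconn 5000
```

Use one option or the other on a given VIP port: both cannot bind 192.168.1.200:443 at once, and `haproxy -c -f haproxy.cfg` reports any directive the chosen mode does not support.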