HTTPS and HTTP over the same port in haproxy
I have a server with a REST API behind haproxy which listens on port 5000. The haproxy config sets up port 5000 to accept HTTPS connections from the client and then forwards the message to the server. This works correctly and here is the config for that port:
    frontend service-front-1
        bind 192.168.122.3:5000 ssl crt /etc/ssl/private/haproxy.pem ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
        option httplog
        option forwardfor except 127.0.0.0/8
        option http-server-close
        reqadd X-Forwarded-Proto:\ https
        mode http
        default_backend service-back

    backend service-back
        mode http
        balance leastconn
        stick store-request src
        stick-table type ip size 256k expire 30m
        option forwardfor
        option httplog
        option httpchk HEAD / HTTP/1.0\r\nUser-agent:\ osa-haproxy-healthcheck
        server controller00_container-442ea37a 172.29.237.76:5000 check port 5000 inter 12000 rise 1 fall 1
On the client side, I now have an application which is unable to do HTTPS and needs to connect to the server. It tries HTTP on port 5000, but as haproxy is expecting HTTPS on that port, things fail and I get:
Unable to establish connection ('Connection aborted.', BadStatusLine("''",))
Unfortunately, I cannot remove the HTTPS capabilities of port 5000 because some applications are expecting that. So, could I have both capabilities (HTTPS and HTTP) on port 5000? I tried by just adding another front with this config:
    frontend service-front-2
        bind 192.168.122.3:5000
        option httplog
        option forwardfor except 127.0.0.0/8
        option http-server-close
        mode http
        default_backend service-back
The result is that it works sometimes. It seems to me that haproxy randomly selects one of the two frontends that define port 5000, and if it is the one that the client expects, things work.
https haproxy
asked Nov 10 at 15:28
M. Buil
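
A check for the condition described in the question, where two frontends bind the same address and port and only one of them terminates TLS. This is an added example, not code from the original post or from the HAProxy project; the function names and the trimmed sample configuration are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: the two frontends from the question, trimmed to the
# lines that matter, plus one unrelated frontend as a negative case.
SAMPLE_CFG = """\
frontend service-front-1
    bind 192.168.122.3:5000 ssl crt /etc/ssl/private/haproxy.pem
    mode http
    default_backend service-back

frontend service-front-2
    bind 192.168.122.3:5000      # cleartext listener on the same socket address
    mode http
    default_backend service-back

frontend other-front
    bind 192.168.122.3:8080
    mode http
"""

SECTIONS = {"global", "defaults", "frontend", "listen", "backend"}


def find_bind_conflicts(cfg_text):
    """Map each address:port bound more than once to [(proxy, uses_ssl), ...].

    Limitation: addresses are compared as written, so ':5000' and '*:5000'
    are not recognised as overlapping.
    """
    binds = defaultdict(list)
    current = None
    for raw in cfg_text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, tokenise
        if not words:
            continue
        if words[0] in SECTIONS:
            named = words[0] in ("frontend", "listen") and len(words) > 1
            current = words[1] if named else None
        elif words[0] == "bind" and current and len(words) > 1:
            for addr in words[1].split(","):  # bind accepts a comma-separated list
                binds[addr].append((current, "ssl" in words[2:]))
    return {addr: owners for addr, owners in binds.items() if len(owners) > 1}


def mixed_tls(conflicts):
    """Addresses where a TLS listener and a cleartext listener collide."""
    return sorted(a for a, o in conflicts.items() if len({ssl for _, ssl in o}) == 2)
```

An address reported by `mixed_tls` is also one where `X-Forwarded-Proto` cannot be trusted as a per-port constant, since the backend receives both encrypted and cleartext client traffic from the same listener address.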