In my network I have a DNS server, an HAProxy server and 2 webservers. When I try to go through the HAProxy (getting the domain IP from the DNS server) it gives me a different error than when I go without it.
I don't care much about the HTTP connection with HAProxy, just SSL, so fixing that isn't a priority. When I run the following curl commands without HAProxy (writing the server IP in /etc/hosts) I get:
$ curl http://www.catsfood.com
<h1>www.catsfood.com</h1>
<h1>IP is: 10.0.0.14</h1>
$ curl https://www.catsfood.com -lv
* Trying 10.0.0.14:443...
* Connected to www.catsfood.com (10.0.0.14) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
Through the HAProxy server:
$ curl https://www.catsfood.com -lv
* Trying 10.0.0.17:443...
* Connected to www.catsfood.com (10.0.0.17) port 443 (#0)
...
* subjectAltName: host "www.catsfood.com" matched cert's "www.catsfood.com"
* issuer: C=IL; ST=Tel-Aviv; L=TLV; O=Ben Ltd; OU=Ben Ltd; CN=www.ben.com; m
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.catsfood.com
> User-Agent: curl/7.76.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.3 (IN), TLS alert, close notify (256):
* Empty reply from server
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (52) Empty reply from server
$ curl http://www.catsfood.com -lv
* Trying 10.0.0.17:80...
* Connected to www.catsfood.com (10.0.0.17) port 80 (#0)
> GET / HTTP/1.1
> Host: www.catsfood.com
> User-Agent: curl/7.76.1
> Accept: */*
>
* Empty reply from server
* Closing connection 0
curl: (52) Empty reply from server
The httpd.conf file is the same as the default one, but with Listen 443 added.
haproxy.cfg:
frontend web_frontend
    bind *:80
    bind *:443 ssl crt /etc/ssl/certs/apache-selfsigned.pem
    mode tcp
    option tcplog
    default_backend web1
    acl ACL_bighead.com hdr(host) -i www.bighead.com
    acl ACL_bighead.com hdr(host) -i bighead.com
    use_backend web2 if ACL_bighead.com

backend web1
    mode tcp
    option tcplog
    option tcp-check
    server web01 10.0.0.14:443 check ssl verify none

backend web2
    mode tcp
    option tcplog
    option tcp-check
    server web02 10.0.0.15:443 check ssl verify none
ssl.conf:
<VirtualHost www.bighead.com:443>
    ServerAdmin [email protected]
    DocumentRoot /var/www/html
    ServerName www.bighead.com:443
    ErrorLog /var/log/httpd/error_log
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
    SSLUseStapling off
</VirtualHost>

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"