
In my network I have a DNS server, an HAProxy server and 2 web servers. When I try to go through HAProxy (getting the domain IP from the DNS server) it gives me a different error than when I go without it.

I don't care much about the HTTP connection with HAProxy, just SSL, so fixing that isn't a priority. When I run the following curl commands without HAProxy (writing the server IP in /etc/hosts) I get:

$ curl http://www.catsfood.com
<h1>www.catsfood.com</h1>
<h1>IP is: 10.0.0.14</h1>
$ curl https://www.catsfood.com -lv
*   Trying 10.0.0.14:443...
* Connected to www.catsfood.com (10.0.0.14) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/pki/tls/certs/ca-bundle.crt
*  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

Through HAProxy server:

$ curl https://www.catsfood.com -lv
*   Trying 10.0.0.17:443...
* Connected to www.catsfood.com (10.0.0.17) port 443 (#0)
...
*  subjectAltName: host "www.catsfood.com" matched cert's "www.catsfood.com"
*  issuer: C=IL; ST=Tel-Aviv; L=TLV; O=Ben Ltd; OU=Ben Ltd; CN=www.ben.com; m
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.catsfood.com
> User-Agent: curl/7.76.1
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* TLSv1.3 (IN), TLS alert, close notify (256):
* Empty reply from server
* Closing connection 0
* TLSv1.3 (OUT), TLS alert, close notify (256):
curl: (52) Empty reply from server
$ curl http://www.catsfood.com -lv
*   Trying 10.0.0.17:80...
* Connected to www.catsfood.com (10.0.0.17) port 80 (#0)
> GET / HTTP/1.1
> Host: www.catsfood.com
> User-Agent: curl/7.76.1
> Accept: */*
> 
* Empty reply from server
* Closing connection 0
curl: (52) Empty reply from server

The httpd.conf file is the same as the default one, but with Listen 443 added.

haproxy.cfg:

frontend web_frontend
    bind *:80
    bind *:443 ssl crt /etc/ssl/certs/apache-selfsigned.pem
    mode tcp
    option tcplog
    default_backend web1
    acl ACL_bighead.com hdr(host) -i www.bighead.com
    acl ACL_bighead.com hdr(host) -i bighead.com
    use_backend web2 if ACL_bighead.com

backend web1
    mode tcp
    option tcplog
    option tcp-check
    server web01 10.0.0.14:443 check ssl verify none

backend web2
    mode tcp
    option tcplog
    option tcp-check
    server web02 10.0.0.15:443 check ssl verify none

ssl.conf:

<VirtualHost www.bighead.com:443>
ServerAdmin [email protected]
DocumentRoot /var/www/html
ServerName www.bighead.com:443
ErrorLog /var/log/httpd/error_log
SSLEngine on
SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
SSLUseStapling off
</VirtualHost>



SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff

SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

1 Answer

Don't put domain names in the <VirtualHost> tag. That's not what the field is for. If you want to match against the HTTP 'Host:' header (or against the TLS SNI), use ServerName and ServerAlias.

The <VirtualHost> tag takes a local IP address that'll be matched against whatever local address received the HTTP connection on the web server. This feature is used for IP-based virtual hosts (where each vhost has a dedicated IP address); not for name-based virtual hosts.

So for example, if the domain www.bighead.com points at the HAProxy server, then your Apache config works as if you actually specified <VirtualHost 10.0.0.17:443>, and that isn't going to match any connection to the web server (whose address is still 10.0.0.14!).

The OpenSSL error message "ssl3_get_record:wrong version number" usually indicates that it has received something that isn't an SSL/TLS packet at all – e.g. the server might have sent a plaintext HTTP response. (You could use tcpdump to find out.)

Why would the server send a plaintext HTTP response on an HTTPS port? Probably because the connection didn't match any virtual host that would have SSLEngine On – which is probably because you put the wrong addresses in all of your VirtualHost tags.

Generally, all your plain HTTP vhosts should use <VirtualHost *:80> and all your HTTPS virtual hosts should use <VirtualHost *:443> unless you have a specific need to do otherwise.

  • Omg you are amazing! Ty very much :D The problem was indeed the virtual host tag; I changed it on the server to * and it indeed worked! Ty very much :D
    – ben shalev
    Commented May 31, 2021 at 9:38
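
As an added example (not part of the question, the answer or the comment above): a small POSIX shell lint that flags the mistake the answer describes, a hostname where an IP literal or * belongs in a <VirtualHost> tag, run against a reproduction of the question's vhost and a corrected version that binds on *:443 and matches names with ServerName/ServerAlias. The certificate paths, DocumentRoot and the bighead.com names come from the question; the function names, the lint itself and the ServerAlias line are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post.
# lint_vhost_tags FILE: print every <VirtualHost ...> address in FILE that is
# not '*', '_default_', an IPv4 literal or a bracketed IPv6 literal (an
# optional :port is stripped first). Returns 1 if any such address is found.
# A hostname here is resolved once at startup and matched against the LOCAL
# address of the connection, which is the failure mode in the answer above.
lint_vhost_tags() {
    bad=$(sed -n 's/^[[:space:]]*<VirtualHost[[:space:]][[:space:]]*\([^>]*\)>.*/\1/p' "$1" \
        | tr ' ' '\n' \
        | sed 's/:[0-9]*$//' \
        | grep -v -E '^(\*|_default_|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+|\[[0-9a-fA-F:]+\])$' \
        || true)
    if [ -n "$bad" ]; then
        # shellcheck disable=SC2086  (word splitting is intended: one line per address)
        printf 'hostname in <VirtualHost> tag: %s\n' $bad >&2
        return 1
    fi
    return 0
}

# write_original_vhost FILE: the vhost from the question's ssl.conf, reduced
# to the lines relevant to the check. Constructed reproduction, not a capture.
write_original_vhost() {
    cat > "$1" <<'EOF'
<VirtualHost www.bighead.com:443>
    ServerName www.bighead.com:443
    SSLEngine on
</VirtualHost>
EOF
}

# write_fixed_vhost FILE: the same vhost in the form the answer recommends.
# Binding on *:443 matches any local address; the TLS SNI / Host header is
# matched by ServerName and ServerAlias. The ServerAlias line is an assumption.
write_fixed_vhost() {
    cat > "$1" <<'EOF'
<VirtualHost *:443>
    ServerName www.bighead.com
    ServerAlias bighead.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/apache-selfsigned.crt
    SSLCertificateKeyFile /etc/ssl/private/apache-selfsigned.key
</VirtualHost>
EOF
}

# Offline demo on constructed files: the original vhost fails, the fixed one passes.
demo_dir=$(mktemp -d)
write_original_vhost "$demo_dir/original.conf"
write_fixed_vhost "$demo_dir/fixed.conf"
lint_vhost_tags "$demo_dir/original.conf" && echo "original.conf: ok" || echo "original.conf: FAIL"
lint_vhost_tags "$demo_dir/fixed.conf"    && echo "fixed.conf: ok"    || echo "fixed.conf: FAIL"
rm -r "$demo_dir"
```

On a live server the same question can be put to Apache itself: `apachectl -S` (short for `-t -D DUMP_VHOSTS`) prints each vhost together with the address it was actually bound to, so a tag like <VirtualHost www.bighead.com:443> shows up as whatever IP that name resolved to at startup. To confirm what the server is really sending on port 443, `openssl s_client -connect 10.0.0.14:443 -servername www.catsfood.com` will fail with the same "wrong version number" error if Apache answers in plaintext, while `tcpdump` (as the answer suggests) shows the HTTP response bytes directly.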
