Hi,
On Friday I tested a haproxy configuration acting as a TCP proxy for SSL connections towards nginx. After some digging it started working. Today, however, it stopped working and I have no idea why.
debian9, haproxy 1.7.5, nginx 1.10.3
haproxy:
frontend ssl
    bind *:443
    mode tcp
    option tcplog
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend backends-ssl if { req.ssl_sni -i web.domain.tld }
    # default_backend backends-ssl
backend backends-ssl
    balance roundrobin
    stick-table type ip size 1m expire 6h peers proxypeers
    stick on src
    option httpchk HEAD / HTTP/1.1\r\nHost:\ default.domain.tld\r\n\User-Agent:\ haproxy
    default-server inter 5s fall 3 rise 2
    mode tcp
    server w01 IP1:443 check ssl verify none send-proxy
    server w02 IP2:443 check ssl verify none send-proxy
nginx "default" server {}:
    listen 443 ssl proxy_protocol default_server;
    real_ip_header proxy_protocol;
nginx "web" server {}:
    listen 443 ssl;
    real_ip_header proxy_protocol;
From the haproxy log it appears that w01 and w02 are online, and that a request for "web" is routed to one of the backends. But the result is this:
firefox: SSL_ERROR_RX_RECORD_TOO_LONG
curl: * ALPN, offering http/1.1
* gnutls_handshake() failed: An unexpected TLS packet was received.
* Closing connection 0
curl: (35) gnutls_handshake() failed: An unexpected TLS packet was received.
nginx: IP - - - [17/Jul/2017:13:13:50 +0200] "_" "\x16\x03\x01\x01\x13\x01\x00\x01\x0F\x03\x03Yl\x9B\x84.\xB9'?\x1A." 400 166 "-" "-" 0.003
From what I have found, it is as if nginx suddenly ignored "proxy_protocol" (type v2). Trying "send-proxy{-ssl|-v2}" in haproxy changed nothing. According to the nginx documentation, "proxy_protocol" should be defined on the first "listen" for the given port. If "default" comes alphabetically before "web", it should work. Does anyone know where the catch is?
Thanks, MP
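The nginx log line above shows the connection opening with 0x16 0x03 0x01, a raw TLS record header, where a PROXY header or plaintext HTTP was expected. As an added example (not part of the post), this small Python classifier tells the three cases apart and decodes the PROXY v1/v2 fields, which is how one can check what actually arrives at the backend; the 192.0.2.x addresses and ports are constructed, and only the bytes of the first sample come from the post.

```python
import re
import struct

# Fixed 12-byte signature that opens every PROXY protocol v2 header
# (what haproxy emits with send-proxy-v2).
PROXY_V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"
# PROXY protocol v1 (haproxy send-proxy) is a single ASCII line.
PROXY_V1_RE = re.compile(rb"^PROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d+) (\d+))?\r\n")

def classify_first_bytes(data: bytes) -> dict:
    """Classify the start of a connection: PROXY v1/v2 header, bare TLS record, HTTP, or unknown."""
    if data.startswith(PROXY_V2_SIG) and len(data) >= 16:
        # byte 12: version (high nibble) and command (low nibble: 0 LOCAL, 1 PROXY)
        # byte 13: address family/transport; bytes 14-15: length of the address block
        ver_cmd, fam, addr_len = struct.unpack("!BBH", data[12:16])
        res = {"kind": "proxy-v2",
               "command": "PROXY" if ver_cmd & 0x0F == 1 else "LOCAL",
               "payload_offset": 16 + addr_len}
        if fam == 0x11 and addr_len >= 12:  # 0x11 = TCP over IPv4
            s, d, sp, dp = struct.unpack("!4s4sHH", data[16:28])
            res.update(src=".".join(map(str, s)), dst=".".join(map(str, d)),
                       sport=sp, dport=dp)
        return res
    m = PROXY_V1_RE.match(data)
    if m:
        res = {"kind": "proxy-v1", "family": m.group(1).decode(),
               "payload_offset": m.end()}
        if m.group(2):
            res.update(src=m.group(2).decode(), dst=m.group(3).decode(),
                       sport=int(m.group(4)), dport=int(m.group(5)))
        return res
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x03
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x03:
        return {"kind": "tls-record", "payload_offset": 0,
                "handshake": "ClientHello" if data[5] == 0x01 else "other"}
    if re.match(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH|CONNECT) ", data):
        return {"kind": "http", "payload_offset": 0}
    return {"kind": "unknown", "payload_offset": 0}

# Constructed samples; the first one is the request string from the nginx log in the post.
FROM_NGINX_LOG = b"\x16\x03\x01\x01\x13\x01\x00\x01\x0F\x03\x03Yl\x9B\x84.\xB9'?\x1A."
PROXY_V1_THEN_TLS = b"PROXY TCP4 192.0.2.10 192.0.2.20 51234 443\r\n" + FROM_NGINX_LOG
PROXY_V2_THEN_TLS = (PROXY_V2_SIG + bytes([0x21, 0x11]) + struct.pack("!H", 12)
                     + bytes([192, 0, 2, 10, 192, 0, 2, 20]) + struct.pack("!HH", 51234, 443)
                     + FROM_NGINX_LOG)

if __name__ == "__main__":
    for name, sample in [("nginx log", FROM_NGINX_LOG), ("v1", PROXY_V1_THEN_TLS), ("v2", PROXY_V2_THEN_TLS)]:
        print(name, classify_first_bytes(sample))
```

A backend that logs the first sample as a 400 has not seen a PROXY header at all; comparing its classification with the v1 and v2 samples shows what haproxy should have put in front of the ClientHello.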