Ejabberd with haproxy ssl termination


Has anyone succeeded with ejabberd + SSL termination with HAProxy 1.7?

frontend ejabberd
    bind *:4000 ssl crt /etc/haproxy/certs/my-domain.com.pem
    mode tcp
    timeout client  3h
    option tcplog
    option clitcpka
    default_backend ejabberd

backend ejabberd
    mode tcp
    timeout server  60m
    option redispatch
    option srvtcpka
    option independent-streams
    balance leastconn
    default-server inter 5s rise 3 fall 3 on-marked-down shutdown-sessions
    server ejabberd localhost:5222 check slowstart 120s

It works fine without `ssl crt`. My Smack client gives me "No response received within reply timeout. Timeout was 5000ms (~5s)" while waiting to establish TLS.

I also tried with and without TLS in the ejabberd config.


Solution

  • I was able to get the exact configuration working; you need to:

    1. Disable TLS in ejabberd, since HAProxy is doing the SSL offloading and ejabberd is hosted on the same machine:

      • Comment out the certfile line
      • Comment out the starttls line
    2. Correctly configure your client. I used Pidgin, but you should be able to do the same with Smack:

      • Configure the address and port correctly (4000 here)
      • Ensure that you use "old style TLS" and not STARTTLS; the latter won't work with HAProxy.

    Otherwise, if you want clients to use a STARTTLS configuration, then you have to configure HAProxy to proxy the encrypted XMPP traffic as-is (removing "ssl crt ..").
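The two client behaviours the answer contrasts, as an added example that is not part of the original question or answer and is not Smack's, Pidgin's or ejabberd's code. It implements both XMPP connection styles from RFC 6120 (direct "old style" TLS: handshake first, stream header inside the tunnel; STARTTLS: plaintext stream header, `<starttls/>`, `<proceed/>`, then the handshake) and a small model of what a `bind ... ssl crt` frontend does with a client's first bytes: it expects a TLS record, so a STARTTLS client's plaintext `<stream:stream>` header never gets a `<stream:features>` back and the client's reply timer expires, which is the Smack timeout described above. Host, port and domain are hypothetical; `probe()` touches the network only when run with arguments, the rest runs offline. One caveat the answer relies on but does not spell out: once `starttls` and `certfile` are commented out, ejabberd's 5222 listener is plaintext, so it should stay bound to loopback (or a private interface) and only HAProxy's 4000 should be reachable from clients.

```python
"""Direct-TLS vs STARTTLS XMPP client probes, plus a model of an HAProxy
`bind ... ssl crt` frontend's view of the first client bytes.
Added example; host/port/domain values are assumptions, not from the post."""
import socket
import ssl
import sys

TLS_HANDSHAKE_RECORD = 0x16          # content type of a TLS Handshake record (ClientHello)
XMPP_TLS_NS = b"urn:ietf:params:xml:ns:xmpp-tls"


def stream_header(domain: str) -> bytes:
    """Opening <stream:stream> an XMPP client sends (RFC 6120 section 4.2)."""
    return (
        "<?xml version='1.0'?>"
        f"<stream:stream to='{domain}' version='1.0' xmlns='jabber:client' "
        "xmlns:stream='http://etherx.jabber.org/streams'>"
    ).encode()


def offers_starttls(features_xml: bytes) -> bool:
    """True if a <stream:features> reply advertises STARTTLS."""
    return b"<starttls" in features_xml and XMPP_TLS_NS in features_xml


def tls_frontend_verdict(first_bytes: bytes) -> str:
    """What a TLS-terminating frontend (HAProxy `bind *:4000 ssl crt ...`) makes
    of the first bytes a client sends. It runs the TLS handshake immediately, so
    only a TLS record is acceptable; a plaintext XMPP stream header (what a
    STARTTLS client sends first) fails the handshake and is never forwarded."""
    if first_bytes[:1] == bytes([TLS_HANDSHAKE_RECORD]):
        return "tls-handshake"
    return "not-tls: handshake fails, no <stream:features> is ever returned"


def connect_direct_tls(host: str, port: int, domain: str, timeout: float = 5.0) -> bytes:
    """Old-style TLS: TLS first, then the stream header inside the tunnel."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=domain) as tls:
            tls.sendall(stream_header(domain))
            return tls.recv(4096)           # expect <stream:stream ...><stream:features>


def connect_starttls(host: str, port: int, domain: str, timeout: float = 5.0) -> bytes:
    """STARTTLS: plaintext header, wait for features, negotiate, then TLS.
    Against a TLS-terminating frontend the first recv() below never gets a
    valid answer, which is where a client's reply timeout fires."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(stream_header(domain))
        features = raw.recv(4096)
        if not offers_starttls(features):
            raise RuntimeError(f"server did not offer STARTTLS: {features!r}")
        raw.sendall(b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>")
        reply = raw.recv(4096)
        if b"<proceed" not in reply:
            raise RuntimeError(f"expected <proceed/>, got {reply!r}")
        with ctx.wrap_socket(raw, server_hostname=domain) as tls:
            tls.sendall(stream_header(domain))   # stream restarts after TLS
            return tls.recv(4096)


def probe(host: str, port: int, domain: str, mode: str) -> bytes:
    """Dispatch on the client style the answer talks about."""
    if mode == "direct":
        return connect_direct_tls(host, port, domain)
    if mode == "starttls":
        return connect_starttls(host, port, domain)
    raise ValueError(mode)


if __name__ == "__main__":
    if len(sys.argv) == 5:                     # e.g. my-domain.com 4000 my-domain.com direct
        host, port, domain, mode = sys.argv[1], int(sys.argv[2]), sys.argv[3], sys.argv[4]
        print(probe(host, port, domain, mode)[:200])
    else:
        # Offline demonstration with constructed bytes: what the ssl frontend sees
        # from each client style on port 4000.
        print("STARTTLS client first bytes ->", tls_frontend_verdict(stream_header("my-domain.com")))
        print("direct-TLS client first bytes ->", tls_frontend_verdict(b"\x16\x03\x01\x00\xa5\x01\x00"))
```

To verify a deployment from the outside, `openssl s_client -connect my-domain.com:4000` should complete a handshake on the HAProxy port, while the same against 5222 (if reachable at all after disabling `starttls`) will not, which is the reason to keep 5222 on loopback.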