I have an nginx from my client where I can POST successfully with:
curl -v --cacert ca.crt --cert client.crt --key client.key -X POST https://nginx:8443/api/ -H 'Content-Type: application/json' -H 'cache-control: no-cache' -d @test.json
Now I installed an haproxy in front of nginx and I'm trying to do a POST the same way, without success:
curl -v --cacert ca.crt --cert client.crt --key client.key -X POST http://haproxy:8443/api/ -H 'Content-Type: application/json' -H 'cache-control: no-cache' -d @test.json
Error:
The plain HTTP request was sent to HTTPS port
nginx
Here is my haproxy configuration:
global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon
    stats socket /var/lib/haproxy/stats

defaults
    mode tcp
    log global
    option tcplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000

frontend main
    bind *:8443
    acl url_static path_beg -i /static /images /javascript /stylesheets
    acl url_static path_end -i .jpg .gif .png .css .js
    use_backend static if url_static
    default_backend app

backend static
    balance roundrobin
    server static 127.0.0.1:8443

backend app
    mode tcp
    balance roundrobin
    server nginx nginx01:8443
I want to forward SSL traffic through HAProxy and pass the certificates for authentication to nginx. I know it doesn't make any sense to have two LBs, but I can't modify nginx or the API server behind it; the clients will be internal. As you can see, at this point I'm able to reach nginx, but haproxy doesn't pass the certificates and keys from the request to the nginx backend. Am I missing something? Is this something that I can achieve?
PS: If I set 'ssl verify none' at the backend, I get 'No required SSL certificate was sent'. If I set 'send-proxy' at the backend, I get '400 Bad Request' from nginx.
The solution implemented was SSL/TLS pass-through, from https://www.haproxy.com/documentation/haproxy/deployment-guides/tls-infrastructure/. Setting both frontend and backend to mode tcp, I was able to pass the certificates through, and nginx validated them and performed the authentication.
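An added example (not the poster's configuration) of the TLS pass-through the answer describes: HAProxy relays the encrypted stream untouched, so the handshake, including the client certificate, is completed by nginx, which remains the only component that authenticates clients and the only place where the client identity can be logged. Hostnames, ports and file names follow the question; the frontend/backend names and the 5s inspect delay are my choices, and the path ACLs and `static` backend are omitted because in mode tcp the proxy sees only encrypted bytes (apart from the SNI), so HTTP-path routing cannot work.

```haproxy
# Added example: TLS pass-through so nginx performs client-certificate (mTLS) auth.
# HAProxy never terminates TLS; the ClientHello and everything after it are
# forwarded as-is, so nginx sees the real client certificate.
global
    log 127.0.0.1 local2
    daemon
    maxconn 4000

defaults
    mode tcp                    # layer 4 only: no http-* options belong here
    log global
    option tcplog
    option dontlognull
    timeout connect 10s
    timeout client 1m
    timeout server 1m

frontend tls_passthrough
    bind *:8443                 # plain TCP listener: deliberately no 'ssl crt'
    # Wait for the first bytes and forward only a TLS ClientHello (hello type 1).
    # Plaintext HTTP (e.g. curl to http://haproxy:8443) is rejected at the proxy
    # instead of reaching nginx and producing
    # "The plain HTTP request was sent to HTTPS port".
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    tcp-request content reject
    default_backend nginx_mtls

backend nginx_mtls
    mode tcp
    balance roundrobin
    # No 'ssl' keyword on the server line: 'ssl verify none' would make HAProxy
    # open its own TLS session to nginx without a client certificate, which is
    # why nginx answered "No required SSL certificate was sent". 'send-proxy'
    # only works if nginx's listen directive also carries proxy_protocol.
    server nginx01 nginx01:8443 check

# Client side: the scheme must be https, because the TLS handshake (and with it
# the client certificate) terminates at nginx, not at HAProxy:
#   curl --cacert ca.crt --cert client.crt --key client.key -X POST \
#        https://haproxy:8443/api/ -H 'Content-Type: application/json' -d @test.json
```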