
Sticky sessions and SSL passthrough


I'm working with HAProxy 1.5.18, where I would like to keep the passthrough configuration for SSL requests but would also like to enable sticky sessions. This is an extract of my config; the problem with it is that the cookie is not set and I don't have any error trace.

Does someone have any idea what the problem could be? It should be possible to set the cookie without SSL termination, isn't it?

global
    log         127.0.0.1 local2 info
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid

    # runtime API socket (enable/disable servers from the CLI)
    stats socket /var/run/haproxy.sock mode 600 level admin
    stats timeout 2m

    user        haproxy
    group       haproxy

    daemon

defaults
    mode               http
    log                global

    # get HTTP request log
    option             httplog

    # timeout if backends do not reply
    timeout connect    10s

    # timeout on client side
    timeout client     60s

    # timeout on server side
    timeout server     60s

# enable stats page
listen  stats   *:8888
    mode            http
    log             global

    stats enable
    stats hide-version
    stats refresh 30s
    stats show-node
    stats admin if TRUE
    stats auth admin:*****
    stats uri  /stats

frontend HAProxy_Frontend
    # listen on multiple ports
    bind *:80
    bind *:443
    reqadd X-Forwarded-Proto:\ https
    mode tcp
    option httplog

    default_backend    HAProxy_Backend_default

backend HAProxy_Backend_otcs
    # balance with leastconn
    mode               tcp
    balance            leastconn
    cookie SERVER insert indirect nocache
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }

    # health check on a URL
    option httpchk GET /context/ping
    option log-health-checks
    http-check expect string true

    # define backend servers
    server             SRV0009 xx.xxx.x.xxx:443 check check-ssl verify none cookie SRV0009 backup
    server             SRV0010 xx.xxx.x.xxx:443 check check-ssl verify none cookie SRV0010
    server             SRV0012 xx.xxx.x.xxx:443 check check-ssl verify none cookie SRV0012

    errorfile 503 /etc/haproxy/errorfiles/503.html


Solution

  • It should be possible to set the cookie without SSL termination, isn't it?

    No, it should not! Without SSL termination, you are talking about a man-in-the-middle attack on encrypted data. A cookie is an HTTP header and as such is part of the encrypted payload.
    In your config you use mode tcp, so you can attempt stickiness based on TCP values, like IP or IP+port, or switch to mode http and SSL termination and then modify HTTP headers as much as you like, including stickiness based on cookies.

    P.S. 1.5.18 was released on 2016-05-10; maybe it's time to update it :)
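The two routes the answer describes, written out side by side as an added HAProxy 1.5 configuration example. This is not the asker's config and not code from the HAProxy project. Section names, the 192.0.2.x server addresses (the documentation address range), and the certificate and CA file paths are assumptions; the health-check URL, cookie name and server names are taken from the question.

```haproxy
# ---------------------------------------------------------------------------
# Option A: keep SSL passthrough (mode tcp). HAProxy never sees the HTTP
# layer, so it cannot read or insert a cookie. Stickiness has to be derived
# from what IS visible on an unterminated connection: the client source IP.
# ---------------------------------------------------------------------------
frontend fe_https_passthrough
    bind *:443
    mode tcp
    option tcplog                      # httplog is meaningless for a TCP proxy
    default_backend be_https_passthrough

backend be_https_passthrough
    mode tcp
    balance leastconn
    # stick-table keyed on client IP (assumed sizing): the first connection
    # from an address learns a server, later connections follow it
    stick-table type ip size 200k expire 30m
    stick on src
    # health checks are independent of the proxied traffic, so an HTTPS
    # check of the ping URL still works in tcp mode
    option httpchk GET /context/ping
    http-check expect string true
    # ASSUMPTION: backend CA bundle; the question used "verify none"
    server SRV0010 192.0.2.10:443 check check-ssl verify required ca-file /etc/haproxy/certs/backend-ca.pem
    server SRV0012 192.0.2.12:443 check check-ssl verify required ca-file /etc/haproxy/certs/backend-ca.pem
    server SRV0009 192.0.2.9:443  check check-ssl verify required ca-file /etc/haproxy/certs/backend-ca.pem backup

# ---------------------------------------------------------------------------
# Option B: terminate SSL on HAProxy (mode http). Now the HTTP headers are in
# the clear inside the proxy, so cookie-based stickiness and X-Forwarded-Proto
# work; the connection to the backend is re-encrypted with "ssl".
# ---------------------------------------------------------------------------
frontend fe_https_terminated
    bind *:80
    # ASSUMPTION: PEM file holding the server certificate, chain and key
    bind *:443 ssl crt /etc/haproxy/certs/site.pem
    mode http
    option httplog
    # send plain-HTTP clients to HTTPS so the cookie is only ever set over TLS
    redirect scheme https code 301 if !{ ssl_fc }
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    default_backend be_http_sticky

backend be_http_sticky
    mode http
    balance leastconn
    # "secure" and "httponly" keep the stickiness cookie off plain HTTP and
    # out of reach of page scripts
    cookie SERVER insert indirect nocache secure httponly
    option httpchk GET /context/ping
    http-check expect string true
    # "ssl" re-encrypts to the backend; checks inherit it, so no check-ssl needed
    server SRV0010 192.0.2.10:443 ssl verify required ca-file /etc/haproxy/certs/backend-ca.pem check cookie SRV0010
    server SRV0012 192.0.2.12:443 ssl verify required ca-file /etc/haproxy/certs/backend-ca.pem check cookie SRV0012
    server SRV0009 192.0.2.9:443  ssl verify required ca-file /etc/haproxy/certs/backend-ca.pem check cookie SRV0009 backup
```

Validate either variant with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; 1.5 will warn that a `cookie` directive in a tcp backend is ignored, which is the silent failure the question describes. Option A's trade-off is that every client behind one NAT address lands on the same server; Option B gives per-client stickiness but makes HAProxy the TLS endpoint, so the private key lives on the proxy and backend certificate validation (`verify required` here, `verify none` in the original) decides whether the re-encrypted hop is actually authenticated.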