I'm working with HAProxy 1.5.18 where I would like to keep the passthrough configuration for SSL requests but I would like to enable the sticky-session. This is an extract of my config and the problem with it is that the cookie is not set and I don't have any error trace.
Does someone have any idea on what the problem could be? It should be possible to set the cookie without SSL termination, isn't it?
global
    log 127.0.0.1 local2 info
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    #Enable/Disable server
    stats socket /var/run/haproxy.sock mode 600 level admin
    stats timeout 2m
    user haproxy
    group haproxy
    daemon

defaults
    mode http
    log global
    #get HTTP request log
    option httplog
    #timeout if backends do not reply
    timeout connect 10s
    #timeout on client side
    timeout client 60s
    #timeout on server side
    timeout server 60s

#enable stats
listen stats *:8888
    mode http
    log global
    stats enable
    stats hide-version
    stats refresh 30s
    stats show-node
    stats admin if TRUE
    stats auth admin:*****
    stats uri /stats

frontend HAProxy_Frontend
    # listen multiple ports
    bind *:80
    bind *:443
    reqadd X-Forwarded-Proto:\ https
    mode tcp
    option httplog
    default_backend HAProxy_Backend_default

backend HAProxy_Backend_otcs
    # balance with roundrobin
    mode tcp
    balance leastconn
    cookie SERVER insert indirect nocache
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
    # health-check on URL implementation
    option httpchk GET /context/ping
    option log-health-checks
    http-check expect string true
    # define backend servers
    server SRV0009 xx.xxx.x.xxx:443 check check-ssl verify none cookie SRV0009 backup
    server SRV0010 xx.xxx.x.xxx:443 check check-ssl verify none cookie SRV0010
    server SRV0012 xx.xxx.x.xxx:443 check check-ssl verify none cookie SRV0012
    errorfile 503 /etc/haproxy/errorfiles/503.html
It should be possible to set the cookie without SSL termination, isn't it?

No, it should not! Without SSL termination you are talking about a man-in-the-middle attack on encrypted data. A cookie is an HTTP header and as such is part of the encrypted payload.

In your config you use mode tcp, so you can attempt stickiness based on TCP values, like IP or IP+port, or switch to mode http and SSL termination and then modify HTTP headers as much as you like, including stickiness based on cookies.

P.S. 1.5.18 was released on 2016-05-10, maybe it's time to update it :)
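The two options the answer describes, written out as an added example configuration (not the poster's config and not the answerer's): the first keeps TLS passthrough and sticks on the client source address, which is all HAProxy can see in mode tcp; the second terminates TLS so the SERVER cookie can actually be inserted and read. The server names come from the question; the frontend/backend names, the 192.0.2.x addresses and the certificate path are placeholders.

```haproxy
# Option 1: TLS passthrough kept, stickiness on the client's source IP.
# HAProxy never sees the HTTP layer here, so no cookie can be set.
frontend fe_tls_passthrough
    bind *:443
    mode tcp
    option tcplog
    default_backend be_tls_passthrough

backend be_tls_passthrough
    mode tcp
    balance leastconn
    # one entry per client IP, forgotten after 30 minutes of inactivity
    stick-table type ip size 100k expire 30m
    stick on src
    option httpchk GET /context/ping
    http-check expect string true
    server SRV0010 192.0.2.10:443 check check-ssl verify none
    server SRV0012 192.0.2.12:443 check check-ssl verify none
    server SRV0009 192.0.2.9:443 check check-ssl verify none backup

# Option 2: TLS terminated on HAProxy, cookie-based stickiness.
# The cookie is an HTTP header, so it is only usable once TLS ends here.
frontend fe_tls_terminated
    bind *:443 ssl crt /etc/haproxy/certs/site.pem   # placeholder cert path
    mode http
    option httplog
    http-request set-header X-Forwarded-Proto https
    default_backend be_cookie_sticky

backend be_cookie_sticky
    mode http
    balance leastconn
    # HAProxy inserts SERVER itself; httponly/secure keep it out of scripts and plain HTTP
    cookie SERVER insert indirect nocache httponly secure
    option httpchk GET /context/ping
    http-check expect string true
    # re-encrypt towards the backends; "verify none" mirrors the question's health checks
    server SRV0010 192.0.2.10:443 ssl verify none check cookie SRV0010
    server SRV0012 192.0.2.12:443 ssl verify none check cookie SRV0012
    server SRV0009 192.0.2.9:443 ssl verify none check cookie SRV0009 backup
```

Only one of the two frontends can bind *:443 at a time; with option 1, `show table be_tls_passthrough` on the stats socket lists the source addresses currently pinned to a server.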