
I have an old server which runs a Tomcat service on port 8080. For various reasons (including securing the access from clients) I had to set up an HAProxy server in front of it, secured with an SSL cert.

This is the HAProxy relevant config:

frontend myservice
    mode    tcp
    option  tcplog
    option  logasap
    log     global
    option  tcpka
    bind    10.10.10.10:80
    bind    10.10.10.10:443 ssl crt /etc/ssl/haproxy/myservice.example.org.pem
    acl secure dst_port eq 443
    http-response add-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;"
    http-response replace-header Set-Cookie (.*) \1;\ Secure if secure
    use_backend bck_myservice if { hdr(Host) -i myservice.example.org myservice }
    default_backend bck_deny

backend bck_myservice
    mode     tcp
    balance  leastconn
    option   prefer-last-server
    server   oldserver.example.org oldserver.example.org:8080 weight 1 check port 8080 inter 2000 rise 2 fall 5 ssl verify none

backend bck_deny
    mode http
    http-request deny

10.10.10.10 is the VIP of the new service, mapped to myservice.example.org.

Accessing http://oldserver.example.org:8080 works fine as usual.

The problem: https://myservice.example.org results in an error "403 Forbidden". Accessing that URL does not seem to hit the Tomcat backend, as there is no trace of it in the Tomcat logs. (Note: the HAProxy config used to have mode http but it resulted in an error "503 Service Unavailable".)

1 Answer


It turns out the issue was caused by the option that disables SSL certificate verification in the backend: ssl verify none.

This is the corrected, working config:

frontend myservice
    mode    tcp
    option  tcplog
    option  logasap
    log     global
    option  tcpka
    bind    10.10.10.10:80
    bind    10.10.10.10:443 ssl crt /etc/ssl/haproxy/myservice.example.org.pem
    acl secure dst_port eq 443
    http-response add-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;"
    http-response replace-header Set-Cookie (.*) \1;\ Secure if secure
    use_backend bck_myservice if { hdr(Host) -i myservice.example.org myservice }
    default_backend bck_deny

backend bck_myservice
    mode     tcp
    balance  leastconn
    option   prefer-last-server
    server   oldserver.example.org oldserver.example.org:8080 weight 1 check port 8080 inter 2000 rise 2 fall 5

backend bck_deny
    mode http
    http-request deny 
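Added example, not the asker's or the answerer's configuration: the same proxy rewritten in HTTP mode, which is what the directives used on this page require. `http-response`, `http-request` and the `hdr()` / `req.hdr()` fetches only apply to HTTP-mode traffic, so in a `mode tcp` frontend the HSTS header, the Secure-cookie rewrite and the Host-based `use_backend` rule do nothing. Two further points worth checking in the original: the `ssl` keyword on a `server` line makes HAProxy initiate a TLS handshake towards the backend (`verify none` only disables certificate checking), which a plain-HTTP Tomcat on 8080 cannot complete; and a bare `http-request deny` answers 403 by default, so a 403 from this setup is exactly what a request landing in `bck_deny` produces. `haproxy -c -f <cfg>` validates the file and warns about HTTP-only directives in a TCP proxy. The hostname, VIP, certificate path and backend address are taken from the question; it is assumed (not stated on the page) that Tomcat listens in plain HTTP on 8080 and has RemoteIpValve enabled so it honours the X-Forwarded-* headers.

```haproxy
# Added example (not the original poster's config). Assumptions: Tomcat speaks
# plain HTTP on oldserver.example.org:8080 and has RemoteIpValve configured.

frontend myservice
    mode    http
    option  httplog
    log     global
    bind    10.10.10.10:80
    bind    10.10.10.10:443 ssl crt /etc/ssl/haproxy/myservice.example.org.pem

    # Port 80 exists only to bounce clients onto TLS; the app is never served there.
    http-request redirect scheme https code 301 unless { ssl_fc }

    # Route only the expected host names; anything else falls through to bck_deny.
    acl host_ok req.hdr(host) -i myservice.example.org myservice
    use_backend bck_myservice if host_ok
    default_backend bck_deny

    # Let Tomcat see the real client address and that the outer hop was TLS.
    option forwardfor
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Port  443   if { ssl_fc }

    # HSTS and the Secure cookie flag belong to the TLS listener only.
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" if { ssl_fc }
    http-response replace-header Set-Cookie (.*) \1;\ Secure if { ssl_fc }

backend bck_myservice
    mode     http
    balance  leastconn
    option   prefer-last-server
    # No "ssl" keyword: the old Tomcat listens in plain HTTP, so HAProxy must
    # not start a TLS handshake towards it. Health check defaults to the server port.
    server   oldserver oldserver.example.org:8080 weight 1 check inter 2000 rise 2 fall 5

backend bck_deny
    mode http
    # Returns 403 by default; this is where unknown Host headers end up.
    http-request deny
```

After `haproxy -c -f /etc/haproxy/haproxy.cfg` passes and the service is reloaded, `curl -sI http://myservice.example.org/` should return a 301 to the https URL, `curl -sI https://myservice.example.org/` should return Tomcat's response carrying the Strict-Transport-Security header, and `curl -skI -H 'Host: unknown' https://10.10.10.10/` should return the 403 from `bck_deny` (`-k` because the certificate does not match the bare IP). A request that still answers 403 with a matching Host header means the `use_backend` rule is not matching, not that Tomcat rejected it; the Tomcat access log should stay empty in that case, as the question observes.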
