Unable to configure haproxy with ssl

I want to make my server SSL protected; it has two parts, one for the website and another for the application.

To balance them we have used HAProxy. Now we want to secure this HAProxy. I have installed the certificates and key files.

While configuring haproxy.cfg as follows:

frontend https
bind    *:443 ssl crt /etc/ssl/ssl.key/myserver.key /etc/ssl/certs/www_appointpress_com.ca-bundle /etc/ssl/certs/somefile.crt
acl hari path_beg /customers
acl css path_beg /assets
reqadd X-Forwarded-Proto:\ https
default_backend appointpress_site

While restarting haproxy I am getting an error like:

bind only supports transparent ...... options.

How can I resolve this error?

Try this, at least in this version (own build):

root@server5:~# haproxy -vv

HA-Proxy version 1.5-dev17 2012/12/28
Copyright 2000-2012 Willy Tarreau <w@1wt.eu>

Build options :
  TARGET  = linux2628
  CPU     = native
  CC      = gcc
  CFLAGS  = -O2 -march=native -g -fno-strict-aliasing

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version :
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1 14 Mar 2012
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Then try a configuration of this kind in haproxy:

listen ssl_relay
    # Added for completeness: a listen section needs a bind line, which the
    # original snippet left out. Port 443 is assumed from the question.
    bind *:443
    # this only works with 1.5 haproxy, it accepts multiple SSL and sends it
    # off to the correct backend which does the SSL termination.
    mode tcp
    balance roundrobin
    option tcplog
    option socket-stats
    # option ssl-hello-chk  -> This is not needed anymore; in fact,
    # it needs to be off

    # maximum SSL session ID length is 32 bytes.
    stick-table type binary len 32 size 30k expire 30m

    # make sure we cover type 1 (fallback), although chances are it will
    # not route correctly, it will terminate on ssl
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2

    # use tcp content accepts to detect ssl client and server hello.
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello

    # no timeout on response inspect delay by default.
    tcp-response content accept if serverhello

    # SSL session ID (SSLID) may be present on a client or server hello.
    # Its length is coded on 1 byte at offset 43 and its value starts
    # at offset 44.

    # Match and learn on request if client hello.
    stick on payload_lv(43,1) if clienthello

    # Learn on response if server hello.
    stick store-response payload_lv(43,1) if serverhello

    # intercept incoming TLS requests based on the SNI field
    use-server xtp2_83 if { req_ssl_sni -i proudsslsite.com }
    use-server xtp2_83 if { req_ssl_sni -i www.proudsslsite.com }

    use-server xtp2_84 if { req_ssl_sni -i myothersecuremasterpiece.net }
    use-server xtp2_84 if { req_ssl_sni -i www.myothersecuremasterpiece.net }

    # Server addresses are placeholders (RFC 5737 documentation range); the
    # original snippet omitted them, but a server line requires an address.
    # Replace them with your real backends.
    server xtp2_83 192.0.2.83:443 weight 0
    server xtp2_84 192.0.2.84:443 weight 0

    # all the rest is forwarded to this server
    server xtp_default 192.0.2.10:443 check inter 10000 rise 2 fall 2

You just need to terminate the SSL on your webservers inside. So encrypt traffic all the way. This works for me.

    • While the supplied config might be helpful to the OP, you're not answering the question or educating him. What's the cause of the OP's error and how does your config fix it?
    • It's been 2 years. I'm sure he's either given up or succeeded. Your comment doesn't really add value towards a solution. His problem is he's using a version that is 1.4 (since he's not giving me the needed information before me typing my answer, it was hard to determine what caused this at the time). Hence me mentioning that it works with 1.5. I expect him to at least know how to figure this out using this information. You should re-read all comments and see that I'm adding the needed information in order for him to compile haproxy himself.
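The passthrough config in the answer above never decrypts anything: HAProxy routes on two fields it can read from the raw ClientHello, the session ID whose length byte sits at payload offset 43 (`payload_lv(43,1)`) and the SNI extension (`req_ssl_sni`). The script below is an added example, not code from this thread or from HAProxy, that parses a constructed ClientHello the same way and applies the answer's SNI routing table so you can see exactly which bytes those ACLs inspect. The server names, hostnames and hello bytes are all assumed for the demonstration.

```python
"""Added example: parse a TLS ClientHello the way the HAProxy TCP-mode
passthrough config does (session ID at offset 43, SNI extension) and
apply the same use-server routing. Not from the thread or from HAProxy."""
import struct

# Same routing rules as the answer's use-server lines (names assumed).
SNI_ROUTES = {
    "proudsslsite.com": "xtp2_83",
    "www.proudsslsite.com": "xtp2_83",
    "myothersecuremasterpiece.net": "xtp2_84",
    "www.myothersecuremasterpiece.net": "xtp2_84",
}
DEFAULT_SERVER = "xtp_default"   # the answer's catch-all server


def build_client_hello(sni, session_id=b""):
    """Construct a minimal TLS 1.2 ClientHello record (demo input only)."""
    ext = b""
    if sni is not None:
        host = sni.encode("ascii")
        name_entry = b"\x00" + struct.pack("!H", len(host)) + host  # host_name type 0
        sni_list = struct.pack("!H", len(name_entry)) + name_entry
        ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # server_name ext
    body = (
        b"\x03\x03"                              # client_version TLS 1.2
        + bytes(range(32))                       # client_random (constructed)
        + bytes([len(session_id)]) + session_id  # session_id<0..32>
        + b"\x00\x02\xc0\x2f"                    # one cipher suite
        + b"\x01\x00"                            # null compression only
        + struct.pack("!H", len(ext)) + ext      # extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(payload):
    """Return (session_id, sni) or None if payload is not a complete ClientHello.

    Offsets: 5-byte record header, 4-byte handshake header, 2-byte version,
    32-byte random -> the session ID length byte is at offset 43, exactly
    what payload_lv(43,1) reads in the HAProxy config.
    """
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None  # not a handshake record, or not hello type 1
    record_len = struct.unpack("!H", payload[3:5])[0]
    if len(payload) < 5 + record_len:
        return None  # truncated: HAProxy keeps buffering until inspect-delay expires
    sid_len = payload[43]
    pos = 44
    session_id = payload[pos:pos + sid_len]
    pos += sid_len
    cs_len = struct.unpack("!H", payload[pos:pos + 2])[0]
    pos += 2 + cs_len                      # skip cipher suites
    comp_len = payload[pos]
    pos += 1 + comp_len                    # skip compression methods
    sni = None
    if pos + 2 <= len(payload):            # extensions block is optional
        ext_len = struct.unpack("!H", payload[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", payload[pos:pos + 4])
            pos += 4
            if etype == 0x0000 and elen >= 5:  # server_name: list len, type, name len
                name_len = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
                sni = payload[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
            pos += elen
    return session_id, sni


def choose_server(payload):
    """Mirror the config: SNI match (case-insensitive, like -i) else default."""
    parsed = parse_client_hello(payload)
    if parsed is None:
        return None                         # nothing to route on yet
    _session_id, sni = parsed
    if sni is None:
        return DEFAULT_SERVER
    return SNI_ROUTES.get(sni.lower(), DEFAULT_SERVER)


if __name__ == "__main__":
    hello = build_client_hello("www.ProudSSLsite.com", session_id=bytes(32))
    print(parse_client_hello(hello), "->", choose_server(hello))
```

Two behaviours worth noting for operating such a relay: a payload that is not (yet) a complete ClientHello yields no decision, which is why the config needs `tcp-request inspect-delay` before it can accept; and a client that sends an empty session ID (a fresh handshake) gives the stick table nothing to learn from, so routing rests entirely on the SNI rule until the server hello has been seen.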

I know that doesn't really answer your question, but you could try to replace HAProxy with Pound, which is pretty easy to configure over HTTPS and will do the same as HAProxy in your case.

