ssl - Weird behavior/error trying to use HAProxy to forward requests to ELBs -


we have architecture have several apis on multiple hosts. each api sits behind aws elb. want put proxy in front route requests based on uri elb.

what have far works, 3 out of 10 requests result in following error (using curl, problem isn't curl):

curl: (35) unknown ssl protocol error in connection test-router.versal.com:-9847

i have feeling elb culprit. ssl terminated there.

here our haproxy config:

global   log 127.0.0.1   local0   log 127.0.0.1   local1 notice   maxconn 10240   user haproxy   group haproxy   daemon   debug   stats socket /var/run/haproxy.sock   log-send-hostname test-router.domain.com   description "haproxy on test-router.domain.com"  defaults   log     global   mode    http   option  httplog   option  dontlognull   retries 3   option redispatch   option forwardfor   option httpclose   option dontlognull   option tcpka   maxconn 10240   timeout connect 10000ms   timeout client 600000ms   timeout server 600000ms  frontend public   bind *:80   bind *:443   acl elb0 path_beg /elb0   acl elb1 path_beg /elb1   use_backend elb0 if elb0   use_backend elb1 if elb1    bind 0.0.0.0:443 ssl crt /etc/ssl/cert.pem no-sslv3 ciphers aes128+eecdh:aes128+edh  backend elb0   server server_vcat elb0.domain.com:443 ssl verify none  backend elb1   server server_laapi elb1.domain.com:443 ssl verify none

the ssl curl not terminated @ elb. terminated @ haproxy, in configuration...

bind 0.0.0.0:443 ssl crt /etc/ssl/cert.pem no-sslv3 ciphers aes128+eecdh:aes128+edh

...and entirely different ssl session established haproxy on connection elb:

server ... ssl verify none

an ssl problem elb not possibly propagated curl through haproxy in configuration.

the problem in haproxy configuration, here:

bind *:443

remove line. it's redundant (and incorrect).

you telling haproxy bind port 443 twice: once speaking ssl, , once not speaking ssl.

so, statistically, on approximately 50% of connection attempts, curl finds haproxy not speaking ssl on port 443 -- it's speaking http, , curl can't (and shouldn't) handle gracefully.

i believe (mis)configuration goes undetected haproxy, not because of actual bug, rather because of way things implemented in haproxy internals, related multi-process deployments , hot reloads, in case valid have haproxy bound same socket more once.


Comments

Post a Comment

Popular posts from this blog

How to understand 2 main() functions after using uftrace to profile the C++ program? -

i trying uftrace profile following simple c++ program: #include <iostream> class { public: a() {std::cout << "a created" << std::endl;} ~a() {std::cout << "a destroyed" << std::endl;} }; int main() { a; return 0; } the profile result this: # uftrace a.out created destroyed # duration tid function 2.026 [ 4828] | __cxa_atexit(); [ 4828] | main() { [ 4828] | __static_initialization_and_destruction_0() { 89.397 [ 4828] | std::ios_base::init::init(); 0.768 [ 4828] | __cxa_atexit(); 93.029 [ 4828] | } /* __static_initialization_and_destruction_0 */ 94.425 [ 4828] | } /* main */ [ 4828] | main() { [ 4828] | a::a() { 11.104 [ 4828] | std::operator <<(); 10.825 [ 4828] | std::basic_ostream::operator <<(); 24.514 [ 4828] | } /* a::a */ [ 4828] | a::~a() { 0.978 [ 4828] | ...
Read more

c# - Update a combobox from a presenter (MVP) -

i using mvp in project, new in mvp. have 2 comboboxes. when select option in combobox, combobox should filled new data. this action in presenter. view 'view1' in presenter, , introduced combobox1 , combobox2 properties in 'view1', because need 'datasource', 'displaymember', 'valuemember' , 'refresh()' in method below. but, when using pattern, enough send property like public string combobox2 { { return combobox1.selectedvalue.tosstring(); } } into presenter not whole combobox. how can solve problem? public void onselectedindexchangedcombobox1() { if (view1.combobox1.selectedindex == -1) { return; } datatable dt = tools.getdatatable("a path"); var query = (from o in dt.asenumerable() o.field<string>("afield") == farmerview.combobox1.selectedvalue.tostring() orderby o.field<string>("anotherfield") select...
Read more

How to put a lock and transaction on table using spring 4 or above using jdbcTemplate and annotations like @Transactional? -

i trying put lock on table while writing on table , if happened in between roll-back . trying convert below code lock table test_g1 read; lock table test_g write; -- begin; start transaction; insert test_g1 values(143); insert test_g values(145); select * test_g1; select * test_g; rollback; select * test_g; unlock tables; how convert above code @transactional spring jdbctemplate code? @transactional(rollbackfor={dataaccessexception.class}) public void test(){ jdbctemplate.execute("insert test1 (id, nam) values (4, 'a')"); throw new dataaccessexception("error") { }; } here trying throw error, insert statement should rollback it's not happening . thanks edit-1 attaching code , doing in jdbcdaoimpl.java , mentioned problem comment above test() . app.java package com.cgiri.javabrains.spring4; import org.springframework.beans.factory.annotation.autowired; import org.springframework.context.applic...
Read more