I have 3 web servers behind my firewall. They will have various SSL websites hosted on them and I'm port forwarding traffic through my firewall on port 443 to an HAProxy server which is handling all requests. I want to be able to manage all SSL certs on the webservers as 2 of 3 of them are managed by Virtualmin.
My Cloudflare configuration:
- SSL configuration is Full (Strict)
- All of the domains I am using are Proxied through Cloudflare and pointing to my IP.
My HaProxy Configuration:
global
log /dev/log local0
log /dev/log local1 debug
#log /var/log/haproxy.log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
#ca-base /etc/ssl/certs
#crt-base /etc/ssl/private
# See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
#ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
#ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
# Commented out SSL options because we expect that the host will have the cert.
defaults
log global
#mode tcp
option tcplog
#option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
#frontend http_in
# bind *:80
# mode http
# acl http ssl_fc,not
# http-request redirect scheme https if http
frontend localhost
bind *:443
#bind *:80
option tcplog
mode tcp
#default_backend vweb1
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend svr1 if { req.ssl_sni -i mail.example.com }
use_backend svr2 if { req.ssl_sni -i example.com }
use_backend svr2 if { req.ssl_sni -i cloud.example.com }
backend svr1
mode tcp
#option ssl-hello-chk
server vweb1 10.0.0.219:443 check ssl verify none
backend svr2
mode tcp
#option ssl-hello-chk
server vsmtp1 10.0.0.228:443 check ssl verify none
frontend stats
bind 10.0.0.241:8989
mode http
stats enable
stats uri /stats
stats realm HAProxy\ Statistics
stats auth admin:admin
Checking the configuration shows that this is valid.
I am using CloudFlare provided certificate on my web server(s).
If I bypass the HAProxy server by changing my port forward rule from the HAProxy server directly to one of the Webservers and turn Cloudflare into Flexible mode, everything works and the website on that server loads. Otherwise every request to any of my domains gets a pesky 525 error.
I've also tried a Let's Encrypt certificate with the same settings as well as a Self-Signed cert and putting Cloudflare into Full mode. No luck there.
According to the stats page every request does get forwarded to the correct server but no error logs are generated on the webservers or the HAProxy server.
Thank you for any ideas.
