0

I'm posting here because I'm trying to set up HAProxy as a reverse proxy with SSL/TLS termination, and I have the following error in the logs:

Oct 17 12:10:03 localhost haproxy[2789]: xxx.xxx.xxx.xxx:33724 [17/Oct/2020:12:10:03.784] www-https www-https/<NOSRV> -1/-1/-1/-1/0 400 188 - - PR-- 1/1/0/0/0 0/0 "<BADREQ>"

And I don't understand why HAProxy is blocking the request.

Could you help me?

This is my haproxy.cfg:

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 5s
        user haproxy
        group haproxy
        daemon

        tune.ssl.default-dh-param 4096

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        option forwardfor
        option http_proxy
        timeout connect 5000
        timeout client  50000
        timeout server  5000 
        stats enable
        stats hide-version
        stats refresh 5s
        stats uri /hastats



frontend www-http
        bind *:80
        reqadd X-Forwarded-Proto:\ http
        default_backend www-backend

        # Test URI to see if its a letsencrypt request
        acl letsencrypt-acl path_beg /.well-known/acme-challenge/
        use_backend letsencrypt-backend if letsencrypt-acl


frontend www-https
        bind *:8000-9000 crt /etc/haproxy/certs/www.example.com.pem
        bind *:443 crt /etc/haproxy/certs/www.example.com.pem
        reqadd X-Forwarded-Proto:\ https
        default_backend www-backend


backend www-backend
        mode http
        http-request set-header X-Forwarded-For %[src]
        reqadd X-Forwarded-Proto:\ https
        option http-server-close
        balance roundrobin
        redirect scheme https if !{ ssl_fc }
        server web1 xxx.xxx.xxx.101:80 check
        server web2 xxx.xxx.xxx.102:80 check

backend letsencrypt-backend
        server letsencrypt 127.0.0.1:8080
1

In frontend www-https, in the bind line, add ssl before crt. Without ssl it works as plain HTTP. So:

bind *:443 ssl crt /etc/haproxy/certs/www.example.com.pem
  • Thank you, you're right, I forgot to write ssl in this directive. But I got the following error: 400 Bad request, and always got PR in the logs, but for my www-backend/<NOSRV>: Oct 18 08:39:16 localhost haproxy[724]: 192.168.1.254:62597 [18/Oct/2020:08:39:16.543] www-https~ www-backend/<NOSRV> -1/-1/-1/-1/0 400 188 - - PR-- 2/2/0/0/3 0/0 "GET / HTTP/1.1" – outstore Oct 18 at 7:39
  • @outstore Please don't edit the question to a substantially different one. This site tries to collect questions/answers so that people can google them in future. If you applied an answer and situation progressed, please just ask a new question (even if the contents are mostly a copy). – kubanczyk Oct 18 at 9:22
  • Okay, I will revert the changes. – outstore Oct 18 at 10:01
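
The check the answer describes can be run over a whole configuration. The following is an added example, not part of the original answer: a small linter that flags every bind line carrying a certificate option without the ssl keyword. The function names and the trimmed sample config are constructed for illustration. On the question's config it also flags the `*:8000-9000` bind, which has the same form as the `*:443` one.

```python
import re

# Constructed sample: the two frontends from the question, trimmed.
SAMPLE_CFG = """\
frontend www-http
        bind *:80
        default_backend www-backend

frontend www-https
        bind *:8000-9000 crt /etc/haproxy/certs/www.example.com.pem
        bind *:443 crt /etc/haproxy/certs/www.example.com.pem
        default_backend www-backend
"""

SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")
CERT_OPTS = ("crt", "crt-list")  # bind options that only make sense with ssl

def find_bind_crt_without_ssl(cfg_text):
    """Return (line_no, section, bind_line) for each bind with a cert but no ssl."""
    findings, section = [], "?"
    for line_no, raw in enumerate(cfg_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # naive comment strip (no quoted '#')
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = (m.group(1) + " " + m.group(2)).strip()
            continue
        words = line.split()
        if words[0] != "bind" or len(words) < 3:
            continue
        options = words[2:]  # words[1] is the address:port spec
        if any(o in CERT_OPTS for o in options) and "ssl" not in options:
            findings.append((line_no, section, line))
    return findings

def add_ssl(bind_line):
    """Insert the ssl keyword right before the first certificate option."""
    words = bind_line.split()
    first_cert = min(i for i, w in enumerate(words) if w in CERT_OPTS)
    words.insert(first_cert, "ssl")
    return " ".join(words)

if __name__ == "__main__":
    for line_no, section, line in find_bind_crt_without_ssl(SAMPLE_CFG):
        print(f"line {line_no} [{section}]: {line}")
        print(f"    suggested: {add_ssl(line)}")
```
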
