HTTPS and HTTP over the same port in haproxy









up vote
0
down vote

favorite












I have a server with a Rest API behind haproxy which listens to port 5000. The haproxy config configures port 5000 to accept HTTPS connections from the client and then forwards the message to the server. This works correctly and here is the config for that port:



frontend service-front-1
bind 192.168.122.3:5000 ssl crt /etc/ssl/private/haproxy.pem ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
option httplog
option forwardfor except 127.0.0.0/8
option http-server-close
reqadd X-Forwarded-Proto: https
mode http
default_backend service-back

backend service-back
mode http
balance leastconn
stick store-request src
stick-table type ip size 256k expire 30m
option forwardfor
option httplog
option httpchk HEAD / HTTP/1.0rnUser-agent: osa-haproxy-healthcheck

server controller00_container-442ea37a 172.29.237.76:5000 check port 5000 inter 12000 rise 1 fall 1


In the client side, I have now an application which is unable to do HTTPS and requires to connect to the server. It tries with HTTP to port 5000 but as haproxy is expecting HTTPS for that port, things fail and I get:




Unable to establish connection ('Connection aborted.', BadStatusLine("''",))




Unfortunately, I cannot remove the HTTPS capabilities of port 5000 because some applications are expecting that. So, could I have both capabilities (HTTPS and HTTP) on port 5000? I tried by just adding another front with this config:



frontend service-front-2
bind 192.168.122.3:5000
option httplog
option forwardfor except 127.0.0.0/8
option http-server-close
mode http
default_backend service-back


The result is that it works sometimes. It seems to me that haproxy randomly selects one of the two frontends that define port 5000 and if it is the one that the client expects things work










share|improve this question

























    up vote
    0
    down vote

    favorite












    I have a server with a Rest API behind haproxy which listens to port 5000. The haproxy config configures port 5000 to accept HTTPS connections from the client and then forwards the message to the server. This works correctly and here is the config for that port:



    frontend service-front-1
    bind 192.168.122.3:5000 ssl crt /etc/ssl/private/haproxy.pem ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    option httplog
    option forwardfor except 127.0.0.0/8
    option http-server-close
    reqadd X-Forwarded-Proto: https
    mode http
    default_backend service-back

    backend service-back
    mode http
    balance leastconn
    stick store-request src
    stick-table type ip size 256k expire 30m
    option forwardfor
    option httplog
    option httpchk HEAD / HTTP/1.0rnUser-agent: osa-haproxy-healthcheck

    server controller00_container-442ea37a 172.29.237.76:5000 check port 5000 inter 12000 rise 1 fall 1


    In the client side, I have now an application which is unable to do HTTPS and requires to connect to the server. It tries with HTTP to port 5000 but as haproxy is expecting HTTPS for that port, things fail and I get:




    Unable to establish connection ('Connection aborted.', BadStatusLine("''",))




    Unfortunately, I cannot remove the HTTPS capabilities of port 5000 because some applications are expecting that. So, could I have both capabilities (HTTPS and HTTP) on port 5000? I tried by just adding another front with this config:



    frontend service-front-2
    bind 192.168.122.3:5000
    option httplog
    option forwardfor except 127.0.0.0/8
    option http-server-close
    mode http
    default_backend service-back


    The result is that it works sometimes. It seems to me that haproxy randomly selects one of the two frontends that define port 5000 and if it is the one that the client expects things work










    share|improve this question























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      I have a server with a Rest API behind haproxy which listens to port 5000. The haproxy config configures port 5000 to accept HTTPS connections from the client and then forwards the message to the server. This works correctly and here is the config for that port:



      frontend service-front-1
      bind 192.168.122.3:5000 ssl crt /etc/ssl/private/haproxy.pem ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
      option httplog
      option forwardfor except 127.0.0.0/8
      option http-server-close
      reqadd X-Forwarded-Proto: https
      mode http
      default_backend service-back

      backend service-back
      mode http
      balance leastconn
      stick store-request src
      stick-table type ip size 256k expire 30m
      option forwardfor
      option httplog
      option httpchk HEAD / HTTP/1.0rnUser-agent: osa-haproxy-healthcheck

      server controller00_container-442ea37a 172.29.237.76:5000 check port 5000 inter 12000 rise 1 fall 1


      In the client side, I have now an application which is unable to do HTTPS and requires to connect to the server. It tries with HTTP to port 5000 but as haproxy is expecting HTTPS for that port, things fail and I get:




      Unable to establish connection ('Connection aborted.', BadStatusLine("''",))




      Unfortunately, I cannot remove the HTTPS capabilities of port 5000 because some applications are expecting that. So, could I have both capabilities (HTTPS and HTTP) on port 5000? I tried by just adding another front with this config:



      frontend service-front-2
      bind 192.168.122.3:5000
      option httplog
      option forwardfor except 127.0.0.0/8
      option http-server-close
      mode http
      default_backend service-back


      The result is that it works sometimes. It seems to me that haproxy randomly selects one of the two frontends that define port 5000 and if it is the one that the client expects things work










      share|improve this question













      I have a server with a Rest API behind haproxy which listens to port 5000. The haproxy config configures port 5000 to accept HTTPS connections from the client and then forwards the message to the server. This works correctly and here is the config for that port:



      frontend service-front-1
      bind 192.168.122.3:5000 ssl crt /etc/ssl/private/haproxy.pem ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
      option httplog
      option forwardfor except 127.0.0.0/8
      option http-server-close
      reqadd X-Forwarded-Proto: https
      mode http
      default_backend service-back

      backend service-back
      mode http
      balance leastconn
      stick store-request src
      stick-table type ip size 256k expire 30m
      option forwardfor
      option httplog
      option httpchk HEAD / HTTP/1.0rnUser-agent: osa-haproxy-healthcheck

      server controller00_container-442ea37a 172.29.237.76:5000 check port 5000 inter 12000 rise 1 fall 1


      In the client side, I have now an application which is unable to do HTTPS and requires to connect to the server. It tries with HTTP to port 5000 but as haproxy is expecting HTTPS for that port, things fail and I get:




      Unable to establish connection ('Connection aborted.', BadStatusLine("''",))




      Unfortunately, I cannot remove the HTTPS capabilities of port 5000 because some applications are expecting that. So, could I have both capabilities (HTTPS and HTTP) on port 5000? I tried by just adding another front with this config:



      frontend service-front-2
      bind 192.168.122.3:5000
      option httplog
      option forwardfor except 127.0.0.0/8
      option http-server-close
      mode http
      default_backend service-back


      The result is that it works sometimes. It seems to me that haproxy randomly selects one of the two frontends that define port 5000 and if it is the one that the client expects things work







      https haproxy






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 10 at 15:28









      M. Buil

      769




      769



























          active

          oldest

          votes











          Your Answer






          StackExchange.ifUsing("editor", function ()
          StackExchange.using("externalEditor", function ()
          StackExchange.using("snippets", function ()
          StackExchange.snippets.init();
          );
          );
          , "code-snippets");

          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "1"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53240430%2fhttps-and-http-over-the-same-port-in-haproxy%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown






























          active

          oldest

          votes













          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes















          draft saved

          draft discarded
















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.





          Some of your past answers have not been well-received, and you're in danger of being blocked from answering.


          Please pay close attention to the following guidance:


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53240430%2fhttps-and-http-over-the-same-port-in-haproxy%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Use pre created SQLite database for Android project in kotlin

          Darth Vader #20

          Ondo