Hi - I’m having a very hard time getting Cloudflare to cooperate with my HAproxy.
I’m running pfSense 2.4.4 with HAproxy module version .59_22
Behind pfsense I have an apache webserver configured for http.
I’d like HAproxy to do the SSL offloading and forward the request to the internal webserver.
I’m getting Error 525 - SSL Handshake Failed.
I have a valid SSL cert for my domain issued from Let’s Encrypt
My SSL/TLS encryption mode is Full (strict) set within Cloudflare
My HAproxy config is the following:
# Automaticaly generated, dont edit manually.
# Generated on: 2020-01-21 10:32
# Process-wide settings shared by every listener/frontend/backend below.
global
maxconn 1000
# Runtime admin socket. "level admin" permits state changes (e.g. disabling
# servers) from anything that can open the socket, so its file permissions
# inside the chroot are the only access control — confirm they are restrictive.
stats socket /tmp/haproxy.socket level admin expose-fd listeners
gid 80
nbproc 1
nbthread 1
hard-stop-after 15m
chroot /tmp/haproxy_chroot
daemon
tune.ssl.default-dh-param 2048
log-send-hostname url.com-HA
server-state-file /tmp/haproxy_server_state
# Client-facing TLS: forward-secret AEAD suites only (ECDHE/DHE with GCM or
# CHACHA20), TLS 1.2+ (SSLv3/1.0/1.1 disabled) and no session tickets.
ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
# Backend-facing TLS defaults. They only apply to "server" lines carrying the
# "ssl" keyword; the single backend server in this config speaks plain HTTP on
# port 80, so these two lines are currently unused.
ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
# Statistics page, bound to loopback only (presumably fetched by the pfSense
# GUI given the .php stats uri — verify).
listen HAProxyLocalStats
bind 127.0.0.1:2200 name localstats
mode http
stats enable
# Admin actions (enable/disable servers) are allowed unconditionally; the
# loopback bind above is the only thing restricting who can use them.
stats admin if TRUE
stats show-legends
stats uri /haproxy/haproxy_stats.php?haproxystats=1
timeout client 5000
timeout connect 5000
timeout server 5000
# HTTPS entry point on both the WAN and LAN addresses. TLS is terminated here
# with certificates taken from the crt-list; the backend is reached over plain
# HTTP.
frontend shared-frontend-WAN-and-LAN-merged
# NOTE(review): the handshake succeeds only if the crt-list holds a certificate
# matching the SNI the client sends (url.com / www.url.com for Cloudflare);
# a crt-list with no match and no usable default fails before any HTTP is
# exchanged, which is consistent with the 525 seen — confirm the crt-list
# contents and the names on the Let's Encrypt certificate.
bind 69.xxx.xxx.xxx:443 name 69.xxx.xxx.xxx:443 ssl crt-list /var/etc/haproxy/shared-frontend-WAN-and-LAN.crt_list
bind 10.0.1.1:443 name 10.0.1.1:443 ssl crt-list /var/etc/haproxy/shared-frontend-WAN-and-LAN.crt_list
mode http
log global
option http-keep-alive
# Adds X-Forwarded-For with the connecting IP. When traffic arrives via
# Cloudflare that is the Cloudflare edge address, not the visitor's.
option forwardfor
# True when the client connection is TLS; both binds above are "ssl", so on
# this frontend it is always true and the "http" branch below never fires.
acl https ssl_fc
http-request set-header X-Forwarded-Proto http if !https
http-request set-header X-Forwarded-Proto https if https
timeout client 30000
# Exact, case-insensitive match on the captured Host value. A Host header
# carrying an explicit port (e.g. "url.com:443") would not match either ACL.
acl ACL1 var(txn.txnhost) -m str -i url.com
acl ACL2 var(txn.txnhost) -m str -i www.url.com
# Runs in the http-request phase, i.e. before use_backend is evaluated, so the
# ACLs above see the populated variable even though they are declared first.
http-request set-var(txn.txnhost) hdr(host)
# No default_backend: any other Host value is answered by HAProxy's own 503.
use_backend url.com_ipv4 if ACL1
use_backend url.com_ipv4 if ACL2
# Plain-HTTP listener on the WAN address whose only job is to redirect to HTTPS.
frontend http-to-https
bind 69.xxx.xxx.xxx:80 name 69.xxx.xxx.xxx:80
mode http
log global
option http-keep-alive
timeout client 30000
# This frontend has no "ssl" bind, so "!{ ssl_fc }" is always true and every
# request is redirected with a permanent 301 to the same URL over https.
redirect scheme https code 301 if !{ ssl_fc }
# Single Apache origin, reached over plain HTTP (no "ssl" on the server line).
backend url.com_ipv4
mode http
# presumably a pfSense GUI bookkeeping identifier; same for the server id below
id 10102
log global
option log-health-checks
timeout connect 30000
timeout server 30000
retries 3
# Transparent proxying: connections to the origin are opened with the client's
# IP as source address (behind Cloudflare, a Cloudflare edge IP). NOTE(review):
# this only works if 10.0.1.158 routes its replies back through this host;
# otherwise the backend connection fails — confirm the origin's default route.
source ipv4@ usesrc clientip
# Health check is an HTTP OPTIONS / over plain HTTP, repeated every 100 ms
# (ten probes per second against the origin).
option httpchk OPTIONS /
server url.com 10.0.1.158:80 id 10103 check inter 100
I’ve read the page linked here: Community Tip - Fixing Error 525: SSL handshake failed, however I’m not sure what exactly is causing the error in my case.
Thanks for any help