Cloudflare/HaProxy - Error 525 - SSL Handshake Failed

Hi - I’m having a very hard time getting Cloudflare to cooperate with my HAProxy.

I’m running pfSense 2.4.4 with HAProxy module version .59_22.
Behind pfSense I have an Apache webserver configured for HTTP.
I’d like HAProxy to do the SSL offloading and forward the request to the internal webserver.
I’m getting Error 525 - SSL Handshake Failed.
I have a valid SSL cert for my domain issued by Let’s Encrypt.
My SSL/TLS encryption mode in Cloudflare is set to Full (strict).

My HAproxy config is the following:

# Automaticaly generated, dont edit manually.
# Generated on: 2020-01-21 10:32
global
	maxconn			1000
	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
	gid			80
	nbproc			1
	nbthread			1
	hard-stop-after		15m
	chroot				/tmp/haproxy_chroot
	daemon
	tune.ssl.default-dh-param	2048
	log-send-hostname		url.com-HA
	server-state-file /tmp/haproxy_server_state
	ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
	ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

	ssl-default-server-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
	ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

listen HAProxyLocalStats
	bind 127.0.0.1:2200 name localstats
	mode http
	stats enable
	stats admin if TRUE
	stats show-legends
	stats uri /haproxy/haproxy_stats.php?haproxystats=1
	timeout client 5000
	timeout connect 5000
	timeout server 5000

frontend shared-frontend-WAN-and-LAN-merged
	bind			69.xxx.xxx.xxx:443 name 69.xxx.xxx.xxx:443   ssl crt-list /var/etc/haproxy/shared-frontend-WAN-and-LAN.crt_list
	bind			10.0.1.1:443 name 10.0.1.1:443   ssl crt-list /var/etc/haproxy/shared-frontend-WAN-and-LAN.crt_list
	mode			http
	log			global
	option			http-keep-alive
	option			forwardfor
	acl https ssl_fc
	http-request set-header		X-Forwarded-Proto http if !https
	http-request set-header		X-Forwarded-Proto https if https
	timeout client		30000
	acl			ACL1	var(txn.txnhost) -m str -i url.com
	acl			ACL2	var(txn.txnhost) -m str -i www.url.com
	http-request set-var(txn.txnhost) hdr(host)
	use_backend url.com_ipv4  if  ACL1
	use_backend url.com_ipv4  if  ACL2

frontend http-to-https
	bind			69.xxx.xxx.xxx:80 name 69.xxx.xxx.xxx:80
	mode			http
	log			global
	option			http-keep-alive
	timeout client		30000
	redirect scheme https code 301 if !{ ssl_fc }

backend url.com_ipv4
	mode			http
	id			10102
	log			global
	option			log-health-checks
	timeout connect		30000
	timeout server		30000
	retries			3
	source ipv4@ usesrc clientip
	option			httpchk OPTIONS /
	server			url.com 10.0.1.158:80 id 10103 check inter 100

I’ve read the page linked here: Community Tip - Fixing Error 525: SSL handshake failed, however I’m not sure what exactly is causing the error in my case.

Thanks for any help
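Error 525 means the Cloudflare edge could not complete a TLS handshake with the origin, so the useful check is to reproduce that handshake from outside: connect to the origin IP on 443 with the site hostname as SNI and verify the chain and hostname the way Full (strict) does. The script below is an added example written for this thread, not part of the poster's configuration or Cloudflare's community tip; it assumes `openssl` is installed, and `url.com` / `ORIGIN_IP` are placeholders for the poster's real hostname and the 69.xxx.xxx.xxx address. The parsing helper is separated from the live probe so the interpretation logic can be exercised on captured output offline.

```shell
#!/bin/sh
# Added diagnostic example (not the poster's or Cloudflare's code).
# Reproduces a Full (strict) origin handshake with openssl s_client:
# TLS to the origin IP, SNI = site hostname, chain and hostname verified.

# interpret_s_client <file-with-s_client-output>
# Returns 0 only when a TLS 1.2/1.3 session was negotiated AND the chain
# (including the hostname check) verified with return code 0.
interpret_s_client() {
    out="$1"
    if ! grep -q '^ *Protocol *: TLSv1\.[23]' "$out"; then
        echo "FAIL: no TLS 1.2/1.3 session negotiated (port closed, handshake aborted, or protocol too old)"
        return 1
    fi
    verify=$(sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' "$out" | tail -n 1)
    if [ -z "$verify" ]; then
        echo "FAIL: no 'Verify return code' line found in output"
        return 1
    fi
    if [ "$verify" != "0" ]; then
        reason=$(grep 'Verify return code' "$out" | tail -n 1)
        echo "FAIL: certificate verification failed ($reason)"
        return 1
    fi
    cipher=$(sed -n 's/^ *Cipher *: \(.*\)/\1/p' "$out" | tail -n 1)
    echo "OK: verified chain and hostname, cipher ${cipher:-unknown}"
    return 0
}

# check_origin <hostname> <origin-ip> [port]
# Connects directly to the origin (bypassing Cloudflare) with SNI set, so
# HAProxy selects the certificate for that name from its crt-list; without
# -servername HAProxy would answer with the first certificate in the list.
# -verify_hostname makes a SAN mismatch show up as a non-zero verify code.
check_origin() {
    host="$1"; ip="$2"; port="${3:-443}"
    tmp=$(mktemp)
    openssl s_client -connect "$ip:$port" -servername "$host" \
        -verify_hostname "$host" </dev/null >"$tmp" 2>&1
    if interpret_s_client "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Usage (placeholders; run from a host outside the LAN, as Cloudflare would):
#   check_origin url.com ORIGIN_IP
#   check_origin www.url.com ORIGIN_IP
```

Run it once per hostname that Cloudflare proxies; a "no TLS session" result points at reachability or protocol negotiation, while a non-zero verify code points at the certificate served for that SNI name (chain, expiry, or hostname coverage), which is what Full (strict) rejects.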
