Cloudflare Proxy to HAProxy w/ Origin getting 526

efaden · March 17, 2022, 7:53pm

So I decided to try to add Cloudflare proxy in front of my HAProxy setup. My HA Proxy setup is working perfectly using Let’s Encrypt certificates. I run two ports, 443 and 80 which just redirects to 443. What I did was to grab an origin certificate and then enabled proxy. I placed the origin certificate on haproxy and set that to the default on HAProxy. All seems good except that I’m getting a 526 error. I tried disabling the domain and checking the certificate. When I do that I get the origin certificate back. Looking at the log in haproxy I see an error saying ssl handshake failed from Cloudflare ips. But I can’t figure out why?

Any suggestions?

efaden · March 18, 2022, 6:51pm

Update, it works in full mode, but not full strict using the origin certificate.

sandro · March 18, 2022, 6:59pm

If it works without certificate validation, that means that your certificate is not properly configured. Of course, that’s an insecure setup.

I’d suggest you pause Cloudflare and check what certificate you get.

What’s the domain?

efaden · March 18, 2022, 7:07pm

I did pause it. And my server is returning the origin certificate. I can pm it to you, but don’t want to post it publicly.

The part that’s confusing me is that the origin certificate is the one installed. I’m guessing it’s done sort of setting on the haproxy frontend, but I have no idea what. It works fine with the origin server and chrome (obviously the cert is invalid)… And it worked fine with the letsencrypt certificate. There is something about haproxy that isn’t working correctly.

sandro · March 18, 2022, 7:07pm

I am afraid you cannot send private messages here. You can post it temporarily and then remove the posting.

efaden · March 18, 2022, 7:11pm

t is the host.

sandro · March 18, 2022, 7:12pm

All right, you can remove your posting.

sandro · March 18, 2022, 7:13pm

The IP address of that host does not happen to end in 31, does it?

efaden · March 18, 2022, 7:15pm

Nope. 81. But the normal 443 is a different server. I dstnat 2053 from Cloudflare ips

sandro · March 18, 2022, 7:17pm

Would you feel comfortable to post the IP address temporarily as well?

sandro · March 18, 2022, 7:17pm

All right.

efaden · March 18, 2022, 7:18pm

Like I said though… It’s only from Cloudflare. I can make it on 443 also if you want

sandro · March 18, 2022, 7:19pm

Which port are we talking about, 443 or 2053?

Also, have you locked down the machine? I can’t reach either port.

efaden · March 18, 2022, 7:20pm

Yes. It’s locked down. US only, 443 open. 443 from Cloudflare ips goes to 2053, 2053 externally is closed.

efaden · March 18, 2022, 7:20pm

Can open it up though if you want

efaden · March 18, 2022, 7:22pm

I can open it easily. Give me 2 minutes

sandro · March 18, 2022, 7:22pm

Never mind, got it already

sandro · March 18, 2022, 7:23pm

Currently I am getting a Let’s Encrypt certificate.

efaden · March 18, 2022, 7:23pm

It’s open on 2053

efaden · March 18, 2022, 7:23pm

So thoughts?