docker-archive / dockercloud-haproxy

HAproxy image that autoreconfigures itself when used in Docker Cloud
https://cloud.docker.com/

Setting up HAPROXY in SSL pass through mode. #155

Closed kvramana closed 7 years ago

kvramana commented 7 years ago

I need HAPROXY to be set up not in SSL termination mode but in pass-through mode. It should pass an incoming HTTPS request, in pass-through mode only, on to its backend services.

However, I tried several environment variable settings specified in the https://github.com/docker/dockercloud-haproxy wiki and found that none of them start up HAPROXY in SSL pass-through mode.

Please let me know if you have any information.

kvramana commented 7 years ago

Specifically, I want my HAPROXY to be running in SSL pass-through over a backend. Outside Docker, I'd have done

backend default_service
     mode tcp

But I don't see a hook or environment variable to add to my Docker Compose file for achieving TCP mode for my backend. Is there such an environment variable?

kvramana commented 7 years ago

For my frontend, I used EXTRA_FRONTEND_SETTINGS_443=mode tcp to set its mode to tcp but didn't find an equivalent for the backend.

samuelgiles commented 7 years ago

What about the MODE environment variable? If you have that set to tcp it should work: https://github.com/docker/dockercloud-haproxy#user-content-global-and-default-settings-of-haproxy

kvramana commented 7 years ago

Without mode in the snippet below, I get a browser response of 502 Bad Gateway - The server returned an invalid or incomplete response.

With mode in the snippet below, I get a browser response of localhost didn’t send any data.

I get a backend response only if I turn on the backend helloworld nodejs port and reach it directly on its backend port from the browser, bypassing the fronting haproxy.

  # The HAPROXY service to provide high-availability, load balancing and proxying to NODEJS service.
  svc_haproxy:
    image: dockercloud/haproxy
    depends_on:
      - svc_nodejs_helloworld
    links:
      - svc_nodejs_helloworld
    environment:
      - DOCKER_TLS_VERIFY
      - DOCKER_HOST
      - DOCKER_CERT_PATH
      - CERT_FOLDER=/certs
      - EXTRA_FRONTEND_SETTINGS_80=mode tcp
      - EXTRA_FRONTEND_SETTINGS_443=mode tcp
#      - MODE=tcp # Did not work, I see a "localhost didn’t send any data" response in browser.
    volumes:
      - $PWD/tls/pem:/certs
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - 80:80
      - 443:443
    networks:
      - nimnet

kvramana commented 7 years ago

Or else, I need to set my own haproxy.cfg from outside the container into the container. That way, the mode is set to tcp on the default backend service and the haproxy container simply loads the developer-supplied haproxy.cfg file. However, I did not find a way to do either:

kvramana commented 7 years ago

BTW, I am using a self-signed certificate and not a commercial CA authority signed certificate.

samuelgiles commented 7 years ago

Both those errors sound very odd.

tifayuki commented 7 years ago

If you don't terminate SSL at proxy level, haproxy knows nothing about the HTTP headers. As a result, you can only run haproxy in TCP mode.

To do this, simply adding TCP_PORTS=443 in your application service will work.
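
The setup described in the last comment, written out as an added compose example (not code from the thread or from the project). It reuses the service and network names from the compose snippet earlier in the thread; the backend image name is a placeholder, and the example assumes the backend itself serves TLS on container port 443 with its own certificate and key.

```yaml
version: "2"

services:
  # Application service: terminates TLS itself (assumption: it listens
  # with its own certificate and key on container port 443).
  svc_nodejs_helloworld:
    image: example/nodejs-helloworld-tls   # placeholder image name
    expose:
      - "443"
    environment:
      # Set on the application service, not on the proxy: ports listed
      # here are load-balanced in TCP mode. Without a "/ssl" suffix the
      # proxy does not terminate TLS on that port.
      - TCP_PORTS=443
    networks:
      - nimnet

  # Proxy: forwards the raw TLS byte stream and never sees HTTP headers.
  svc_haproxy:
    image: dockercloud/haproxy
    depends_on:
      - svc_nodejs_helloworld
    links:
      - svc_nodejs_helloworld
    # No CERT_FOLDER and no certificate volume: in pass-through the
    # private key stays on the backend, not on the proxy.
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    ports:
      - 443:443
    networks:
      - nimnet

networks:
  nimnet:
```

With this layout the certificate a client receives on port 443 is the backend's own, so comparing the certificate served through the proxy with the one the backend holds confirms that TLS is not being terminated at haproxy.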