§2024-06-06

1. Client ---> HTTPS ---> HAProxy ---> HTTP ---> Backend servers:

In this setup, HAProxy handles the SSL termination. This means it decrypts the HTTPS traffic from the clients and forwards the requests to the backend servers using plain HTTP.

```
frontend https_frontend
    bind *:443 ssl crt /path/to/your/cert.pem
    default_backend http_backends

backend http_backends
    server backend1 192.168.1.1:80 check
    server backend2 192.168.1.2:80 check
```

2. Client ---> HTTPS ---> HAProxy ---> HTTPS ---> Backend servers:

Here, HAProxy passes the HTTPS traffic through to the backend servers without decrypting it. This is also known as SSL pass-through.

Example configuration snippet:

```
frontend https_frontend
    bind *:443
    mode tcp
    default_backend https_backends

backend https_backends
    mode tcp
    server backend1 192.168.1.1:443 check
    server backend2 192.168.1.2:443 check
```

3. Client ---> HTTPS ---> HAProxy ---> HTTPS (re-encryption) ---> Backend servers:

In this setup, HAProxy decrypts the HTTPS traffic from the clients, processes it, and then re-encrypts it before sending it to the backend servers.

```
frontend https_frontend
    bind *:443 ssl crt /path/to/your/cert.pem
    default_backend https_backends

backend https_backends
    server backend1 192.168.1.1:443 ssl check
    server backend2 192.168.1.2:443 ssl check
```

Question: what is the difference between the check, ssl check and ssl verify none keywords after a backend server statement?

This is my partial haproxy.cfg running on munetaka.me

```
# Caddy Server
frontend front_https_caddy_h2jammy_43889
    bind *:43889 ssl crt /etc/letsencrypt/live/munetaka.me/haproxy.pem
    default_backend back_https_caddy_h2jammy_43889

backend back_https_caddy_h2jammy_43889
    # with ssl verify none, this causes 503 Service Unavailable
    server h2jammy_server h2Jammy.yushei.net:43889 check
```

While https://h2Jammy.yushei.net:43889 is working directly, https://munetaka.me:43889 gets "Client sent an HTTP request to an HTTPS server."

This is my partial haproxy.cfg running on https://munetaka.me:

```
# 2024-06-05 add nextCloud
frontend front_https_nextCloud_45101
    bind *:45101 ssl crt /etc/letsencrypt/live/munetaka.me/haproxy.pem
    default_backend back_http_nextCloud_45101

backend back_http_nextCloud_45101
    server nextcloud_server hc4Noble.yushei.net:45101 check
```

http://hc4Noble.yushei.net:45101 is running well directly. When load balanced through HAProxy, https://munetaka.me:45101 gets changed to http://munetaka.me:45101.

And the error log:

```
Jun  6 15:27:08 pi3HAProxy haproxy[13299]: 210.242.152.235:35078 [06/Jun/2024:15:27:08.349] front_https_443~ back_http_nginx_8088/nginx_server 0/0/0/1/1 304 165 - - ---- 1/1/0/0/0 0/0 "GET https://munetaka.me/ HTTP/2.0"
Jun  6 15:27:10 pi3HAProxy haproxy[13299]: 210.242.152.235:51124 [06/Jun/2024:15:27:10.366] front_https_nextCloud_45101~ back_http_nextCloud_45101/nextcloud_server 0/0/2/310/312 302 801 - - ---- 2/1/0/0/0 0/0 "GET https://munetaka.me:45101/ HTTP/2.0"
Jun  6 15:27:11 pi3HAProxy haproxy[13299]: 210.242.152.235:51130 [06/Jun/2024:15:27:11.412] front_https_nextCloud_45101/1: SSL handshake failure (error:0A00009C:SSL routines::http request)
Jun  6 15:27:12 pi3HAProxy haproxy[13299]: 210.242.152.235:51142 [06/Jun/2024:15:27:12.485] front_https_nextCloud_45101/1: SSL handshake failure (error:0A00009C:SSL routines::http request)
Jun  6 15:27:12 pi3HAProxy haproxy[13299]: 210.242.152.235:51164 [06/Jun/2024:15:27:12.531] front_https_nextCloud_45101/1: SSL handshake failure (error:0A00009C:SSL routines::http request)
Jun  6 15:27:17 pi3HAProxy haproxy[13299]: 210.242.152.235:51154 [06/Jun/2024:15:27:12.531] front_https_nextCloud_45101/1: SSL handshake failure (error:0A00009C:SSL routines::http request)
Jun  6 15:27:17 pi3HAProxy haproxy[13299]: 210.242.152.235:36930 [06/Jun/2024:15:27:17.567] front_https_nextCloud_45101/1: SSL handshake failure (error:0A00009C:SSL routines::http request)
Jun  6 15:27:17 pi3HAProxy haproxy[13299]: 210.242.152.235:36938 [06/Jun/2024:15:27:17.583] front_https_nextCloud_45101/1: SSL handshake failure (error:0A00009C:SSL routines::http request)
```
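As an added example (not the page's own haproxy.cfg), the fragment below puts the three server-line variants from the question side by side and applies the matching fix to each of the two snippets above: the CA bundle path, the X-Forwarded-Proto handling and the Nextcloud config.php step are assumptions about the author's setup.

```haproxy
# Added example; not the page's own haproxy.cfg. Assumed: HAProxy 2.x defaults
# (mode http, global ssl-server-verify required) and a Debian-style CA bundle.

# Server-line keywords side by side:
#   check           plain health check; traffic and check are both cleartext
#   ssl check       TLS to the backend, health check over TLS too (unless a
#                   separate check port/addr is given); with the default
#                   "verify required" and no ca-file HAProxy refuses to start,
#                   since it has nothing to validate the backend cert against
#   ssl verify none TLS, but the backend certificate is not validated at all,
#                   so anything answering on that port is accepted and an
#                   on-path host between proxy and backend is never noticed
#   ssl verify required ca-file ... sni str(...)   the hardened form below

# Case 1 (Caddy on 43889): the backend speaks HTTPS but the page's server line
# has no "ssl", so HAProxy sends cleartext HTTP to a TLS port and Caddy answers
# with Go's "Client sent an HTTP request to an HTTPS server." The 503 seen with
# "ssl verify none" is consistent with a failing TLS health check; a missing
# SNI is the usual cause with name-based TLS hosts, so it is sent explicitly.
frontend front_https_caddy_h2jammy_43889
    bind *:43889 ssl crt /etc/letsencrypt/live/munetaka.me/haproxy.pem
    default_backend back_https_caddy_h2jammy_43889

backend back_https_caddy_h2jammy_43889
    # re-encrypt, validate the chain against the system bundle (path assumed)
    # and check the certificate name against the SNI value
    server h2jammy_server h2Jammy.yushei.net:43889 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(h2Jammy.yushei.net) check

# Case 2 (Nextcloud on 45101): TLS ends here and the backend is plain HTTP, so
# the app sees http:// and builds its 302 Location with http://. The browser
# then sends cleartext to port 45101, which the log shows as "SSL handshake
# failure (error:0A00009C:SSL routines::http request)". Pass the original
# scheme through so the app generates https:// URLs.
frontend front_https_nextCloud_45101
    bind *:45101 ssl crt /etc/letsencrypt/live/munetaka.me/haproxy.pem
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port %[dst_port]
    option forwardfor
    default_backend back_http_nextCloud_45101

backend back_http_nextCloud_45101
    # cleartext leg: acceptable only on a network segment you control end to end
    server nextcloud_server hc4Noble.yushei.net:45101 check
# Nextcloud side (assumed step): list the proxy in 'trusted_proxies' and set
# 'overwriteprotocol' => 'https' in config.php so it honours the header.
```

Run haproxy -c -f on the result before reloading; with verify required the config check is what reports a CA bundle that cannot be read.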