Initialy i test with mode tcp and that works. The haproxy tcp passthru config is below:
frontend https_in
bind *:443
mode tcp
option forwardfor
option tcplog
log global
default_backend https_backend
backend https_backend
mode tcp
server s1 10.21.0.60:31390 check
server s2 10.21.0.169:31390 check
server s3 10.21.0.173:31390 check
How should a mode http configuration look like? I need to decrypt traffic, inject some headers (like forwarded-for) and encrypt it again, sending it to ssl istio ingress-gateway backend.
My configuration attempts were many (and unsuccessful) here is one snapshot:
frontend https_in
mode http
bind *:443 ssl crt /etc/haproxy/prod.pem crt /etc/haproxy/dev.pem crt /etc/haproxy/stg.pem no-sslv3
option http-server-close
option forwardfor
reqadd X-Forwarded-Proto:\ https
reqadd X-Forwarded-Port:\ 443
rspadd Strict-Transport-Security:\ max-age=15768000
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
acl acl_app1 req_ssl_sni -i mydomain.test
use_backend https_backend if acl_app1
backend https_backend
mode http
server s1 10.21.0.60:31390 check ssl verify none
In haproxy logs i see
haproxy[12734]: Server https_backend/s1 is DOWN, reason: Layer6 invalid response, info: "SSL handshake failure (Connection reset by peer)", check duration: 1ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
haproxy[12734]: Server https_backend/s1 is DOWN, reason: Layer6 invalid response, info: "SSL handshake failure (Connection reset by peer)", check duration: 1ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
haproxy[12734]: backend https_backend has no server available!
If i remove the check, and still try to query haproxy:
haproxy[13381]: https_in~ https_in/<NOSRV> -1/-1/-1/-1/0 503 213 - - SC-- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
I cannot figure the SNI settings to pass from haproxy into istio to make it work.
I cannot find anything usefull in logs from envoyproxy and istio-ingressgateway on debug loglevel either.