Chef Server HA with haproxy


#1

I'm trying to set up Chef Server HA using a load balancer (haproxy) for the two front ends.

I have my own certs (I created a CA for home and my laptop has the root cert installed, so my certs are working and I can sign whatever certs I want).
I'm just not sure how to set up haproxy to properly work with Chef Server HA.
I tried this:

    frontend haproxy_inbound
        bind *:443 ssl crt /etc/ssl/chefha.pem
        mode tcp
        option tcplog
        default_backend haproxy_chef

    backend haproxy_chef
        mode tcp
        balance source
        option ssl-hello-chk
        server chef-ha01.mydomain.local 192.168.1.28:443 check
        server chef-ha02.mydomain.local 192.168.1.29:443 check

and it yields the following error:

400 Bad Request
The plain HTTP request was sent to HTTPS port

Digging in on the error, I found that haproxy is sending non-SSL data to the Chef servers, and the way to solve the issue is by using "ssl verify none" in the backend for each server. However, if I do that, I receive an even nastier error:

Firefox says:
Error code: SEC_ERROR_UNKNOWN_ISSUER
Chrome says:
chefha.mydomain.local didn’t send any data.
ERR_EMPTY_RESPONSE

So I'm stuck here...
Has anyone had experience with haproxy as a load balancer for Chef HA?
I also tried to disable HTTP>HTTPS redirection in Chef, but that didn't seem to be the issue either.


#2

Hi @ezequiell,

Try to add "http-request add-header X-Proto https if { ssl_fc }" in your options.

Best regards,
@gsantos


#3

Thank you!

This did the trick and works well for SSL passthrough!


#4

You're welcome!
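
Added example, not part of the thread and not any poster's configuration: the setup from post #1 laid out so that haproxy terminates TLS, speaks HTTP, and re-encrypts to the Chef front ends with certificate verification instead of "ssl verify none". The CA file path, the timeouts, and the assumption that each backend certificate carries its own hostname are placeholders, not values from the thread.

```haproxy
# Added example. Values marked "assumed" do not come from the thread.
defaults
    mode http
    timeout connect 5s      # assumed
    timeout client  60s     # assumed
    timeout server  60s     # assumed

frontend haproxy_inbound
    # "ssl crt" makes haproxy decrypt client traffic here. The file must hold
    # the certificate, any intermediate chain and the private key, concatenated.
    bind *:443 ssl crt /etc/ssl/chefha.pem
    # After decryption the stream is HTTP, so the proxy runs in http mode;
    # http-request rules are only evaluated in this mode.
    mode http
    option httplog
    # Header from reply #2: set only when the client connection used TLS.
    http-request add-header X-Proto https if { ssl_fc }
    default_backend haproxy_chef

backend haproxy_chef
    mode http
    balance source
    # Without "ssl" on the server line, haproxy sends plain HTTP to port 443,
    # which is what produced "The plain HTTP request was sent to HTTPS port".
    #
    # Weak form mentioned in post #1: encrypted, but any certificate is accepted,
    # so a machine impersonating a backend would not be detected.
    #   server chef-ha01.mydomain.local 192.168.1.28:443 check ssl verify none
    #
    # Verified form: the backend certificate must chain to the home CA and
    # match the expected hostname. The ca-file path is assumed.
    server chef-ha01.mydomain.local 192.168.1.28:443 check ssl verify required ca-file /etc/ssl/home-ca.pem verifyhost chef-ha01.mydomain.local
    server chef-ha02.mydomain.local 192.168.1.29:443 check ssl verify required ca-file /etc/ssl/home-ca.pem verifyhost chef-ha02.mydomain.local
```

For TLS passthrough in the strict sense, the bind line carries no "ssl crt" and both sections stay in tcp mode; haproxy then never sees the HTTP layer, so http-request rules do not apply and the Chef front ends present their own certificates to clients.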