How to configure an SSL certificate for Jira and Confluence with HAProxy?

Raw Main February 28, 2020

Using HAProxy version: 2.1.3

I made these settings in the /etc/haproxy/haproxy.cfg file:

frontend jira
# bind :::8080 v4v6
bind :::443 v4v6 ssl crt /home/user/ssl/server.pem
http-request redirect scheme https unless { ssl_fc }

default_backend jira

frontend confluence
# bind :::8090 v4v6
bind :::443 v4v6 ssl crt /home/user/ssl/server.pem
http-request redirect scheme https unless { ssl_fc }

default_backend confluence

backend jira
balance roundrobin
cookie JIRASESSIONID prefix nocache
http-request add-header X-Forwarded-Proto https if { ssl_fc }
server jira1 [IPv6 IP]:8080 check cookie jira1
server jira2 [IPv6 IP]:8080 check cookie jira2

backend confluence
balance roundrobin
cookie CONFSESSIONID prefix nocache
http-request add-header X-Forwarded-Proto https if { ssl_fc }
server confluence1 [IPv6 IP]:8090 check cookie confluence1
server confluence2 [IPv6 IP]:8090 check cookie confluence2

Before I added the 443 setting, the 8080 and 8090 binds worked well.

But in this case, when I restart haproxy, I get this error:

Job for haproxy.service failed because the control process exited with error code. See "systemctl status haproxy.service" and "journalctl -xe" for details.

When I use journalctl -xe to see the details, I get:

...
Feb 28 17:44:21 server systemd[1]: haproxy.service: control process exited, code=exited status=1
Feb 28 17:44:21 server haproxy[30436]: Errors found in configuration file, check it with 'haproxy check'.
Feb 28 17:44:21 server systemd[1]: Failed to start SYSV: HA-Proxy is a TCP/HTTP reverse proxy which is particularly suited for high
-- Subject: Unit haproxy.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit haproxy.service has failed.
--
-- The result is failed.
Feb 28 17:44:21 server systemd[1]: Unit haproxy.service entered failed state.
Feb 28 17:44:21 server sudo[30429]: pam_unix(sudo:session): session closed for user root
Feb 28 17:44:21 server systemd[1]: haproxy.service failed.
Feb 28 17:44:21 server polkitd[2570]: Unregistered Authentication Agent for unix-process:30430:138824114 (system bus name :1.76278,

Why did it fail to start SYSV?

I am using IPv6 now; how do I configure it correctly?

---

I configured Jira (8.6.1) in <JIRA_INSTALL>/conf/server.xml:

Comment out:

<Connector port="8080" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
acceptCount="100" disableUploadTimeout="true" bindOnInit="false"/>

Uncomment:

<Connector port="8080" relaxedPathChars="[]|" relaxedQueryChars="[]|{}^&#x5c;&#x60;&quot;&lt;&gt;"
maxThreads="150" minSpareThreads="25" connectionTimeout="20000" enableLookups="false"
maxHttpHeaderSize="8192" protocol="HTTP/1.1" useBodyEncodingForURI="true" redirectPort="8443"
acceptCount="100" disableUploadTimeout="true" bindOnInit="false" secure="true" scheme="https"
proxyName="<subdomain>.<domain>.com" proxyPort="443"/>

Maybe it will work if I set the real proxyName.

1 answer

0 votes
Alexis Robert
Community Leader
February 28, 2020

Hi @Raw Main,

I think you have an error because you're trying to bind port 443 for two different backends: HAProxy can't know when it should send the requests to Jira or Confluence.

You should use the following condition in your frontend block for Confluence for example:

acl url_confluence path_beg /confluence
use_backend confluence if url_confluence

and then do the same for Jira. You should then configure Jira and Confluence to use a context path, adding /jira or /confluence to the end of the URL, as described here: https://confluence.atlassian.com/jirakb/change-the-context-path-used-to-access-jira-server-225119408.html

You can have a look at this page, where a solution is given at the end for Jira and Confluence using HAProxy: https://discourse.haproxy.org/t/multiple-backend/4490/6

Let me know if this helps,

--Alexis

Raw Main February 28, 2020

@Alexis Robert 

Hi Alexis,

Thank you very much for your reply. It's very helpful.

One thing: I have to use subdomains, as in:

frontend jira.mysite.com
...

frontend confluence.mysite.com
...

It's not

mysite.com/jira
mysite.com/confluence

How do I configure it in this case?

Alexis Robert
Community Leader
February 29, 2020

Hi @Raw Main,

You will have to use the following syntax to route based on your subdomain:

# Define hosts
acl host_jira hdr(host) -i jira.mysite.com
acl host_confluence hdr(host) -i confluence.mysite.com

# Figure out which one to use
use_backend jira_backend if host_jira
use_backend confluence_backend if host_confluence

Let me know if this helps,

--Alexis
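Added example, not part of the thread: a small stdlib-only Python checker that scans an haproxy.cfg for the routing mistakes this exchange turns on (one port bound by two frontends, an if/unless condition split onto its own line, and use_backend naming a backend or ACL that is never defined). The sample config is constructed to mirror the postings above, not anyone's real file.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the configs in this thread (not the poster's real file).
SAMPLE_CFG = """\
frontend jira
    bind :::443 v4v6 ssl crt /home/user/ssl/server.pem
frontend confluence
    bind :::443 v4v6 ssl crt /home/user/ssl/server.pem
    acl host_jira hdr(host) -i jira.mysite.com
    use_backend jira_backend
    if host_jira
    use_backend confluence if host_confluence
backend jira
    server jira1 [2001:db8::1]:8080 check
"""

def lint_haproxy(cfg):
    """Warn about: a port bound by several frontends, an if/unless condition on its
    own line, and use_backend/default_backend naming an undefined backend or ACL."""
    section, uses, dangling, backends = None, [], [], set()
    binds, acls = defaultdict(set), defaultdict(set)  # port -> frontends; frontend -> ACL names
    for lineno, raw in enumerate(cfg.splitlines(), 1):
        words = raw.split("#", 1)[0].split()          # drop comments, tokenize
        kw = words[0] if words else ""
        if kw in ("global", "defaults", "frontend", "backend", "listen"):
            section = words[1] if len(words) > 1 else kw
            if kw in ("backend", "listen"):
                backends.add(section)
        elif kw == "bind":
            binds[words[1].rsplit(":", 1)[-1]].add(section)
        elif kw == "acl":
            acls[section].add(words[1])
        elif kw in ("use_backend", "default_backend"):
            # anonymous ACLs such as { ssl_fc } are dropped; named ACL tokens are kept
            cond = re.sub(r"\{[^}]*\}", "", " ".join(words[3:])).split()
            uses.append((lineno, section, words[1], cond))
        elif kw in ("if", "unless"):
            dangling.append(lineno)
    out = [f"port {p} is bound by frontends {sorted(f)}; which one accepts a connection is not decided by your rules"
           for p, f in binds.items() if len(f) > 1]
    out += [f"line {n}: condition on its own line; write 'use_backend <name> if <acl>' on one line" for n in dangling]
    for lineno, fe, be, cond in uses:
        if be not in backends:
            out.append(f"line {lineno}: backend '{be}' is not defined")
        for name in (t.lstrip("!") for t in cond if t.lstrip("!") not in ("", "||", "or")):
            if name not in acls[fe]:
                out.append(f"line {lineno}: ACL '{name}' is not defined in frontend '{fe}'")
    return out
```

Routing two hostnames through one frontend on :443 also means the `crt` file must cover both names (SAN or wildcard certificate), or `crt` must point at a directory of per-host certificates so HAProxy can pick one by SNI.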

Raw Main February 29, 2020

Hi @Alexis Robert ,

I think you mean:

frontend http_https
bind *:443 ssl crt /home/user/ssl/server.pem
http-request redirect scheme https unless { ssl_fc }

acl host_jira hdr(host) -i jira.mysite.com
acl host_confluence hdr(host) -i confluence.mysite.com

use_backend jira if host_jira
use_backend confluence if host_confluence

backend jira
balance roundrobin
cookie JIRASESSIONID prefix nocache
http-request add-header X-Forwarded-Proto https if { ssl_fc }
server jira1 [IPv6 IP]:8080 check cookie jira1
server jira2 [IPv6 IP]:8080 check cookie jira2

backend confluence
balance roundrobin
cookie CONFSESSIONID prefix nocache
http-request add-header X-Forwarded-Proto https if { ssl_fc }
server confluence1 [IPv6 IP]:8090 check cookie confluence1
server confluence2 [IPv6 IP]:8090 check cookie confluence2

But after I restart haproxy:

$ sudo systemctl restart haproxy

Again I got this error:

Job for haproxy.service failed because the control process exited with error code. See "systemctl status haproxy.service" and "journalctl -xe" for details.

When I check the details with "journalctl -xe", I get:

...
-- The result is failed.
Mar 01 14:02:41 server systemd[1]: Unit haproxy.service entered failed state.
Mar 01 14:02:41 server systemd[1]: haproxy.service failed.
Mar 01 14:02:41 server polkitd[2570]: Unregistered Authentication Agent for unix-process:5802:154774153 (system bus name :1.85445,
Mar 01 14:02:41 server sudo[5801]: pam_unix(sudo:session): session closed for user root
Mar 01 14:02:48 server sudo[5822]: user : TTY=pts/0 ; PWD=/home/user/haproxy-2.1.3 ; USER=root ; COMMAND=/bin/vi /etc/h
Mar 01 14:02:48 server sudo[5822]: pam_unix(sudo:session): session opened for user root by user(uid=0)
Mar 01 14:02:56 server sudo[5822]: pam_unix(sudo:session): session closed for user root
Mar 01 14:02:58 server sudo[5831]: user : TTY=pts/0 ; PWD=/home/user/haproxy-2.1.3 ; USER=root ; COMMAND=/bin/systemctl
Mar 01 14:02:58 server sudo[5831]: pam_unix(sudo:session): session opened for user root by user(uid=0)
Mar 01 14:02:58 server polkitd[2570]: Registered Authentication Agent for unix-process:5833:154775818 (system bus name :1.85448 [/u
Mar 01 14:02:58 server systemd[1]: Starting SYSV: HA-Proxy is a TCP/HTTP reverse proxy which is particularly suited for high availa
-- Subject: Unit haproxy.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit haproxy.service has begun starting up.
Mar 01 14:02:58 server haproxy[5839]: Enter PEM pass phrase:
Mar 01 14:02:58 server haproxy[5839]: [ALERT] 060/140258 (5843) : parsing [/etc/haproxy/haproxy.cfg:64] : 'bind *:443' : unable to
Mar 01 14:02:58 server haproxy[5839]: [ALERT] 060/140258 (5843) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
Mar 01 14:02:58 server haproxy[5839]: [ALERT] 060/140258 (5843) : Fatal errors found in configuration.
Mar 01 14:02:58 server haproxy[5839]: Errors found in configuration file, check it with 'haproxy check'.
Mar 01 14:02:58 server systemd[1]: haproxy.service: control process exited, code=exited status=1
Mar 01 14:02:58 server systemd[1]: Failed to start SYSV: HA-Proxy is a TCP/HTTP reverse proxy which is particularly suited for high
-- Subject: Unit haproxy.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit haproxy.service has failed.
--
-- The result is failed.
Mar 01 14:02:58 server systemd[1]: Unit haproxy.service entered failed state.
Mar 01 14:02:58 server systemd[1]: haproxy.service failed.
Mar 01 14:02:58 server sudo[5831]: pam_unix(sudo:session): session closed for user root
Mar 01 14:02:58 server polkitd[2570]: Unregistered Authentication Agent for unix-process:5833:154775818 (system bus name :1.85448,

It showed:

parsing [/etc/haproxy/haproxy.cfg:64] : 'bind *:443' : unable to

Usually this is because HAProxy was installed without OpenSSL support. So I tried to reinstall haproxy from source:

make TARGET=linux-glibc USE_OPENSSL=1 USE_PCRE=1 USE_ZLIB=1
sudo make install

Then I can see OpenSSL there:

$ haproxy -vv | grep OpenSSL
Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2

I ran this check, following https://discourse.haproxy.org/t/haproxy-not-starting-with-ssl-configuration/2330:

haproxy -c -f haproxy.cfg

It asks me to input a passphrase:

Enter PEM pass phrase:

I only have a .csr file and a .pem file (maybe they weren't created by OpenSSL). I don't know the passphrase.
How do I use it correctly?
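Added example (mine, not from the thread): a stdlib-only Python inspector for the file handed to `bind ... ssl crt`, reporting which PEM blocks it holds and whether the private key is passphrase-protected, which is what produces the "Enter PEM pass phrase" prompt above. The sample PEM strings are constructed placeholders, not real certificates or keys.

```python
import re
import sys

# Constructed samples with placeholder bodies (no real key material).
SAMPLE_OK = ("-----BEGIN CERTIFICATE-----\nQ0VSVA==\n-----END CERTIFICATE-----\n"
             "-----BEGIN PRIVATE KEY-----\nS0VZ\n-----END PRIVATE KEY-----\n")
SAMPLE_ENCRYPTED = ("-----BEGIN CERTIFICATE-----\nQ0VSVA==\n-----END CERTIFICATE-----\n"
                    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\nS0VZ\n"
                    "-----END RSA PRIVATE KEY-----\n")
SAMPLE_CSR_ONLY = "-----BEGIN CERTIFICATE REQUEST-----\nQ1NS\n-----END CERTIFICATE REQUEST-----\n"

# One PEM block: label, then everything up to the matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def inspect_pem(text):
    """Report what HAProxy's crt loader will find: block types, presence of a
    certificate and a private key, and whether the key needs a passphrase."""
    blocks = [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]
    types = [t for t, _ in blocks]
    # PKCS#8 encrypted keys announce it in the label; legacy keys in a Proc-Type header
    encrypted = any(t == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body
                    for t, body in blocks)
    problems = []
    if any("REQUEST" in t for t in types):
        problems.append("contains a certificate signing request (.csr); HAProxy needs the signed certificate the CA returned")
    if "CERTIFICATE" not in types:
        problems.append("no CERTIFICATE block")
    if not any(t.endswith("PRIVATE KEY") for t in types):
        problems.append("no PRIVATE KEY block; concatenate certificate, chain and key into one file")
    if encrypted:
        problems.append("private key is passphrase-protected, so haproxy will stop at 'Enter PEM pass phrase'")
    return {"types": types, "encrypted_key": encrypted, "problems": problems}

def inspect_pem_file(path):
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        return inspect_pem(fh.read())

if __name__ == "__main__":
    for path in sys.argv[1:]:
        report = inspect_pem_file(path)
        print(path, report["types"], *(report["problems"] or ["looks loadable by 'bind ... ssl crt'"]), sep="\n  ")
```

HAProxy has no way to type a passphrase when systemd starts it, so the key in the crt file must be stored unencrypted: `openssl pkey -in encrypted.key -out plain.key` writes such a copy, which should be root-owned with mode 0600 and appended to the certificate. A .csr is only the request sent to the CA; the signed certificate it returns is what belongs in the file.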

Adam Hagen February 22, 2024

If anyone runs across this post in the future I wanted to add the probable fix. I'd wager that selinux was blocking haproxy from binding to 443. I only post this because the changes Alexis pointed out and made to the haproxy.cfg definitely would've stopped haproxy from starting as well.

If your config checks out with 'haproxy -c -f /etc/haproxy/haproxy.cfg' but the service fails to start on a system with selinux, it's selinux.
