Discussion:
haproxy used to redirect sql server with ssl
Marcos Gonzalez
2018-10-29 15:42:51 UTC
Hi list

I'm using haproxy to redirect traffic directly to backend server. We are
looking how to load balance sql servers directly, and this works, but I
don't know how to add ssl support.

I'm using this config setup and it works fine:

listen mysql-cluster
    bind 0.0.0.0:3307 ssl crt /etc/ssl/certs/cert.pem
    mode tcp
    option mysql-check user admin
    server mysql1 192.168.1.110:3307

The only point where it is failing is precisely ssl support. Can someone help me
with the code to see where the problem is?

The line around ssl only works if I remove the ssl cert:

bind 0.0.0.0:3307 # ssl crt /etc/ssl/certs/cert.pem

Haproxy only needs to connect to a backend server with mysql using port
3307, and our objective is to enable ssl support.
In the global section we have:

ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3

I can't see where the problem can be, any idea?

Thanks

--
Igor Cicimov
2018-10-30 06:27:59 UTC
Post by Marcos Gonzalez
Hi list
I'm using haproxy to redirect traffic directly to backend server. We are looking how to load balance sql servers directly, and this works, but I don't know how to add ssl support.
I'm using this config setup and it works fine:
listen mysql-cluster
bind 0.0.0.0:3307 ssl crt /etc/ssl/certs/cert.pem
mode tcp
option mysql-check user admin
server mysql1 192.168.1.110:3307
The only point where it is failing is precisely ssl support. Can someone help me with the code to see where the problem is?
bind 0.0.0.0:3307 # ssl crt /etc/ssl/certs/cert.pem
Haproxy only needs to connect to a backend server with mysql using port 3307, and our objective is to enable ssl support.
In the global section we have:
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
I can't see where the problem can be, any idea?
Thanks
In tcp mode you will have to enable ssl in the mysql servers as it is
pass-through.
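
Background to the reply above, as an added example that is not part of the original thread: MySQL negotiates TLS inside its own protocol (the server greets in cleartext, then the client sends an SSLRequest packet before any TLS record), while a `bind ... ssl` listener expects a TLS ClientHello as the very first bytes. All packets below are constructed samples and the function names are hypothetical.

```python
import struct

CLIENT_SSL = 0x0800          # MySQL capability flag: TLS offered / requested
CLIENT_PROTOCOL_41 = 0x0200

def mysql_packet(seq, payload):
    """Frame a payload: 3-byte little-endian length, then 1-byte sequence id."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload

def build_greeting(tls=True):
    """Constructed, minimal server greeting (protocol v10); values are made up."""
    caps_low = 0xFFFF if tls else 0xFFFF & ~CLIENT_SSL
    payload = (b"\x0a" + b"8.0.0-constructed\0" + struct.pack("<I", 1)
               + b"A" * 8 + b"\0"                  # auth data part 1, filler
               + struct.pack("<HBHH", caps_low, 0x21, 2, 0)
               + b"\0" * 11)                       # auth data length + reserved
    return mysql_packet(0, payload)

def build_ssl_request():
    """Constructed 32-byte SSLRequest the client sends before starting TLS."""
    body = struct.pack("<IIB", CLIENT_SSL | CLIENT_PROTOCOL_41, 1 << 24, 0x21)
    return mysql_packet(1, body + b"\0" * 23)

def server_offers_tls(greeting):
    """Read the lower capability flags out of a server greeting."""
    payload = greeting[4:]
    pos = payload.index(b"\0", 1) + 1 + 4 + 8 + 1  # skip version, id, auth, filler
    return bool(struct.unpack_from("<H", payload, pos)[0] & CLIENT_SSL)

def classify_first_bytes(data):
    """Label the first bytes seen on a freshly opened connection."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-client-hello"        # what a `bind ... ssl` listener waits for
    if len(data) >= 8:
        length, seq = int.from_bytes(data[:3], "little"), data[3]
        if seq == 0 and data[4] == 0x0A and length == len(data) - 4:
            return "mysql-server-greeting"   # server speaks first, in cleartext
        if seq == 1 and length >= 32:
            caps = struct.unpack_from("<I", data, 4)[0]
            is_ssl = length == 32 and caps & CLIENT_SSL
            return "mysql-ssl-request" if is_ssl else "mysql-cleartext-login"
    return "unknown"

TLS_HELLO_PREFIX = b"\x16\x03\x01\x02\x00\x01"   # constructed TLS record start

if __name__ == "__main__":
    for blob in (build_greeting(), build_ssl_request(), TLS_HELLO_PREFIX):
        print(classify_first_bytes(blob))
```

Seeing `mysql-cleartext-login` after a greeting that offers TLS means the client did not request encryption, which is the case to check for when the proxy is only passing bytes through.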
Marcos Gonzalez
2018-10-31 08:45:34 UTC
Hi

haproxy can connect as backend to the sql server and you can use ssl to make
this connection. I need to use haproxy to forward the connection to AWS using
MYSQL

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_ConnectToInstance.html

And my problem is how to pass the ssl certificate.

Do I need to enable http mode?

Thanks!
