HAProxy return 502 Bad Gateway


I want to forward the traffic from https://demo2.company.com:8443 to the internal address 10.11.0.6, i.e. https://10.11.0.6:8443

But I get an 502 Bad Gateway error:

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    maxconn 2048
    tune.ssl.default-dh-param   2048
    tune.maxrewrite             4096
    user haproxy
    group haproxy
    # Default SSL material locations
    ca-base /etc/ssl/certs/data.company.com/company.com.crt
    crt-base /etc/ssl/certs/data.company.com/company.com.key
    daemon

defaults
    log                     global
    mode                    http
    option                  forwardfor
    option                  http-server-close
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 2048

frontend cloud.company.com
    bind *:8443 ssl crt /etc/ssl/certs/data.company.com/company.com.pem
    http-request add-header X-forwarded-Proto: https
    http-request add-header X-forwarded-Port: 8443
    http-response add-header Strict-Transport-Security: max-age=15768000

    log-format "%ci:%cp [%[src,map_ip(/etc/haproxy/haproxy_geo_ip.txt)]] [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq"

# --- GEO Block
    acl acl_geoloc_block src,map_ip(/etc/haproxy/haproxy_geo_ip.txt) -m reg -i (CH|AT|DE|IT|FR)
    use_backend block_geo if !acl_geoloc_block
# ---
    
    acl is_demo1 ssl_fc -i demo1.company.com   #10.11.0.2
    acl is_demo2 ssl_fc -i demo2.company.com   #10.11.0.6

    use_backend demo1 if is_demo1
    use_backend demo2 if is_demo2

backend block_geo
    timeout tarpit 5s
    errorfile 404 /etc/haproxy/errors/403.http
    http-request tarpit deny_status 404

backend demo1
    mode http
    server demo1 10.11.0.2:8443 check


backend demo2
    redirect scheme https if !{ ssl_fc }
    server demo2 10.11.0.6:8443 check

I guess it is a problem with the SSL?

I want to use my own SSL certificate at the frontend. It should not show the SSL certificate from the backend server.

I tried different SSL commands, but I always get the same error. I would like to get the HTTP content from the backend server.

tbielaszewski

Two things I notice:

  1. acl is_demo1 ssl_fc -i demo1.company.com #10.11.0.2 - those ACLs look weird and probably don't match what you think they match. ssl_fc is a boolean saying only whether the connection was over SSL or not. ssl_fc_sni could work to match the SNI against your domains, but the haproxy manual recommends relying on the HTTP Host header instead, e.g. acl is_demo1 hdr(host) -i demo1.company.com
  2. Assuming your backends serve content over HTTPS, their server lines lack the ssl keyword, e.g. server demo2 10.11.0.6:8443 check ssl verify none or server demo2 10.11.0.6:8443 check ssl verify required ca-file /path/to/ca/file
     Some other SSL-related options (e.g. sni demo2.company.com) may be required for your backend to work properly.
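Putting both points of the answer together, here is a corrected frontend/backend pair. This is an added example, not the poster's config or the answerer's code. It keeps the hostnames, addresses and certificate path from the question; the CA bundle path /etc/haproxy/internal-ca.pem and the geo-block lines are assumptions. Two details beyond the answer are worth knowing: the Host header of an HTTP/1.1 request to a non-default port carries the port (demo2.company.com:8443), so an exact hdr(host) match would silently fail and send every request to the default backend, and a bare ssl with verify none means HAProxy will happily talk to anything on 10.11.0.6, so pin the origin CA instead.

```haproxy
frontend cloud.company.com
    # TLS is terminated here with the public certificate; the backend's own
    # certificate is never shown to clients.
    bind *:8443 ssl crt /etc/ssl/certs/data.company.com/company.com.pem

    # Header names take no trailing colon in HAProxy. set-header (rather than
    # add-header) overwrites any value a client may have sent.
    http-request  set-header X-Forwarded-Proto https
    http-request  set-header X-Forwarded-Port  8443
    http-response set-header Strict-Transport-Security max-age=15768000

    # --- GEO block (unchanged in substance from the question; assumed map file)
    acl acl_geoloc_block src,map_ip(/etc/haproxy/haproxy_geo_ip.txt) -m reg -i (CH|AT|DE|IT|FR)
    use_backend block_geo if !acl_geoloc_block

    # Route on the Host header, as the answer recommends. ssl_fc is only a
    # boolean (true for every request on this ssl bind), so the original ACLs
    # could never select a backend. hdr_dom treats '.' and ':' as delimiters,
    # so "demo2.company.com:8443" still matches.
    acl is_demo1 hdr_dom(host) -i demo1.company.com   # 10.11.0.2
    acl is_demo2 hdr_dom(host) -i demo2.company.com   # 10.11.0.6

    use_backend demo1 if is_demo1
    use_backend demo2 if is_demo2
    # Anything that matched no ACL is refused instead of falling through.
    http-request deny deny_status 421

backend block_geo
    timeout tarpit 5s
    errorfile 403 /etc/haproxy/errors/403.http   # status and file now agree
    http-request tarpit deny_status 403

backend demo1
    # 'ssl' re-encrypts toward the origin; 'verify required' + ca-file pins
    # the internal CA (assumed path); 'sni str(...)' sends SNI on proxied
    # connections and 'check-sni' does the same for health checks, so an
    # origin that selects its certificate by name does not reset the handshake.
    server demo1 10.11.0.2:8443 check ssl verify required ca-file /etc/haproxy/internal-ca.pem \
           verifyhost demo1.company.com sni str(demo1.company.com) check-sni demo1.company.com

backend demo2
    # The 'redirect scheme https' from the question is dropped: the only bind
    # is ssl, so ssl_fc is always true in this backend and the rule never fires.
    server demo2 10.11.0.6:8443 check ssl verify required ca-file /etc/haproxy/internal-ca.pem \
           verifyhost demo2.company.com sni str(demo2.company.com) check-sni demo2.company.com
```

Validate with haproxy -c -f /etc/haproxy/haproxy.cfg before reloading, then watch the health check: with the ssl keyword missing, the check itself fails ("Layer7 wrong status" or a connection reset in the log, and the server shows DOWN on the stats socket), which is why every request produced a 502. To exercise the routing from outside without touching DNS, use curl -v --resolve demo2.company.com:8443:<haproxy-ip> https://demo2.company.com:8443/ and confirm in the HAProxy log that %b/%s reports demo2/demo2 rather than the default backend. If the origin presents a certificate for a name other than demo2.company.com, relax verifyhost first rather than dropping verification altogether.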