Home/ Questions/Q 8658203
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-12T15:42:25+00:00

I have setup the new version of haproxy but I need to disable TLS

  • 0

I have setup the new version of haproxy but I need to disable TLS and the “notlsv1” keyword doesn’t works.
In my actual configuration, I use stud to manage https sessions with these parameters:

-B 1000 -n 8 -b 127.0.0.1 8080 -f *,443 –ssl -c ALL –write-proxy

And I’m trying to replace him by the new haproxy version.

My configuration file:

global
  log 127.0.0.1   local0 info
  maxconn 32000
  user haproxy
  group haproxy
  daemon
  nbproc 1
  stats socket    /tmp/haproxy.sock

defaults
  timeout connect 10000
  timeout client 30000
  timeout server 30000

listen ha_stats 0.0.0.0:8088
  balance source
  mode http
  timeout client 30000ms
  stats enable
  stats uri /lb?stats

frontend https-requests
   mode http
   bind :80
   bind :443 ssl crt ./haproxy.pem notlsv1
   acl is_front hdr(host) -i front.mydomain.com
   acl is_service hdr(host) -i service.mydomain.com
   use_backend bkfront if is_front
   use_backend bkservice if is_service

   default_backend mydomain.com

backend mydomain.com
    mode http
    server mywebsite www.mydomain.com:80

backend bkfront
    mode http
    balance roundrobin
    option httpchk GET / HTTP/1.1\r\nHost:\ front.mydomain.com

     server web05 192.168.200.5:80 check

    backend bkservice
      mode http
      balance roundrobin
      option httpchk GET / HTTP/1.1\r\nHost:\ service.mydomain.com

      server web01 192.168.200.1:80 check

The http and https sessions work very well with firefox but I have problems with chrome and Internet explorer. To solve them, with Stud I need to add –ssl.

Thanks,

SOLUTION:

Thanks to Willy for his help. Below I give the commands to solve this problem:

wget http://haproxy.1wt.eu/download/1.5/src/devel/haproxy-1.5-dev12.tar.gz
wget http://haproxy.1wt.eu/download/1.5/src/snapshot/haproxy-1.5-dev12-patches-LATEST.tar.gz
tar xvzf haproxy-1.5-dev12.tar.gz
mv haproxy-1.5-dev12-patches-LATEST.tar.gz haproxy-1.5-dev12
cd haproxy-1.5-dev12/
tar xvzf haproxy-1.5-dev12-patches-LATEST.tar.gz
patch -p1 < haproxy-1.5-dev12-patches-20121009/*.diff
make TARGET=linux26 USE_OPENSSL=1
sudo make PREFIX=/opt/haproxy-ssl install

And replace:

bind :443 ssl crt ./haproxy.pem notlsv1

to:

bind :443 ssl crt ./haproxy.pem force-sslv3
Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This is because in OpenSSL, notlsv1 only disables TLSv1.0, not later versions ! If you need this, you’d better download the latest snapshot from the site and use “force-sslv3” instead of “notlsv1”. It will force use of SSLv3 exclusively and do what you currently have with stud.

    • 0