HAProxy as TCP load balancer (SSL passthrough) not working?

Question

i am having some trouble setting up HAProxy as a TCP load balancer (layer 4) and i would like to have your advice about it.

i've been following many guides on the web and i came up with this configuration (not showing any errors in the logs, it starts well) :

note : real domain names are masked

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
 daemon
 user                haproxy
 group               haproxy
 log                 /dev/log local6 debug
 maxconn             50000
 chroot              /var/lib/haproxy
 pidfile             /var/run/haproxy.pid

#---------------------------------------------------------------------
# common defaults 
#---------------------------------------------------------------------
defaults
 mode                 tcp
 log                  global
 option               dontlognull
 timeout connect      5000
 timeout client       50000
 timeout server       50000

#---------------------------------------------------------------------
# dedicated stats page
#---------------------------------------------------------------------
listen stats
 mode http
 bind :22222
 stats enable
 stats uri            /haproxy?stats
 stats realm          Haproxy\ Statistics
 stats auth           xxxxxx:xxxxxxxx
 stats refresh        30s

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend main_https_listen
 bind *:443
 mode                tcp
 option              tcplog

# -------------------------------
# ACLs - SIT
# -------------------------------

acl acl_SIT_CI5      req.ssl_sni -i url1.domain.net
acl acl_SIT_HR8      req.ssl_sni -i url2.domain.net

# -------------------------------
# Conditions - SIT
# -------------------------------

use_backend backend_SIT_CI5 if acl_SIT_CI5
use_backend backend_SIT_HR8 if acl_SIT_HR8

#---------------------------------------------------------------------
# Backends
#---------------------------------------------------------------------

backend backend_SIT_CI5
 mode tcp
 balance source
 option ssl-hello-chk
 server server_SIT_CI5_1 host1.domain.net:443 check
 server server_SIT_CI5_2 host2.domain.net:443 check

backend backend_SIT_HR8
 mode tcp
 balance source
 option ssl-hello-chk
 server server_SIT_HR8_1 host1.domain.net:443 check
 server server_SIT_HR8_2 host2.domain.net:443 check

i've pointed host1.domain.net to my haproxy vIP (it has a keepalived configuration behind with a Virtual IP).

now when accessing https://url1.domain.net (or even https://loadbalancerURL but i assume this is normal on that one) i have an error This page can't be displayed. Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://host1.domain.net again.

a single openssl s_client gives a ssl handshake failure (no certificates blabla).

do you have any idea of what i did wrong ? also, do i need to setup some certificates as i'm listening on 443 ? (even if i don't want these certs to be decrypted or whatever as i only want my HAProxy to act as a proxy).

i also tried to activate debug mode for logging but it didnt show any errors (nor new logs)

note : the backends are located behind firewalls, the communication between backends to HAProxy is not opened on 443 (only FROM Haproxy to the backends), does it need to be directional ? and why ?

note2: in haproxy stats, i can see all backends UP

also, is there a way to know/check if a redirection based on hostname (SNI) is working fine or not ? (i have the impression that the connection stays at the load balancer and is not redirected to the backend, and this is why i have an error)

a haproxy -vv gives :

HA-Proxy version 1.5.18 2016/05/10
Copyright 2000-2016 Willy Tarreau <willy@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
  OPTIONS = USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1     USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.2k-fips  26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips  26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT     IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Answer 1

The two lines that you have addded ensure that HAProxy has enough time to read the SNI header before chooisng a backend, and also checking it is actually SSL traffic (else rejecting it).

You probably also want to select a default backend:

default_backend backend_SIT_CI5

for an SNI that doesn't match.

Answer 2

ew, i made it working by adding this in the frontend (after looking at this post:)

tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }

the thing is, i don't know what these options are doing.. or why i need to specify them. does it mean that the HAProxy default behavior is to reject anything ?