Haproxy module does not honour ssl.verification_mode: 'none'

Our hosting provider runs haproxy for us and we have access to the stats interface. We have been using a custom script to extract stats, but since metricbeat has a haproxy module, it would be nice to use that instead.

The stats backend is available over HTTPS with authentication and a self-signed certificate. I have no control over that. I found the various options I should use to configure that, and even appended the trailing slash on the URL so that the port number does not get ";csv" appended, but I cannot get it to work.

It looks as if the ssl.verification_mode: none is ignored, as the error I get when testing the config is: x509: cannot validate certificate for 10.5.101.1 because it doesn't contain any IP SANs

Config:

- module: haproxy
  metricsets: ["stat"]
  hosts: ["https://10.5.101.1:7500/"]
  ssl.verification_mode: 'none'
  username: 'user'
  password: 'pass'
  period: 10s
  enabled: true

Output:

haproxy...
  stat...
    error... ERROR failed fetching haproxy stat: couldn't connect: Get https://user:pass@10.5.101.1:7500/;csv: x509: cannot validate certificate for 10.5.101.1 because it doesn't contain any IP SANs

To the best of my understanding, it should not be trying to validate the cert at all! This is metricbeat 6.8.4 running in a docker container. The other modules I have enabled work fine (but don't get their data off an HTTPS URL).

Update: using Docker IP/hostname mapping to assign short (and then full) hostnames to check produces different errors, eventually culminating in "x509: certificate signed by unknown authority", so most definitely the module tries to verify the cert, despite being told not to.
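The two x509 errors quoted in the post above can be reproduced with Go's standard TLS client. This is an added example, not part of the original thread and not Metricbeat's code: it shows that the name check runs before the trust check, and that trusting only the one self-signed certificate under its own name passes verification without turning verification off. The name `haproxy.example.internal`, the helpers `must`, `fetch` and `probe`, and the in-process test server are assumptions made for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// fetch GETs url, verifying the server certificate against roots and serverName.
func fetch(url string, roots *x509.CertPool, serverName string) error {
	tr := &http.Transport{DisableKeepAlives: true, TLSClientConfig: &tls.Config{RootCAs: roots, ServerName: serverName}}
	resp, err := (&http.Client{Transport: tr, Timeout: 5 * time.Second}).Get(url)
	if err == nil {
		resp.Body.Close()
	}
	return err
}

// probe connects by IP, by name without trust, and by name with only that cert trusted.
func probe() (byIP, byName, pinned error) {
	name := "haproxy.example.internal" // constructed name, not from the thread
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name}, // DNS SAN, no IP SANs
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)) // self-signed
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	srv.StartTLS() // listens on 127.0.0.1, so srv.URL addresses the server by IP
	defer srv.Close()
	trust, empty := x509.NewCertPool(), x509.NewCertPool() // empty: a trust store lacking this cert
	trust.AddCert(must(x509.ParseCertificate(der)))
	return fetch(srv.URL, empty, ""), fetch(srv.URL, empty, name), fetch(srv.URL, trust, name)
}

func main() { fmt.Println(probe()) }
```

Setting `ServerName` here plays the role of the hostname mapping described in the update: the client still dials the IP address but checks the certificate against the name.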

Hi @cafuego,

I think you are right, haproxy doesn't allow for SSL settings. Could you please open a new issue to request this in our repo? https://github.com/elastic/beats/issues/new?template=feature-request.md

As a workaround, have you considered using unix sockets for this?

Best regards

Hi @exekias,

I have no access (except via https) to the haproxy instances, so I can't access the socket file on the haproxy hosts.

Issue is https://github.com/elastic/beats/issues/14579
