404 not found requested route does not or 502 bad gateway

Trying to use haproxy to balance requests to a few urls in aws cloud from inside our business network. I keep getting 404 not found for the host IP where haproxy is running if i remove the acl’s, if leave the acl’s i get 502 bad gateway

here is the config.

log local2
maxconn 500
#ssl-server-verify none

log global
option dontlognull
option redispatch
timeout connect 30000
timeout client 60000
timeout server 60000
default-server init-addr none
retries 999

resolvers dnsserver
nameserver public-0
hold valid 100ms
resolve_retries 3

frontend https
bind *:443 npn spdy/2 alpn h2,http/1.1
option tcplog
mode tcp
acl oauth path_end -i /oauth
acl devices path_end -i /devices

use_backend back_oauth if oauth
use_backend back_devices if devices

backend back_oauth
mode tcp
#option ssl-hello-chk
server host1 https://test.io:443/oauth/token?grant_type=client_credentials resolvers dnsserver check ssl

backend back_devices
mode http
#option ssl-hello-chk
server host1 https://test.io:443/devices resolvers dnsserver check

listen stats
bind *:8080
mode http
stats enable

just to verify a few things
im using haproxy 1.7

DNS seems to be working fine.
I can use ACL’s with tcp mode right ?
does everything look ok above ?
Eventually I have to use a certificate but for now im just trying to hit with postman and ignore cert.

thanks for any help

No, you cannot use ACL in TCP mode. You also cannot announce spdy or H2 support, if neither haproxy or your backend supports it. You also need to decide whether you want to decrypt SSL at haproxy or not.

Invalid, you need to specify IP:port or hostname:port, not an URI.

same here.

If you can explain what you are trying to do, I can help. But the configuration is completely wrong on a number of levels, so I’m unable to guess what you are trying to achieve exactly.


I have to use URLs i dont have IP’s the redirection is to cloud where there is no IP only url.

Here is what i am trying to do.

i have a dozen or so requests that have to come from 1 server at a site…to cloud. This host where haproxy is running is in the middle.
So a request will come in, hit this haproxy on port 443 and based on which url it is…

ie /oauth
or /devices
or i have a bunch of other ones.

It should transparently move that request to the url in cloud.
It must be on port 443

as for the cert - there needs to be a cert handshake so haproxy should not terminate the cert, it should just pass the request through transparently. So the cloud app will look at cert and it should accept it from the requesting server, not from haproxy. hopefully i explained this so its understandable.

fyi - i checked the stat page and it looks as if dns resolution is happening ok as It shown UP for the backend

What you are trying to do is technically impossible.

HTTPS means it’s encrypted with TLS. You cannot read the URI from those requests, unless you decrypt it first.

im trying to do a ssl passthrough, so it just passes the cert along with out terminating it, so far i got it passing the request through but the issue now is that the server with the cert is seeing the host as different so in the haproxy logs im seeing this

localhost haproxy[20410]: [05/Jun/2019:14:56:02.681] https https/ -1/-1/0 0 SC 0/0/0/0/0 0/0

and in postman i get back a 404 with an error from the server (not haproxy server)
404 Not Found: Requested route (‘IP of haproxy here:443’) does not exist.

frontend https
bind *:443
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
option tcplog
mode tcp

#use_backend back_oauth if { req_ssl_sni -i test.io }
default_backend back_oauth

backend back_oauth
mode tcp
option ssl-hello-chk
server host1 https:/test.io:443/oauth/token?grant_type=client_credentials resolvers dnsserver check

so its sending the request to the server which is good, but the server is seeing the request header as the IP of the server with haproxy on it.
any idea what im doing wrong ?

First of all you need to fix that server statement. I already told you you cannot specify a URL there.

You probably want:

server host1 test.io:443 resolvers dnsserver check

Your browser does not send the Host header your backend expects (and the neither is the SNI value correct at this point). You need to point the DNS records to your haproxy box and use the correct hostname in the browser, than your backend will find it.