ACL path_beg doesn't work with my SNI

Hi!

I’m very new to Haproxy and how to set up different rules in my frontend.
My problem right now is how I make my SNI work with the path ACL; everything works fine without it, but when I try to use my path_beg it doesn't work. Is there something obvious that I did wrong in my configuration, or maybe I need to do it in a different way?

I have made different tests and even tried using another port (URL:port) and everything works; it's only the path that is the problem.

frontend test
    bind *:443 ssl crt /etc/haproxy/certs/ strict-sni
    mode http
    option httplog
    maxconn 2000
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    acl camera1 path_beg camera1
    acl test-site1 ssl_fc_sni -i test-site1.example.com
    acl monitor ssl_fc_sni -i monitor.example.com
    acl test-site2 ssl_fc_sni -i test-site2.example.com

    use_backend camera-test-1 if test-site1 camera1
    use_backend monitor-test if monitor
    use_backend default-test-1 if test-site1
    use_backend default-test-2 if test-site2

First of all, you must not use ssl_fc_sni. Replace it all with hdr(host):

http://docs.haproxy.org/2.6/configuration.html#7.3.4-ssl_fc_sni

CAUTION! Except under very specific conditions, it is normally not correct to
use this field as a substitute for the HTTP “Host” header field.

You should also remove the tcp-request rules, they are only needed for SNI matching with req.ssl_sni (SSL passthrough, not SSL termination).

Regarding path:

A path always begins with a /, so your path_beg rule should probably be:

acl camera1 path_beg /camera1

Hi!

Ah, shoot… the / was a copy/paste mistake by me…

But is this more correct?

frontend test
bind *:443 ssl crt /etc/haproxy/certs/ strict-sni
mode http
option httplog
maxconn 2000

acl camera1 path_beg camera1
acl test-site1 hdr(host) -i test-site1.example.com
acl monitor hdr(host) -i monitor.example.com

acl test-site2 hdr(host) -i test-site2.example.com

use_backend camera-test-1 if test-site1 camera1
use_backend monitor-test if monitor
use_backend default-test-1 if test-site1

use_backend default-test-2 if test-site2

Like I said it needs to be acl camera1 path_beg /camera1

Hi again,

I have tried it this morning, but still get the same problem.

frontend view-test
bind *:443 ssl crt /etc/haproxy/certs/ strict-sni
mode http
option httplog
maxconn 2000
acl camera1 path_beg /camera1
acl test-site1 hdr(host) -i test-site1.example.com
acl monitor hdr(host) -i monitor.example.com
acl test-site2 hdr(host) -i test-site2.example.com

use_backend camera-test-1 if test-site1 camera1
use_backend monitor-test if monitor
use_backend default-test-1 if test-site1
use_backend default-test-2 if test-site2

Ok, then provide the full, actual configuration and the haproxy httplog entry showing the request that does not work as expected.

Here is the full configuration:

global
log 127.0.0.2 local0
log 127.0.0.1 local1 notice
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
stats socket /var/lib/haproxy/stats
stats socket *:1999 level admin
stats socket /var/run/haproxy.sock mode 600 level admin
server-state-file /etc/haproxy/haproxy.state

defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000

listen stats
bind *:8085
http-request use-service prometheus-exporter if { path /metrics }
stats enable
stats uri /stats
stats realm HAProxy-04\ Statistics
stats auth admin:password
stats admin if TRUE

backend per_ip_and_url_rates
stick-table type binary len 8 size 1m expire 24h store http_req_rate(24h)

backend per_ip_rates
stick-table type ip size 1m expire 24h store gpc0,gpc0_rate(30s)

backend camera-test-site
mode http
balance roundrobin
option tcp-check
option forwardfor if-none

server 192.168.4.11 192.168.4.11:50085 maxconn 200   

backend admin-test-site
mode http
balance roundrobin
option tcp-check
option forwardfor if-none

server 192.168.4.11 192.168.4.11:1024 maxconn 200 

backend statusmonitor
mode http
balance roundrobin
option forwardfor if-none

server 192.168.4.90 192.168.4.90:80 check port 80 maxconn 200   

backend nattuggla-test-site
mode http
balance roundrobin

server 192.168.4.12 192.168.4.12:8080 check port 8080 maxconn 200   

frontend port443-admin-camera-nattuggla
bind *:443 ssl crt /etc/haproxy/certs/ strict-sni
mode http
maxconn 2000

acl test-site path_beg /test-site
acl admin hdr(host) -i admin.zafe.se
acl ipcamera hdr(host) -i ipcamera.zafe.se
acl nattuggla hdr(host) -i nattuggla.zafe.se
acl statusmonitor hdr(host) -i statusmonitor.zafe.se

use_backend admin-test-site if admin test-site
use_backend camera-test-site if ipcamera test-site
use_backend nattuggla-test-site if nattuggla test-site
use_backend statusmonitor if statusmonitor

I'm not sure which log it is; is it the access, status or error log?

The log that goes to your syslog and shows the request along with the routing information.
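To make the reply concrete, here is an added example (not part of the thread and not HAProxy's own tooling) that parses lines in the format produced by `option httplog` and picks out the requests that reached no backend server. The two log lines are constructed for the example; the frontend and backend names are taken from the configuration posted above, and the lines assume `log global` and `option httplog` are in effect as in the `defaults` section.

```python
import re
from typing import Optional

# Constructed sample lines in HAProxy's "option httplog" format (not taken from
# the thread). A "~" after the frontend name marks an SSL connection. When no
# use_backend rule matches and there is no default_backend, HAProxy logs the
# frontend name in the backend column, "<NOSRV>" as the server and a 503.
SAMPLE_LOG = """\
Jan 10 09:12:01 haproxy-04 haproxy[1234]: 192.168.4.50:51234 [10/Jan/2023:09:12:01.123] port443-admin-camera-nattuggla~ admin-test-site/192.168.4.11 0/0/1/12/13 200 5120 - - ---- 2/2/0/0/0 0/0 "GET /test-site HTTP/1.1"
Jan 10 09:12:01 haproxy-04 haproxy[1234]: 192.168.4.50:51234 [10/Jan/2023:09:12:01.301] port443-admin-camera-nattuggla~ port443-admin-camera-nattuggla/<NOSRV> 0/-1/-1/-1/0 503 213 - - SC-- 2/2/0/0/0 0/0 "GET /static/app.css HTTP/1.1"
"""

# Field order of the httplog format: client, accept date, frontend, backend/server,
# timers, status, bytes, request cookie, response cookie, termination state,
# connection counters, queue counters, optional captured headers, request line.
HTTPLOG_RE = re.compile(
    r'haproxy\[\d+\]: (?P<client>\S+) \[(?P<ts>[^\]]+)\] '
    r'(?P<frontend>\S+?)~? (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<timers>\S+) (?P<status>\d{3}) (?P<bytes>\d+) \S+ \S+ (?P<tsc>\S{4}) '
    r'\S+ \S+ (?:\{[^}]*\} )*"(?P<method>\S+) (?P<uri>\S+) (?P<version>[^"]+)"'
)


def parse_httplog(line: str) -> Optional[dict]:
    """Return the routing fields of one httplog line, or None if it is not one."""
    m = HTTPLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # "<NOSRV>" means the request never reached a server: no rule matched,
    # or the chosen backend had no usable server.
    rec["routed"] = rec["server"] != "<NOSRV>"
    return rec


def unrouted_requests(log: str) -> list:
    """(uri, status) for every request that was not handed to a backend server."""
    out = []
    for line in log.splitlines():
        rec = parse_httplog(line)
        if rec and not rec["routed"]:
            out.append((rec["uri"], rec["status"]))
    return out


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_httplog(line)
        print(rec["frontend"], rec["backend"], rec["server"], rec["status"], rec["uri"])
    print("unrouted:", unrouted_requests(SAMPLE_LOG))
```

The backend/server column is the part of the line the reply is asking for: it states which `use_backend` rule won for each request, which is the quickest way to separate "haproxy routed it elsewhere" from "haproxy routed it correctly and the application misbehaved".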

Hmm okay, I don't know if I have that enabled; I can only find the access, status and error logs.

But one problem seems to be that when I try admin.zafe.se/test-site the webpage doesn't load the stylesheet/CSS. The page is just white.

So it does actually route you to the correct backend server, but you see a white page?

Is that what you mean when you are saying it doesn’t work?

In this case, likely your backend application doesn’t know that it actually has a /test-site/ prefix, and therefore points to wrong absolute URLs.

It's been the problem since you helped me with the hdr(host) part. Before, it didn't route at all.

But I will look into the web application, because it works fine when I change and use the URL without /test-site/.

Thank you for the help!


Hmm, the application can't understand the prefix, so the one I talked to asked about rewriting the URLs in haproxy?

That is not possible because it would require rewriting the links in the HTTP body, which haproxy cannot do. Haproxy can rewrite the URL but that is not enough here.

If the application can’t do anything about different paths, then you need to drop the idea of using a different path and use a dedicated hostname instead.
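The three points made in this thread (the missing `/` in `path_beg`, the docs' caution against `ssl_fc_sni` as a stand-in for the Host header, and the prefix-unaware application) are easy to see in a small model of HAProxy's `acl` / `use_backend` evaluation. The following is an added example, not HAProxy code and not something from the thread: it reimplements just enough of `path_beg`, `hdr(host) -i` and `ssl_fc_sni -i` semantics in Python to run the thread's own rule sets over constructed requests. Hostnames and backend names are the ones posted above; the requests and the HTML snippet are constructed.

```python
"""Model of the thread's routing rules (added example, not HAProxy code).
Shows why `path_beg camera1` never matches, why per-request routing must key on
the Host header rather than the connection's SNI, and why an application that
does not know its /test-site prefix produces a blank page."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    sni: str   # server name from the TLS ClientHello: fixed for the whole connection
    host: str  # HTTP Host header: carried by every request on that connection
    path: str


Acl = Callable[[Request], bool]


def path_beg(prefix: str) -> Acl:
    # path_beg: the request path must start with the pattern. A path always
    # begins with "/", so a pattern without it can never match.
    return lambda r: r.path.startswith(prefix)


def hdr_host(name: str) -> Acl:
    # hdr(host) -i: case-insensitive match on the Host header
    return lambda r: r.host.lower() == name.lower()


def ssl_fc_sni(name: str) -> Acl:
    # ssl_fc_sni -i: case-insensitive match on the connection's SNI
    return lambda r: r.sni.lower() == name.lower()


@dataclass
class Frontend:
    acls: Dict[str, Acl]
    rules: List[Tuple[str, List[str]]]  # use_backend <name> if <acl> <acl> ...


def route(fe: Frontend, req: Request) -> Optional[str]:
    """First matching use_backend wins. None stands for the 503 HAProxy returns
    when no rule matches and no default_backend is configured."""
    for backend, names in fe.rules:
        if all(fe.acls[n](req) for n in names):
            return backend
    return None


def example_frontend(host_acl: Callable[[str], Acl], camera_prefix: str) -> Frontend:
    # The first frontend posted in the thread, parameterised on the host key
    # (hdr_host or ssl_fc_sni) and on the path_beg pattern.
    return Frontend(
        acls={
            "camera1": path_beg(camera_prefix),
            "test-site1": host_acl("test-site1.example.com"),
            "monitor": host_acl("monitor.example.com"),
            "test-site2": host_acl("test-site2.example.com"),
        },
        rules=[
            ("camera-test-1", ["test-site1", "camera1"]),
            ("monitor-test", ["monitor"]),
            ("default-test-1", ["test-site1"]),
            ("default-test-2", ["test-site2"]),
        ],
    )


def missing_slash() -> Tuple[Optional[str], Optional[str]]:
    """The same request through `path_beg camera1` and `path_beg /camera1`."""
    req = Request("test-site1.example.com", "test-site1.example.com", "/camera1/live")
    return (route(example_frontend(hdr_host, "camera1"), req),
            route(example_frontend(hdr_host, "/camera1"), req))


def sni_vs_host() -> Tuple[Optional[str], Optional[str]]:
    """A keep-alive connection opened with SNI test-site1 later carries a
    request whose Host header says test-site2. SNI-keyed rules still send it to
    site 1's backend; Host-keyed rules route the request where it belongs."""
    req = Request("test-site1.example.com", "test-site2.example.com", "/")
    return (route(example_frontend(ssl_fc_sni, "/camera1"), req),
            route(example_frontend(hdr_host, "/camera1"), req))


def prefix_unaware_app() -> Dict[str, Optional[str]]:
    """admin.zafe.se is only routed under /test-site (full config above). The
    application answers with an absolute stylesheet link that lacks the prefix,
    so the browser's follow-up request matches no use_backend rule."""
    fe = Frontend(
        acls={"test-site": path_beg("/test-site"), "admin": hdr_host("admin.zafe.se")},
        rules=[("admin-test-site", ["admin", "test-site"])],
    )
    page_html = '<link rel="stylesheet" href="/static/app.css">'  # constructed response body
    results = {"/test-site": route(fe, Request("admin.zafe.se", "admin.zafe.se", "/test-site"))}
    for asset in re.findall(r'href="([^"]+)"', page_html):
        results[asset] = route(fe, Request("admin.zafe.se", "admin.zafe.se", asset))
    return results


if __name__ == "__main__":
    print("path_beg camera1 vs /camera1:", missing_slash())
    print("ssl_fc_sni vs hdr(host):", sni_vs_host())
    print("prefix-unaware app:", prefix_unaware_app())
```

`sni_vs_host` is the concrete form of the documentation's caution: the SNI is a property of the TLS connection, while in HTTP mode HAProxy routes each request on that connection separately by its Host header, so keying on `ssl_fc_sni` can deliver a request for one site to another site's backend. `prefix_unaware_app` shows why the reply above says URL rewriting in haproxy is not enough: the page itself is routed, but the links the application emits in its body are outside the `/test-site` ACL, and haproxy does not rewrite the body.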