ACLs not recognizing TCP traffic

Hello, hopefully I am making a simple error, but I cannot get ACLs to work with the Frontend in TCP mode. I receive a 502 error when I add the ACL and no traffic gets redirected to the Backend.

I am working off the documentation here: https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#7.3.5-req.ssl_sni

OS is RedHat Hardened AMI in AWS. The server is behind a public load-balancer. HAProxy version 1.8.15.

I have set the default_backend of the Frontend to several different servers and gotten it to resolve, so I believe my Backend configuration is correct. Here is my config:

global
    log 127.0.0.1 local0
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon
    stats socket /var/lib/haproxy/stats

defaults
    mode                    tcp
    log                     global
    option                  tcplog
    option                  dontlognull
    option http-server-close
    retries                 100
    timeout http-request    30s
    timeout queue           1m
    timeout connect         30s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 1000s
    timeout check           30s

frontend test
    bind *:80
    bind *:443
    mode tcp
    #default_backend test2.domain2
	
    tcp-request inspect-delay 10s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend test1.domain1 if { req.ssl_sni -m end domain1 }

backend test1.domain1
  mode tcp
  option ssl-hello-chk
  server test1.domain1 123.123.123.123:443
  
backend test2.domain2
  mode tcp
  option ssl-hello-chk
  server test2.domain2 hostname.domain.com:443

Log results

Jul  9 17:44:42 localhost haproxy[14846]: 192.168.13.130:32222 [09/Jul/2019:17:44:42.610] test test/<NOSRV> -1/-1/0 0 SC 2/2/0/0/0 0/0
Jul  9 17:44:42 localhost haproxy[14846]: 192.168.13.130:32224 [09/Jul/2019:17:44:42.610] test test/<NOSRV> -1/-1/0 0 SC 1/1/0/0/0 0/0
Jul  9 17:44:48 localhost haproxy[14846]: 192.168.49.111:49208 [09/Jul/2019:17:44:48.618] test test/<NOSRV> -1/-1/0 0 SC 2/2/0/0/0 0/0
Jul  9 17:44:48 localhost haproxy[14846]: 192.168.49.111:49210 [09/Jul/2019:17:44:48.618] test test/<NOSRV> -1/-1/0 0 SC 1/1/0/0/0 0/0
...

Well, the ACL is trying to match SNI, so, your traffic needs to:

  • be SSL traffic (not plaintext, so your port 80 bind statement is certainly useless - it’s also wrong for another reason: you can connect a port 80 frontend to a port 443 backend without intervening on the SSL layer)
  • the client hello needs to have an SNI value present, and that value needs to end with domain1

If all those things are in fact happening, it should work.

Thank you for the response.

I’ve removed the port 80 bind statement; it had been used for earlier testing. Thanks for pointing that out.
I’ve analyzed the request with Wireshark from the client and I see the client hello has the correct SNI value (Server Name under Server Name Indication extension matches).

Do you know of another way to debug this? When the default is set all traffic routes there fine.

I suggest you:

  • provide the output of haproxy -vv
  • provide the output of a curl -vv ... trace showing the error
  • provide the actual configuration
  • provide the actual wireshark trace that shows the SNI value
  • make sure you are capturing the traffic on the haproxy box.
  • confirm that you are really running this configuration - sometimes old haproxy processes keep running in the background, responding to requests with old configurations

The example configuration is fine. Likely the actual configuration is not. If you want to keep the data private, send it to me via PM.
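As an added example (not code from this thread or from HAProxy), here is a small parser that applies the same two checks as the frontend above, `req_ssl_hello_type 1` and `req.ssl_sni -m end domain1`, to the first client-to-server bytes of a connection. Run it on a payload captured on the HAProxy box itself to see what the fetches would observe; `build_client_hello` only constructs sample ClientHello records for testing.

```python
import struct

def parse_client_hello(data: bytes):
    """Return (handshake_type, sni) from raw TLS record bytes; sni is None if absent."""
    # TLS record header: content type (0x16 = handshake), version, length
    if len(data) < 5 or data[0] != 0x16:
        return None, None          # not a TLS handshake record (e.g. plaintext HTTP)
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    hs_type = body[0]              # 1 = ClientHello, what req_ssl_hello_type returns
    if hs_type != 1:
        return hs_type, None
    p = 4 + 2 + 32                 # skip handshake header, client version, random
    p += 1 + body[p]               # session id
    p += 2 + struct.unpack("!H", body[p:p + 2])[0]   # cipher suites
    p += 1 + body[p]               # compression methods
    if p + 2 > len(body):
        return hs_type, None       # no extensions block, so no SNI
    ext_end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[p:p + 4])
        p += 4
        if ext_type == 0:          # server_name extension
            # list length (2), name type (1), name length (2), host name
            name_len = struct.unpack("!H", body[p + 3:p + 5])[0]
            return hs_type, body[p + 5:p + 5 + name_len].decode("ascii")
        p += ext_len
    return hs_type, None

def acl_matches(data: bytes, suffix: str = "domain1") -> bool:
    """Same decision as the tcp-request accept plus use_backend lines in the thread."""
    hs_type, sni = parse_client_hello(data)
    return hs_type == 1 and sni is not None and sni.endswith(suffix)

def build_client_hello(sni=None) -> bytes:
    """Constructed sample ClientHello (TLS 1.2 framing, one cipher suite), for testing."""
    ext = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name type 0 = host_name
        sn = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(sn)) + sn
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"      # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"      # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 + 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

A hello without SNI, or plaintext HTTP on the port 80 bind, fails `acl_matches` exactly as the ACL does, which is why those connections end up with no backend (<NOSRV>) when no default_backend is set.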