Allow only specific path url with 443/cert

I was searching the whole day already for how to make this work but have not found any solution.
I have an environment where HAProxy has a URL that uses a certificate on nginx on the backend server, so the connection goes: internet > haproxyurl:443 > nginx & cert. What I need is to set up, with mode tcp (as http/80 is redirected to https), allow/deny for the suffix paths.
So let's say my frontend looks like that:
frontend tcp-in-443
bind interface eth0
mode tcp
#option tcplog
maxconn 500
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
default_backend no_ssl

use_backend if { req_ssl_sni -i }

mode tcp
option tcplog
server default check

What I need is that if someone sends a request to open it, he gets a 404 or a redirection; the ONLY path that can be accessible is * and not or some /blah.
How can I achieve that? In frontend ACLs + use_backend? I was trying that but it was not working, or maybe I did the config wrong…

Edit: also, this web should be ALL visible from the internal LAN, which goes to nginx directly, so the idea is to block it only from the internet.

You cannot review/reject/redirect anything on port 443 unless you are actually decrypting it (certificate on HAProxy), because the payload is encrypted otherwise.

On port 80, you can do what you want, use ACL rules to redirect as you please.

Can't I do something like this but with /paths? So the first request that someone makes from outside will allow him to get to the URL, and if he puts , HAProxy will reject it.

acl is_host_com hdr(Host) -i
tcp-request inspect-delay 30s
tcp-request content accept if is_host_com
tcp-request content reject

So let's say that I can put a wildcard cert on HAProxy; then it's possible to decrypt and allow/reject the flow to a particular path?

No, because it is encrypted.


Something like that?

bind ssl crt /etc/ssl/certs/wildcard.pem
mode tcp
option tcplog
maxconn 500
tcp-request inspect-delay 5s

mode http
cookie SERVERID insert indirect nocache
option forwardfor
server default check

and with some

acl path_ok path_beg /test
http-request deny unless path_ok

You also need mode http in the frontend, and you need to add “ssl verify none” on the backend server, which enables SSL encryption to the backend and disables certificate verification (insecure; configure it properly with SSL certificate validation in production).

About the only differentiator you have at the SSL layer is the SNI (server name identification) which is an extension where the client sends that in their request. The information about what path they want doesn’t exist until after the SSL handshake takes place. (SSL first then HTTP)

So either the data needs to be decrypted by performing the SSL handshake on the HAProxy device, or you only act on the server name alone. I'd suggest what lukastribus says, and that's to move your cert and key over to the HAProxy device. Let it handle the SSL handshake and then allow or reject as needed from there.

You can even do some interesting mapping of hostnames and such to different backends like one user did over here: How does the SNI Routing works in HAProxy • ME2Digital
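Putting the two answers together, here is an added example configuration (not posted by anyone in this thread) that terminates TLS on HAProxy so the path is visible, answers 404 for everything outside one allowed prefix, and re-encrypts to nginx with the backend certificate actually verified instead of "ssl verify none". The certificate path, the /test prefix, the backend address and the CA file are placeholder assumptions.

```haproxy
# Added example, not from the thread. Placeholders: wildcard cert+key bundle at
# /etc/ssl/certs/wildcard.pem, allowed prefix /test, nginx at 10.0.0.10:443
# presenting a cert signed by the CA in /etc/ssl/certs/internal-ca.pem.
global
    log /dev/log local0

defaults
    log     global
    mode    http
    option  httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain HTTP: send everything to HTTPS before any path decision is made.
frontend http-in-80
    bind *:80
    http-request redirect scheme https code 301

# TLS is terminated here, so HAProxy can see and filter the HTTP path.
frontend https-in-443
    bind *:443 ssl crt /etc/ssl/certs/wildcard.pem
    maxconn 500
    acl path_ok path_beg -i /test
    # Requests outside the allowed prefix get a 404 and never reach nginx.
    http-request deny deny_status 404 unless path_ok
    default_backend nginx-ssl

# Re-encrypt towards nginx and verify its certificate against the internal CA,
# so a host between HAProxy and nginx cannot impersonate the backend.
backend nginx-ssl
    option forwardfor
    cookie SERVERID insert indirect nocache
    server nginx1 10.0.0.10:443 check ssl verify required ca-file /etc/ssl/certs/internal-ca.pem cookie nginx1
```

Because the LAN reaches nginx directly and bypasses HAProxy, this filtering only applies to traffic arriving from the internet, which is the behaviour the question asks for.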