Just a question I have been struggling with for a while; how can I get arbitrary TCP protocols (have been testing with SSH) over HAProxy, while also servicing HTTP requests on the same port. I am using the following configuration on a test machine:
frontend one bind :443 #ssl crt cert.pem (the implementation will include SSL wrapping, but removed for debugging this issue) mode tcp option tcplog tcp-request inspect-delay 5s tcp-request content accept #if HTTP use_backend http_backend if HTTP use_backend tcp_backend if !HTTP backend tcp_backend mode tcp server tcp_server localhost:22 #SSH for debugging backend http_backend mode http server http_server localhost:8080
If I run with the above configuration, then all traffic is diverted to tcp_backend (rather than just non-HTTP), and if I add the ‘if HTTP’ (commented out currently), then HTTP works okay, but any SSH connections are returned a 400 error code (Bad Request) from HAProxy because it is presumably expecting HTTP.
I can get this set up to work (with SSH) if I include an ACL looking for the magic bytes at the beginning of the request (as described in http://blog.chmd.fr/ssh-over-ssl-episode-4-a-haproxy-based-configuration.html), however this requires me to change the config every time I want to change what is proxying through tcp_backend, and seems impossible for instances where the protocol will not have a magic string.
I have tried a whole bunch of combinations for the config file, but none have worked as I would like.
Any advice on if the requirement is possible would be appreciated, or suggestions on how it might be implemented.
Edit: Tested on HAProxy 1.6.3.