Choose backend based on hdr_beg(host) in https termination block


#1

I use haproxy (1.8.4) to terminate SSL and then send clients to backend servers based on ALPN negotiation. I’ve recently added Solr to the mix, and would rather have it sit behind SSL, but I’m pretty sure I can not use hdr_beg in https, because I’m effectively in tcp mode. I can easily configure it like Let’s Encrypt in http mode. Mostly I’m just curious if there is a way to make this work.

Thanks!
Relevant portions of the config:

  frontend http
    mode http
    bind 0.0.0.0:80

    #if this is a LE Request send it to a server on this host for renewals
    acl letsencrypt-request path_beg -i /.well-known/acme-challenge/
    redirect scheme https code 301 unless letsencrypt-request
    use_backend letsencrypt-backend if letsencrypt-request

  frontend https
    #mode tcp
    bind 0.0.0.0:443 ssl crt /etc/haproxy/certs alpn h2,http/1.1 ecdhe secp384r1
    timeout http-request 10s
    log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts \ %ac/%fc/%bc/%sc/%rc %sq/%bq SSL_version:%sslv SSL_cypher:%sslc SNI:%[ssl_fc_has_sni]"
    acl solr-request hdr_beg(host) -i solr.
    use_backend solr-backend if solr-request
    #send all HTTP/2 traffic to a specific backend
    use_backend http2-nodes if { ssl_fc_alpn -i h2 } !solr-request
    #send HTTP/1.1 and HTTP/1.0 to default, which don't speak HTTP/2
    default_backend http1-nodes

  backend solr-backend
    mode http
    server solr01 10.X.X.16:8983
    acl network_allowed src NN.NN.NN.NN

    http-request deny if !network_allowed

Ultimately this always gets sent to the H2 block.


#2

I pretty much know this is not possible, but if anyone has any trickery out there to do this in tcp mode… I’ll leave it up for fun. Solr is only available on the LAN, so HTTP is not a big deal. I’d rather not put nginx in front of what is a perfectly good web server for the little you need it for.


#3

I would suggest you match the SNI field instead. This is available from the SSL layer.

  acl solr-request ssl_fc_sni -m beg -i solr.

However, you have to make sure that the solr. certificates do not overlap with the other (h2) domains, because otherwise the browser will use the same TLS session for both Solr and non-Solr hosts, and since routing will be based on the SNI from the initial client_hello, routing will be messed up. But if your certificates don’t overlap between the h2 and Solr backends, then everything should work just fine.
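To make the two points of this reply concrete (routing on the SNI carried in the very first ClientHello, and the certificate-overlap hazard), here is an added Python example that is not part of this thread or of HAProxy: it builds a constructed ClientHello, pulls the server_name out of it the way a TLS-layer match sees it, applies the same `solr.` prefix / ALPN decision as the poster's rules, and checks whether one certificate's SANs cover two hostnames (the condition under which an HTTP/2 client may reuse a connection). Backend names and SAN lists are assumptions for illustration.

```python
import struct

def build_client_hello(server_name: str) -> bytes:
    """Constructed sample input: a minimal TLS ClientHello record with an SNI extension."""
    host = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list      # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32         # client_version + random
            + b"\x00"                          # empty session_id
            + b"\x00\x02\x13\x01"              # one cipher suite
            + b"\x01\x00"                      # null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body          # handshake type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs        # record type 22 = handshake

def extract_sni(record: bytes):
    """Return the SNI host name from a ClientHello record, or None if absent (like ssl_fc_sni)."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 9 + 2 + 32                                          # skip headers, version, random
    pos += 1 + record[pos]                                    # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]    # cipher_suites
    pos += 1 + record[pos]                                    # compression_methods
    if pos + 2 > len(record):
        return None                                           # no extensions at all
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0:                                        # list_len(2) name_type(1) name_len(2) name
            nlen = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + nlen].decode("idna")
        pos += elen
    return None

def choose_backend(record: bytes, alpn: str = "http/1.1") -> str:
    """Same decision as the thread's rules: 'ssl_fc_sni -m beg -i solr.' first, then ALPN h2."""
    sni = extract_sni(record) or ""
    if sni.lower().startswith("solr."):
        return "solr-backend"
    return "http2-nodes" if alpn == "h2" else "http1-nodes"

def same_cert_covers(sans, host_a: str, host_b: str) -> bool:
    """Overlap check: True when one certificate's SANs match both names (exact or one-label wildcard),
    which is when a browser may coalesce both onto the connection opened with the first SNI."""
    def covered(h):
        return any(h == s or (s.startswith("*.") and "." in h and h.split(".", 1)[1] == s[2:])
                   for s in sans)
    return covered(host_a) and covered(host_b)
```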


#4

Great, thanks Lukas! I can ensure they don’t overlap by giving an FQDN, that works well with HTTP/1.1, so the next question (for me) is can I get the embedded Jetty to use h2; the version supports it, but since it’s embedded, I have more research to do.

Thanks for the tip, I didn’t know about that one.