Default backend weirdness?


#1

Hey, I’ve been using HAProxy for a while now, moving from Nginx proxies. It’s awesome!

I have been using it as a standard https proxy but I’m now attempting to pass my RDS gateway through it also (as I only have one home WAN IP).

My config is here: https://pastebin.com/AmBBE2CY so at the moment the RDS gateway does work, but when I attempt to add another backend, it is still defaulting to the ssl_sp backend. However, the weird one is that when I remove that default_backend vars on the front-end, nothing works.

So I’m guessing that the req_ssl_sni element isn’t working correctly, although running an openssl checker, as well as the haproxy -f /etc/haproxy/haproxy.cfg -V -d command, I’m not seeing anything come through, except:

00000000:ssl_relay.accept(0007)=000a from [redacted:63249] ALPN=<none>

So for example, I’d like to add this to the frontend:

use_backend ssl_rd if { req_ssl_sni -i zabbix.domain.cloud }

and this to the backend:

backend zabbix
redirect scheme https if !{ ssl_fc }
server zabbix.domain.cloud 10.50.3.11:443 ssl verify none check

I have looked at other topics but I don’t seem to be able to resolve this with my scenario. If anyone can offer any advice that would be great.


#2

frontend ssl_relay terminates SSL. Therefore what you are attempting below doesn’t work, you don’t need tcp-request and you need to replace req_ssl_sni with ssl_fc_sni.

Also, whatever you are trying to do with SSL in the backend, like matching the session ID, will not work, because there is no SSL left here. You already stripped and terminated SSL in your frontend.
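
The distinction drawn in reply #2, as an added configuration example that is not part of the thread or of the poster's pastebin config: variant A relays TLS untouched and routes on req_ssl_sni, variant B terminates TLS in the frontend and routes on ssl_fc_sni. The backend names ending in _tcp, the certificate path and the 192.0.2.10 address are assumptions.

```haproxy
# Added example. Use variant A or variant B on a given bind address, not both.

# Variant A: TLS passthrough. HAProxy does not decrypt, so the only routing
# information it can read is the SNI in the ClientHello (req_ssl_sni).
frontend ssl_relay_passthrough
    mode tcp
    bind :443                                   # no "ssl" keyword here
    tcp-request inspect-delay 5s                # wait for the ClientHello
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend zabbix_tcp if { req_ssl_sni -i zabbix.domain.cloud }
    default_backend ssl_sp_tcp

backend zabbix_tcp
    mode tcp
    server zabbix 10.50.3.11:443 check          # no "ssl": bytes are relayed as-is

backend ssl_sp_tcp
    mode tcp
    server sp 192.0.2.10:443 check              # placeholder address

# Variant B: TLS terminated in the frontend ("ssl crt" on the bind line).
# req_ssl_sni does not match here because HAProxy itself consumes the
# handshake, so every request falls through to default_backend.
# ssl_fc_sni returns the SNI of the connection HAProxy decrypted.
frontend ssl_relay
    mode http
    bind :443 ssl crt /etc/haproxy/certs/site.pem   # hypothetical path
    use_backend zabbix if { ssl_fc_sni -i zabbix.domain.cloud }
    default_backend ssl_sp

backend zabbix
    mode http
    # HAProxy opens a new TLS session to the server; "verify none" (as in the
    # original post) skips certificate validation on that hop.
    server zabbix.domain.cloud 10.50.3.11:443 ssl verify none check

backend ssl_sp
    mode http
    server sp 192.0.2.10:443 ssl verify none check  # placeholder address
```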


#3

Hey thanks for your input.

The weird thing is the RDS gateway is working perfectly.

The second backend (zabbix in this case) when curling, will sometimes go to the IIS holding page, for the ssl_sp backend, but other times go to the zabbix backend. I cannot replicate this in the browser though.


#4

I have actually removed the RDS from the HAProxy backend, and it’s still serving the IIS page.
So I think maybe my issue isn’t necessarily with HAProxy which is REALLY weird!