Default backend weirdness?

dsgnr · August 4, 2018, 7:09am

Hey, I’ve been using HAProxy for a while now, moving from Nginx proxies. It’s awesome!

I have been using it as a standard https proxy but I’m now attempting to pass my RDS gateway through it also (as I only have one home WAN IP).

My config is here: https://pastebin.com/AmBBE2CY so at the moment the RDS gateway does work, but when I attempt to add another backend, it is still defaulting to the ssl_sp backend. However, the weird one is that when I remove that default_backend vars on the front-end, nothing works.

So i’m guessing that the req_ssl_sni element isn’t working correctly, although running an openssl checker, as well as the haproxy -f /etc/haproxy/haproxy.cfg -V -d command, i’m not seeing anything come through, except:

00000000:ssl_relay.accept(0007)=000a from [redacted:63249] ALPN=<none>

So for example, I’d like to add this to the frontend:

use_backend ssl_rd if { req_ssl_sni -i zabbix.domain.cloud }

and this to the backend:

backend zabbix
redirect scheme https if !{ ssl_fc }
server zabbix.domain.cloud 10.50.3.11:443 ssl verify none check

I have looked at other topics but I don’t seem to be able to resolve this with my scenario. If anyone can offer any advise that would be great.

lukastribus · August 4, 2018, 10:03am

frontend ssl_relay terminates SSL. Therefor what you are attempting below doesn’t work, you don’t need tcp-request and you need to replace req_ssl_sni with ssl_fc_sni.

Also, whatever you are trying to do with SSL in the backend, like matching the session ID, will not work, because there is no SSL left here. You already stripped and terminated SSL in your frontend.

dsgnr · August 4, 2018, 1:22pm

Hey thanks for your input.

The weird thing is the RDS gateway is working perfectly.

the second backend (zabbix in this case) when curling, will sometimes go to the IIS holding page, for the ssl_sp backend, but othertimes go to the zabbix backend. I can not replicate this in the browser though.

dsgnr · August 4, 2018, 1:40pm

I have actually removed the RDS from the HAProxy backend, and it’s still serving the IIS page.
So i think maybe my issue isn’t necessarily with HAProxy which is REALLY weird!

Topic		Replies	Views
Challenges proxying to RDS gateway Help!	5	3403	September 19, 2023
HTTPS SNI on non-standard port not sending to correct backend Help!	2	2147	March 24, 2017
HTTPS frontend for exchange and other services Help!	3	850	June 5, 2021
Backend using https on different port Help!	5	5652	November 9, 2018
[SOLVED] One IP, fistful of domains, pack of subdomains and HAProxy in front of it Help!	12	2884	November 4, 2018

Default backend weirdness?

Related topics