Default server/backend for requests that do not match ACLs


#1

Hi

I’m hosting different web-based services on the same machine and
using haproxy as a reverse proxy, so based on the request hostname I
forward the request into different services on different ports.
bck01.myhost.local -> myhost.local:8081
bck02.myhost.local -> myhost.local:8082
etc

Which works correctly, but the ‘myhost.local:8081’ URL is not available from the outside world.
Only the urls that match the current ACL rules

How could I make those available?

current configuration:

frontend http-in
    bind *:80
    acl is_bck01 hdr_end(host) -i bck01.myhost.local
    use_backend bck01 if is_bck01

backend bck01
    balance roundrobin
    option httpclose
    option forwardfor
    server s2 127.0.0.1:8081 maxconn 32 check

Regards:
Bence


#2

Use the default_backend keyword.


#3

You mean using that in ‘frontend http-in’ section or ‘defaults’ section?
The frontend is bound to the 80 port so what will happen with 80xx ports?

What about the ‘default_server’ keyword?


#4

OK, I checked what you suggested but it does not work.
For requests like ‘myhost.local:8081’ only timeout occurs.

Actual code:

frontend http-in
    bind *:80
    acl is_bck01 hdr_end(host) -i bck01.myhost.local
    use_backend bck01 if is_bck01
    ...
    default_backend other
backend bck01
    balance roundrobin
    option httpclose
    option forwardfor
    server s2 127.0.0.1:8081 maxconn 32 check
    ...
backend other
    server local 127.0.0.1

So what’s wrong?


#5

You missed the port, it should be 8081 right? So:

backend other
    server local 127.0.0.1:8081

#6

:)

There is a slight misunderstanding: I would like to access all the backends on both kinds of urls: bck01.myhost.local and myhost.local:8081

In other words: why are the original ports (8081-8xxx) not accessible from the outside world, and how can I make them accessible?
I would need a solution for every port or at least a port range (e.g. from 8081 to 8200).


#7

Haproxy is doing exactly what you configured it to do.

I cannot possibly tell you why your “original” backends ports don’t respond “from the outside world”, it has nothing to do with haproxy.


#8

I see, then it’s not a haproxy issue.

So haproxy will only listen to

frontend http-in
    bind *:80

and

listen stats *:9000

and does not affect other ports.

Thanks. Then I will check what else is behind this issue…


#9

Right you are :)

ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:websm

REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

It was my fault… 80 and 9090 were enabled explicitly but everything else was rejected.
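
The rule listing in post #9 is evaluated top to bottom and the first matching rule wins, which is why a connection to 8081 never reaches the service behind it. The sketch below is an added example, not part of the thread: it replays that first-match logic over `iptables -L` style lines. `SERVICES`, `parse_rule` and `verdict` are hypothetical names, both listings are constructed (the second adds a range rule for the 8081 to 8200 range mentioned in post #6), and only protocol and destination-port matches are modelled.

```python
import re

# Service names as `iptables -L` prints them without -n (assumed subset).
SERVICES = {"http": 80, "https": 443, "websm": 9090}
RULE_RE = re.compile(r"^(?P<target>[A-Z]+)\s+(?P<prot>\S+)\s+--\s+\S+\s+\S+\s*(?P<extra>.*)$")
DPT_RE = re.compile(r"\bdpts?:(\S+)")
# Constructed from the three rule lines quoted in post #9.
CURRENT = """\
ACCEPT     tcp  --  anywhere   anywhere   tcp dpt:http
ACCEPT     tcp  --  anywhere   anywhere   tcp dpt:websm
REJECT     all  --  anywhere   anywhere   reject-with icmp-host-prohibited
"""
# Constructed: the same chain with a port-range rule ahead of the REJECT.
WITH_RANGE = """\
ACCEPT     tcp  --  anywhere   anywhere   tcp dpt:http
ACCEPT     tcp  --  anywhere   anywhere   tcp dpt:websm
ACCEPT     tcp  --  anywhere   anywhere   tcp dpts:8081:8200
REJECT     all  --  anywhere   anywhere   reject-with icmp-host-prohibited
"""


def parse_rule(line):
    """Return (target, prot, low_port, high_port), or None for non-rule lines."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None  # chain header, column header or blank line
    lo, hi = 0, 65535  # a rule without dpt/dpts covers every port
    d = DPT_RE.search(m["extra"])
    if d:
        # dpt:NAME, dpt:PORT or dpts:LOW:HIGH; unknown names raise ValueError
        ends = [SERVICES[p] if p in SERVICES else int(p) for p in d.group(1).split(":")]
        lo, hi = ends[0], ends[-1]
    return m["target"], m["prot"], lo, hi


def verdict(listing, port, policy="ACCEPT"):
    """First-match verdict for a new inbound TCP connection to `port`."""
    for line in listing.splitlines():
        rule = parse_rule(line)
        if rule is None or rule[0] not in ("ACCEPT", "REJECT", "DROP"):
            continue  # skip headers and non-terminating targets such as LOG
        target, prot, lo, hi = rule
        if prot in ("tcp", "all") and lo <= port <= hi:
            return target
    return policy  # nothing matched: the chain policy applies


if __name__ == "__main__":
    for p in (80, 9090, 8081, 8201):
        print(p, verdict(CURRENT, p), verdict(WITH_RANGE, p))
```
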