I need HAProxy to respond with a deny whenever the end user types the HAProxy VIP into the browser. What is happening instead is that the end user is presented with the first ACL in the list, thus getting the wrong SSL cert, etc. This is very similar to "Do not allow visits on haproxy IP address - Server Fault", but that solution does not appear to be working for HTTPS.
Here is the config I'm testing:

frontend front_https
    bind *:443 ssl crt /etc/haproxy/certs/
    option forwardfor except 127.0.0.0/8
    # ACLs
    use_backend backend_api if { hdr(host) -i api-test.neatodomain.lan }
    use_backend backend_anotherapi if { hdr(host) -i anotherapi-test.neatodomain.lan }
    # All other map to default
    default_backend backend_default

# default backend
backend backend_default
    http-request deny deny_status 403

# api-test.neatodomain.lan
backend backend_api
    server api-01 api1-test.neatodomain.lan:443 ssl verify none sni str(api-test.neatodomain.lan) check-sni api-test.neatodomain.lan check
    server api-02 api2-test.neatodomain.lan:443 ssl verify none sni str(api-test.neatodomain.lan) check-sni api-test.neatodomain.lan check backup

# anotherapi-test.neatodomain.lan
backend backend_anotherapi
    server anotherapi-01 anotherapi1-test.neatodomain.lan:443 ssl verify none sni str(anotherapi-test.neatodomain.lan) check-sni anotherapi-test.neatodomain.lan check
    server anotherapi-02 anotherapi2-test.neatodomain.lan:443 ssl verify none sni str(anotherapi-test.neatodomain.lan) check-sni anotherapi-test.neatodomain.lan check backup
Normal access to https://api-test.neatodomain.lan and https://anotherapi-test.neatodomain.lan works as expected: HAProxy presents the proper SSL cert and Apache displays the proper API page. The issue comes when the user visits https://10.10.10.10, which is the VIP for HAProxy. Instead of getting the deny_status 403, the end user gets the browser warning for a bad SSL domain, and the cert being presented is the one for api-test.neatodomain.lan.
What is the proper config to get the default_backend to respond?
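The certificate is chosen during the TLS handshake, before any Host header exists, so a deny in the default backend can only affect the HTTP response, never which cert is offered; HAProxy serves the first certificate it loaded to clients that send no SNI, which is what a browser does for an IP address. The following frontend, an added example and not the poster's config, puts a dedicated placeholder cert first so the API cert is never offered to such clients, and denies at the frontend when no SNI was sent or the Host is not one of the published names. The file name default-placeholder.pem is an assumption; any self-signed cert will do.

```haproxy
frontend front_https
    # The first crt loaded is HAProxy's default for clients without SNI
    # (e.g. https://10.10.10.10). default-placeholder.pem is an assumed
    # file name for a self-signed cert that is not tied to any API host.
    bind *:443 ssl crt /etc/haproxy/certs/default-placeholder.pem crt /etc/haproxy/certs/
    option forwardfor except 127.0.0.0/8

    # Published names; anything else gets the 403 below.
    acl known_host hdr(host) -i api-test.neatodomain.lan anotherapi-test.neatodomain.lan

    # Deny before routing: no SNI (IP literal in the address bar) or an
    # unknown Host header never reaches an API backend.
    http-request deny deny_status 403 if !{ ssl_fc_has_sni } || !known_host

    use_backend backend_api if { hdr(host) -i api-test.neatodomain.lan }
    use_backend backend_anotherapi if { hdr(host) -i anotherapi-test.neatodomain.lan }
    default_backend backend_default
```

The browser still warns about the placeholder cert when visiting the bare VIP (no cert can be valid for it unless issued for the IP), but the API certificate is no longer exposed and the response is the 403, not an API page.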