Haproxy passthrough to nginx

Hi all,

I have haproxy 2.0 running on an OpenWRT router (192.168.1.1) with several dockerized servers being served by different domains via a dockerized NGINX available at 192.168.1.106:9443

The servers are available at:

cucumber.mydomain.com > 192.168.1.106:1001
carrot.mydomain.com > 192.168.1.106:1002
apple.mydomain.com > 192.168.1.106:1003

The certificates are served by the NGINX and I would like to keep it that way, with haproxy used in passthrough mode for “split dns” functionality.
I have port forwarding on OpenWRT external :443 to internal :9443 to the NGINX.
I can perfectly reach all my servers from outside and also from inside, but the moment I cut the internet, I cannot reach them anymore from inside.
My goal is to be able to reach the servers by their domain names even when there is no internet, but I cannot make it work. I have enabled tcp mode for passthrough as per the config below, but no joy. Stats show no matches to the backend, just the frontend:

Global parameters

global
    log stdout local0 debug
    maxconn 5000
    ulimit-n 65535
    uid 0
    gid 0
    daemon
    nosplice
    debug

defaults
    timeout connect 5000
    mode tcp
    option tcplog
    log global
    timeout client 2000000
    timeout server 2000000

frontend stat_page
    bind *:8444 ssl crt /etc/ssl/private/haproxy/haproxy.pem
    mode http
    option tcplog
    stats enable
    stats uri /stats
    stats realm HA_Stats
    stats auth admin:admin

frontend main_https_listen
    bind 192.168.1.1:443
    mode tcp
    acl cucumber hdr(host) -i cucumber.mydomain.com
    tcp-request inspect-delay 5s
    use_backend bk_cucumber if cucumber

backend bk_cucumber
    mode tcp
    timeout connect 5000
    timeout server 30000
    server server1 192.168.1.106:9443 check

listen local_health_check
    bind :60000
    mode health

Thanks for your input!

Hi,

You can't read a host header in TCP mode and you can't be in HTTP mode unless you decrypt the traffic…

Luckily, thanks to SNI you should be able to still achieve what you want with a config like this:

frontend main_https_listen
    bind 192.168.1.1:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend bk_cucumber if { req_ssl_sni -i cucumber.mydomain.com }
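To show what the reply's `req_ssl_hello_type` and `req_ssl_sni` fetches actually look at, here is an added Python example (not part of the thread and not haproxy's code) that builds a minimal TLS ClientHello, pulls the server_name extension out of it without any key material, and applies the same case-insensitive routing as the `use_backend ... if { req_ssl_sni -i ... }` rule. The routing table covers all three hostnames from the first post; only `bk_cucumber` appears in the posted config, the other backend names are assumptions. The ClientHello bytes are constructed, not captured traffic.

```python
import struct

# Routing table mirroring the use_backend rules; bk_carrot/bk_apple are assumed names.
SNI_BACKENDS = {
    "cucumber.mydomain.com": "bk_cucumber",
    "carrot.mydomain.com": "bk_carrot",
    "apple.mydomain.com": "bk_apple",
}


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (test input, not a real capture)."""
    body = b"\x03\x03"                        # client_version: TLS 1.2
    body += b"\x11" * 32                      # random: fixed bytes so output is deterministic
    body += b"\x00"                           # session_id length 0
    body += b"\x00\x02\xc0\x2f"               # cipher_suites: length 2, one suite
    body += b"\x01\x00"                       # compression_methods: length 1, null
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host       # name_type host_name(0)
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += b"\x00\x00" + struct.pack("!H", len(name_list)) + name_list  # ext 0 = server_name
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake


def extract_sni(record):
    """Return the SNI host name from a ClientHello record, or None when there is none.

    Mirrors req_ssl_hello_type (must be 1) followed by req_ssl_sni: everything read
    here is cleartext, which is why haproxy can route on it without the certificate.
    """
    if len(record) < 5 or record[0] != 0x16:
        return None                       # not a TLS handshake record (e.g. plain HTTP)
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                       # not a ClientHello
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")  # haproxy would keep buffering up to inspect-delay
    pos = 34                              # skip client_version (2) + random (32)
    sid_len = body[pos]; pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
    cm_len = body[pos]; pos += 1 + cm_len
    if pos + 2 > len(body):
        return None                       # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        edata = body[pos:pos + elen]; pos += elen
        if etype == 0x0000:               # server_name extension
            lpos = 2                      # skip server_name_list length
            while lpos + 3 <= len(edata):
                ntype = edata[lpos]
                nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
                lpos += 3
                if ntype == 0:
                    return edata[lpos:lpos + nlen].decode("ascii")
                lpos += nlen
    return None


def choose_backend(record):
    """Apply the use_backend rules: case-insensitive SNI match (-i), None when nothing
    matches, which in haproxy means falling through to the frontend's implicit backend."""
    sni = extract_sni(record)
    if sni is None:
        return None
    return SNI_BACKENDS.get(sni.lower())


if __name__ == "__main__":
    for name in ("cucumber.mydomain.com", "Carrot.MyDomain.com", "other.example", None):
        print(name, "->", choose_backend(build_client_hello(name)))
```

Two properties worth noting from the defender's side: the inspect delay only matters while the ClientHello is still incomplete (the `ValueError` branch), and a client that sends no SNI at all, or a name that matches no rule, ends up with no backend, which is exactly the "counters stay 0" symptom if the rule never matches.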

Hi,

Thanks for the feedback. I changed the config as suggested, but it still does not work and backend counters stay 0. I think I might be missing something very obvious as the haproxy config that I have seems to be standard as per the documentation. The debugs show the following messages:

main_https_listen main_https_listen/ -1/-1/49 0 SC 2/1/0/0/0 0/0

I did some research and SC means that the connection is refused between haproxy and backend NGINX. Any clue where I should look next?

Thank you
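As an added example (not from the thread), here is a small Python decoder for the trailing fields of an `option tcplog` line like the one quoted above. It splits the `%ft %b/%s %Tw/%Tc/%Tt %B %ts` fields, expands the two-letter termination state from haproxy's documented code table, and flags the things an operator would check first: a backend field equal to the frontend name (no `use_backend` or `default_backend` rule matched, so the frontend's implicit backend with no servers was used), an empty or `<NOSRV>` server field, and `Tc=-1` (no server connection was ever established). The sample line is the poster's own, minus the process/client/date prefix they left out; the healthy line is constructed.

```python
# Termination state tables as documented for haproxy logs (section "Session state at disconnection").
TERM_CAUSE = {
    "-": "normal session completion",
    "C": "TCP session unexpectedly aborted by the client",
    "S": "TCP session aborted or explicitly refused by the server, or no server available",
    "P": "session prematurely aborted by the proxy (policy or limit)",
    "L": "session handled locally by haproxy (stats, redirect, ...)",
    "R": "resource exhaustion on the proxy",
    "I": "internal error in haproxy",
    "D": "session killed because the server went DOWN",
    "U": "session killed because the server came UP",
    "K": "session actively killed by an administrator",
    "c": "client-side timeout expired",
    "s": "server-side timeout expired",
}
TERM_STATE = {
    "-": "normal completion",
    "R": "waiting for a complete REQUEST from the client",
    "Q": "waiting in the backend QUEUE for a connection slot",
    "C": "waiting for the CONNECTION to the server to establish",
    "H": "waiting for response HEADERS from the server",
    "D": "transferring DATA between client and server",
    "L": "transmitting LAST data to the client",
    "T": "tarpitted",
}

# Quoted from the post above; a full line would also carry "haproxy[pid]: ip:port [date]" in front.
SAMPLE_LINE = "main_https_listen main_https_listen/ -1/-1/49 0 SC 2/1/0/0/0 0/0"
# Constructed line showing what a routed, successful session looks like for comparison.
HEALTHY_LINE = "main_https_listen bk_cucumber/server1 0/1/234 5120 -- 1/1/1/1/0 0/0"


def parse_tcplog(line):
    """Parse the trailing seven tcplog fields: %ft %b/%s %Tw/%Tc/%Tt %B %ts %ac/%fc/%bc/%sc/%rc %sq/%bq."""
    fields = line.split()
    if len(fields) < 7:
        raise ValueError("not a tcplog line")
    ft, bs, timers, nbytes, ts, conns, queues = fields[-7:]
    backend, _, server = bs.partition("/")      # server is "" when the field was cut off
    tw, tc, tt = (int(x) for x in timers.split("/"))
    ac, fc, bc, sc, rc = (int(x) for x in conns.split("/"))
    sq, bq = (int(x) for x in queues.split("/"))
    return {
        "frontend": ft, "backend": backend, "server": server,
        "Tw": tw, "Tc": tc, "Tt": tt, "bytes": int(nbytes), "termination": ts,
        "actconn": ac, "feconn": fc, "beconn": bc, "srv_conn": sc, "retries": rc,
        "srv_queue": sq, "backend_queue": bq,
    }


def diagnose(entry):
    """Return human-readable findings for one parsed log entry."""
    cause, state = entry["termination"][0], entry["termination"][1]
    findings = [f"{entry['termination']}: {TERM_CAUSE.get(cause, 'unknown cause')} "
                f"while {TERM_STATE.get(state, 'unknown state')}"]
    if entry["backend"] == entry["frontend"]:
        findings.append("backend equals frontend: no use_backend/default_backend rule matched, "
                        "so the frontend's implicit backend (which has no servers) was used")
    if entry["server"] in ("", "<NOSRV>"):
        findings.append("no server selected for this session")
    if entry["Tc"] == -1:
        findings.append("Tc=-1: the connection to a server was never established")
    if entry["bytes"] == 0:
        findings.append("0 bytes returned to the client")
    return findings


if __name__ == "__main__":
    for line in (SAMPLE_LINE, HEALTHY_LINE):
        print(line)
        for f in diagnose(parse_tcplog(line)):
            print("  -", f)
```

Read this way, the quoted line says the session never left the frontend: it was not refused by the NGINX at 192.168.1.106:9443, because no backend with a server was ever chosen. That points at the `use_backend` condition (or at which address the client's SNI actually carries) rather than at connectivity to the NGINX container.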