Hi, I have a weird problem with my Haproxy setup.
I have several haproxies on top of each other (to manage routing through subdomain yyy.mydomain.com, and then sub-subdomain xxx.yyy.mydomain.com), and I have the following problem (only in tcp mode):
When I open one site (subdomain) in my browser (let's say https://backoffice.mydomain.com) and then go to another site (another subdomain, for example https://chat.mydomain.com), it still goes to the first site (so backoffice in my example). It is not a redirection, the URL is the correct one, but the backend is the wrong one.
What's weird is that every attempt to get to any subdomain will now get me to backoffice. If I try some time later, I can finally get to the correct backend (so if I go to https://chat.mydomain.com, I will correctly go to it this time). But then every other subdomain can only get me to chat, and so on…
Another thing is that the problem does NOT happen when using a sub-subdomain (for example, service1.backoffice.mydomain.com will correctly get me to the right service every time, even when all the subdomains are "stuck" to only one backend).
I don’t know if I’m clear, I can try to rewrite the description if need be (I have a hard time describing it simply).
Here is some of my conf:
The global and defaults are the same on every haproxy:
```
global
    log stdout format raw local0 notice
    maxconn 32000
    ulimit-n 65536
    pidfile /var/run/haproxy.pid
    uid 33
    gid 33
    daemon
    quiet
    nbproc 1

defaults
    log global
    mode http
    option httplog
    option dontlognull
    option forwardfor
    retries 3
    option redispatch
    maxconn 20000
    timeout connect 10s
    timeout client 50s
    timeout server 60m
    timeout tunnel 60m
    option http-server-close
    balance roundrobin
```
Here is the conf in the “top” haproxy (routing by subdomains):
```
frontend tcp
    bind *:446
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # routing to other haproxies via req_ssl_sni...
    acl mysubdomain req_ssl_sni -m sub .mysubdomain.
    use_backend mysubdomain if mysubdomain
    # etc
```
Here is the conf for the subdomain haproxies (running in swarm stacks):
```
resolvers docker
    nameserver dns 127.0.0.11:53

frontend https
    bind *:443 ssl crt /usr/local/etc/haproxy/certs alpn h2,http/1.1
    # routing to services
    acl myservice hdr_beg(host) myservice.
    use_backend myservice if myservice
    # etc
    # Defaulting on the "most important" service
    default_backend mydefaultbackend
```