HAProxy, single domain name, multiple subdomains with SSL

PunkIsDaFunk · October 20, 2018, 2:55pm

I am trying to setup a farm of servers to serve the same website across all the servers, including the subdomains. I posted my example configuration below.

When tested it seemed to allow for the main website to be loaded, but anytime the subdomains were accessed it would just redirect to the main domain’s content. Is there a way using the configuration I have below, or some other configuration, and I can accomplish the goal of having say 4 servers, all serving the same root domain and subdomains, while still utilizing an SSL certificate for all traffic? Each website also contains a 301 redirect to HTTPS to enforce the use of SSL.

global
        log 127.0.0.1   local0
        log 127.0.0.1   local1 notice
        maxconn 4096
        user haproxy
        group haproxy
        daemon

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        option forwardfor
        option http-server-close
        stats enable
        stats auth admin:Password!
        stats uri /haproxyStats

frontend http-in
        bind *:80

        # Define hosts
        acl host_website_hdr(host) -i domain.com 
        acl host_website_hdr(host) -i c.domain.com
        acl host_website_hdr(host) -i s.domain.com
        acl host_website_hdr(host) -i i.domain.com 
        acl host_website_hdr(host) -i e.domain.com

        ## figure out which one to use
        use_backend website if host_website
        use_backend website if host_website
        use_backend website if host_website
        use_backend website if host_website
        use_backend website if host_website

backend website
        balance leastconn
        option httpclose
        option forwardfor
        cookie JSESSIONID prefix
        server node1 10.5.0.10 cookie A check
        server node2 10.5.0.11 cookie A check
        server node3 10.5.0.12 cookie A check
        server node4 10.5.0.13 cookie A check
        server node5 10.5.0.14 cookie A check

lukastribus · October 22, 2018, 5:36pm

Haproxy does not redirect anything in this configuration. Likely your backend server are redirecting. Why that is, is a question that needs to be looked at from the application perspective. Nothing fancy that haproxy does here.

The configuration you posted doesn’t make a lot of sense though, are you sure that’s what you are really using? You don’t need multiple use_backend that are exactly the same. Once suffices. Also since you don’t have multiple backends, default_backend probably suffices.

All the SSL questions can be answered when you explain how you would like to set that up. Are the backend servers terminating SSL, or haproxy? Where are the certificates installed?

PunkIsDaFunk · October 22, 2018, 10:17pm

I would prefer that SSL be terminated by HAProxy. (For testing I’m using Lets Encrypt)
The configuration I have posted is just an example. It’s not something I’m using in a production (or testing) environment.

Essentially, I have 3 servers configured in a network, each has two interfaces:
server1 10.5.0.10, 10.5.0.11
server2 10.5.0.12, 10.5.0.13
server3 10.5.0.14, 10.5.0.15

All of these servers and HAProxy will only serving domain.com. Subdomains are also housed on the same servers (10.5.0.10 - 15), but with my previous configuration (this is my second attempt) only displayed the main website (domain.com) for every subdomain. For example, images.domain.com is replicated by the servers and should also be handled by HAProxy. But images.domain.com, displayed the document root for domain.com, and not images.domain.com.

I am new to HAProxy, if there is a configuration that would fit what I am trying to accomplish better than what I posted, please let me know. Configuration examples would be a great resource if you have any. If that makes more sense. Which I hope it does.

lukastribus · October 23, 2018, 10:01am

Remove option http-server-close from the defaults and option httpclose from the backend. They just disable keep-alive which makes no sense, unless you had a reason to put them there.

SSL configuration in haproxy is fairly straightforward, checkout examples/ssl.cfg and the Mozilla SSL Configuration Generator for suggestions about how to do it securely.

Just avoid redirecting to SSL from the backend applications (do it in haproxy instead using redirect scheme), otherwise you backend start redirecting to HTTPS endlessly because they don’t know that haproxy actually terminates SSL (you’d have to set a HTTP header like X-Forwarded-Proto on haproxy, and make the application understand it).

If you want cookie persistence (do you?), you need to set each server to a different cookie value, otherwise it makes no sense. In your specific case you could set the same cookie for the other NIC of the same server, that should be fine.

        server server1-nic1 10.5.0.10 cookie A check
        server server1-nic2 10.5.0.11 cookie A check
        server server2-nic1 10.5.0.12 cookie B check
        server server2-nic2 10.5.0.13 cookie B check
        server server3-nic1 10.5.0.14 cookie C check
        server server3-nic2 10.5.0.15 cookie C check

That’s your backend server’s domain, haproxy does not know anything about this. You need to look there for fixes. Also, actually test your backend servers directly.

PunkIsDaFunk · October 23, 2018, 10:43pm

I’m unsure what you mean? There is no way using the domain the browser requests that I can pass the host header of images.domain.com on to the server from HAProxy?

The virtual hosts for each subdomain already exist in apache, and point to the correct document root, and the bind server that handles DNS is pointing to the public IP address of the HAProxy server. So the servers are already setup to serve the pages based on the domain names that are requested. HAProxy is only sending the root domain though (or at least I suspect) which is why it’s only displaying the root website, and not the sub-domains.

Correct me if I’m wrong. Which I may be, since I am new to HAProxy.

lukastribus · October 24, 2018, 9:27am

It’s very simple: your browser sets the Host header to images.domain.com. Haproxy passes the requests as-is to the backend server, which, if configured correctly, based on the Host header which is set to images.domain.com, serves the correct root.

No, haproxy won’t touch the Host header send by the browser. Unless you configure haproxy to overwrite the Host header, but that’s not what you configured.

Again test your backend servers directly, without going through haproxy.

mdsahil · March 20, 2019, 7:06am

In haproxy configuration, acl sub domain is above in main domain. while trying to login the subdomain URL to went to main domain. Please give us solution.
haproxy version: 1.6.14

acl xxx hdr_end(host) -i xxx.domain.in
acl xxxmain hdr_end(host) -i xxxmain.domain.in

use_backend xxxmain if xxxmain
use_backend xxx if xxx

backend xxx
redirect scheme https if !{ ssl_fc }
rspadd X-Frame-Options:\ SAMEORIGIN
option forwardfor
balance roundrobin
cookie SERVERID insert indirect nocache
server xxx 1.1.1.1:xxxx check ssl verify none

backend xxxmain
redirect scheme https if !{ ssl_fc }
rspadd X-Frame-Options:\ SAMEORIGIN
option forwardfor
balance roundrobin
cookie SERVERID insert indirect nocache
server xxxmain 1.1.1.1:xxxx check ssl verify none

lukastribus · March 25, 2019, 10:35am

Please open your own thread and don’t hijack others.

Topic		Replies	Views
Haproxy url rewrite and redirect using ssl Help!	0	2026	February 15, 2018
Haproxy redirections with ssl Help!	1	803	April 26, 2017
Can we set one haproxy to deal with multi domains requests ？ Help!	2	284	June 20, 2023
Domain Proxy : Frontend and backend using different domains Help!	3	820	October 18, 2019
Cannot get "redirect scheme" to work in backend section Help!	7	2224	March 13, 2017

HAProxy, single domain name, multiple subdomains with SSL

Related Topics