Haproxy tcp acl port 8008 not working


#1

Hello,
I want to forward more domains with the same port to different lxc containers on the port 8008 (tcp).

If I don’t do the acl-check the config is working. But I need to check the url.

Here is my config:

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http

    mode tcp
    option tcplog
    option tcp-smart-connect
    option dontlognull
    option dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend stratum1_frontend
    bind *:8008

    acl host_stratum1 hdr_dom(host) -m beg test1.
    use_backend stratum1_backend if host_stratum1
    #default_backend stratum1_backend

backend stratum1_backend
    mode tcp
    server stratum1 test1.test.de:8008 check


#2

What does the HTTP request look like, exactly?


#3

I try to connect the server to test1.test.de:8008; the command acl host_stratum1 should check if the URL contains test1.
If the URL contains test1, haproxy should redirect me to the container test1.test.de:8008.
It has to be scalable, e.g. test2.test.de:8008, test3.test.de:8008.

If I do the same story with mode http on port 80 it works without problems. But I need the service running on port 8008 tcp.


#4

No, this can’t work in TCP mode. If you want to access HTTP headers, you need HTTP mode.

Why do you need TCP mode for this traffic here anyway? What is it in HTTP mode that doesn’t work for your 8008 http traffic?


#5

The stratum proxy doesn’t accept the connection in http mode…


#6

Isn’t the protocol you are using here HTTP?


#7

No, the protocol I’m using isn’t HTTP… I don’t know what protocol the proxy is using (I think it’s using its own protocol)… that’s why I have to forward the TCP packets…


#8

Well then not only is haproxy unable to do that, it is also technically impossible.

This here:
hdr_dom(host) -m beg test1.

Means: look for the HTTP header (in an HTTP request) named “host” and check if its value begins with test1.

If there is no HTTP protocol, no HTTP request, then you cannot possibly access HTTP headers. And if there is an unknown protocol that is forwarded, not only don’t we know where to look for the header, but more likely there is probably no such header at all. For all intents and purposes there is not even a URL here.

So you’d have to go back to the drawing board in this case.
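The point made in this answer, as an added example that is not part of the original thread: a simplified Python model of a Host-header prefix check (not HAProxy's own parser), run against a constructed HTTP request and a constructed non-HTTP payload. The payload format and the function names are assumptions for illustration; the thread does not say what the real protocol looks like.

```python
# Added illustration: simplified model of "Host header begins with <prefix>".
# This is not HAProxy code; names and sample payloads are constructed.

def host_header(first_bytes: bytes):
    """Return the Host header value if the buffer holds an HTTP/1.x
    request header block, otherwise None."""
    head, sep, _ = first_bytes.partition(b"\r\n\r\n")
    if not sep:
        return None  # no complete HTTP header block in the buffer
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return None  # first line is not "METHOD URI HTTP/1.x"
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon and name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace")
    return None


def acl_host_begins_with(first_bytes: bytes, prefix: str) -> bool:
    """Model of the ACL from the thread: true only when a Host header
    exists and its value starts with the prefix."""
    host = host_header(first_bytes)
    return host is not None and host.lower().startswith(prefix)


# Constructed sample: an HTTP client sends the name it connected to.
HTTP_REQUEST = (b"GET / HTTP/1.1\r\n"
                b"Host: test1.test.de:8008\r\n"
                b"User-Agent: demo\r\n\r\n")

# Constructed sample: a hypothetical line-based, non-HTTP message. The client
# resolved test1.test.de via DNS before connecting, so the name is not in
# the byte stream at all; the proxy only sees its own IP address and port.
RAW_TCP_PAYLOAD = b'{"id": 1, "method": "hello", "params": []}\n'


def demo():
    return {
        "http": acl_host_begins_with(HTTP_REQUEST, "test1."),
        "raw_tcp": acl_host_begins_with(RAW_TCP_PAYLOAD, "test1."),
    }


if __name__ == "__main__":
    print(demo())
```

With the ACL never true and default_backend commented out, as in the posted config, the frontend has no backend to send the connection to.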


#9

OK, thank you. I’ll replan it…