HAProxy with TCP mode and multiple subdomains

Hi Team, I have the configuration below and I am getting an SSL error in my Python code.

frontend http-in
    bind *:443
    mode tcp
    option tcplog
    timeout connect 10s
    timeout client 20m
    timeout server 20m
    maxconn 10000
    acl sub_qaws hdr(host) -i qaws.domain.com
    acl sub_pdws hdr(host) -i pdws.domain.com
    use_backend be_d1 if sub_qaws
    use_backend be_d2 if sub_pdws

backend be_d1
    server D1M1 qaws.domain.com:443

backend be_d2
    server D2M1 pdws.domain.com:443

Error Message:
Caused by SSLError(SSLEOFError(8, 'EOF occurred in violation of protocol (_ssl.c:1131)'))

But if I remove the ACL entries and keep just a single backend server, it works perfectly fine.

Can someone please help here and let me know the exact root cause of this issue?

You can't use hdr(host) based ACLs here, as HAProxy does not see the HTTP requests/responses because it does not terminate TLS.

Either you terminate TLS, or you use the SNI for your use_backend rules, with req.ssl_sni:

use_backend be_d1 if { req.ssl_sni qaws.domain.com }

1 Like

Hi Jerome,

Thanks for your input. I tried the configuration below, and it's working in a round-robin fashion instead of going with the exact match.

listen abc
    bind *:443
    mode tcp
    option tcplog
    timeout connect 10s
    timeout client 20m
    timeout server 20m
    maxconn 10000
    use-server abc1 if { req.ssl_sni -i qaws.domain.com }
    server abc1 qaws.domain.com:443
    use-server abc2 if { req.ssl_sni -i pdws.domain.com }
    server abc2 pdws.domain.com:443
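As an added example (not from either post in this thread), here is a complete TCP-mode configuration that applies Jerome's req.ssl_sni advice and also covers the round-robin symptom in the listen section above. In TCP mode the use_backend / use-server rules are evaluated as soon as the connection is accepted; unless HAProxy is told to wait for content, the TLS ClientHello has not arrived yet, req.ssl_sni is empty, no rule matches and the default server selection (round-robin) decides. The two tcp-request lines make HAProxy buffer the connection until a ClientHello is present. Hostnames and server addresses are the ones from the thread; the section names, timeouts and the reject rule are my assumptions for illustration.

```haproxy
# Added example: route by SNI in TCP mode without terminating TLS.
# Hostnames come from the thread; section names, timeouts and the reject
# rule are assumed for illustration.
frontend https-in
    bind *:443
    mode tcp
    option tcplog
    timeout client 20m
    maxconn 10000

    # Wait (up to 5s) for the TLS ClientHello before evaluating the rules below.
    # Without this, req.ssl_sni is evaluated on an empty buffer, nothing matches,
    # and the connection falls through to the default backend / round-robin.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Anything that is not a TLS ClientHello within the delay is dropped.
    tcp-request content reject

    # SNI travels in cleartext in the ClientHello, so HAProxy can read it here.
    # The Host header is inside the encrypted record and is NOT visible in TCP mode,
    # which is why hdr(host) never matched in the original configuration.
    use_backend be_d1 if { req.ssl_sni -i qaws.domain.com }
    use_backend be_d2 if { req.ssl_sni -i pdws.domain.com }
    # No default_backend on purpose: an unknown or missing SNI selects no backend
    # and the connection is closed instead of being sent to an arbitrary server.

backend be_d1
    mode tcp
    timeout connect 10s
    timeout server 20m
    server D1M1 qaws.domain.com:443

backend be_d2
    mode tcp
    timeout connect 10s
    timeout server 20m
    server D2M1 pdws.domain.com:443
```

The same two tcp-request lines (inspect-delay plus the accept on req.ssl_hello_type 1) inserted before the use-server rules in the listen abc section fix the round-robin behaviour there as well. Check the file with `haproxy -c -f haproxy.cfg`, then confirm routing with `openssl s_client -connect <haproxy-host>:443 -servername qaws.domain.com` and compare the certificate returned for each hostname; a connection made without -servername should be closed rather than land on one of the backends.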