How to redirect traffic on port 8443


#1

Hi,
I have a config section like below. It works fine for a single backend using port 8443.

I now need to have multiple backends behind this one frontend - can someone help me out? I tried the ‘use_backend’ line to have multiple backends - see below - but it didn’t work.

Also, how would I implement SSL on these backends?

Thanks.

frontend ft_myservice
    bind 10.x.xx.xx:8443 name HTTPS
    mode tcp
    log global
    capture request header host len 64
    capture request header user-agent len 64
    capture response header location len 64
    maxconn 1000
    #use_backend bk_%[req.hdr(host),lower]
    default_backend bk_myservice.mydomain.ie

backend bk_myservice.mydomain.ie
    balance roundrobin
    mode tcp
    log global
    fullconn 1000 # dynamic limiting below
    option httpchk GET /myservice HTTP/1.0\r\nHost:\ myservice.mydomain.ie
    http-check expect string diveport
    default-server slowstart 0 inter 10s rise 2 fall 3 # servers default parameters
    server MyBigServer 10.x.xx.xx:8443 weight 10 maxconn 1000 check check-ssl


#2

Can anyone help on this please?


#3

You will have to ask yourself first how haproxy is supposed to pick one backend over the other. Based on a header, maybe SNI or Host? What is it that you want to achieve exactly?

You probably have to switch to http mode. If you really need ssl on the backend side (you do seem to be on a LAN, so I’m not sure if that makes sense), specify the ssl keyword on the server line.


#4

Frank,
From my understanding, you are trying to match HTTP content on a connection where traffic is ciphered… So it obviously can’t work.
Lukas has provided useful pointers to you.


#5

Hi Lukas -

I tried to use this syntax to pick the backend but it didn’t work.

use_backend bk_%[req.hdr(host),lower]

I commented it out in the example to show what is currently in place.

Can you provide an example of how you might implement this?


#6

You cannot match an HTTP header when the traffic passing through is encrypted (HTTPS), and you are not terminating SSL here.

Terminate SSL or content switch based on SNI.
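
The two options named in the last reply, sketched as an added example that is not part of the thread and not written by its participants. All addresses (192.0.2.x), the second hostname, the certificate directory and the CA file path are placeholders assumed for illustration.

```haproxy
# Options A and B are alternatives: keep only one of them in a real haproxy.cfg.

# Option A: stay in mode tcp (TLS passes through untouched) and switch on the
# SNI that the client sends in clear text in its TLS ClientHello.
frontend ft_myservice
    bind 192.0.2.10:8443 name HTTPS              # placeholder address
    mode tcp
    log global
    maxconn 1000
    tcp-request inspect-delay 5s                 # wait for the ClientHello
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend bk_%[req.ssl_sni,lower]          # falls back to default_backend
    default_backend bk_myservice.mydomain.ie     # when no backend has that name

backend bk_myservice.mydomain.ie
    mode tcp
    server MyBigServer 192.0.2.21:8443 check     # plain TCP connect check

backend bk_other.mydomain.ie                     # hypothetical second service
    mode tcp
    server OtherServer 192.0.2.22:8443 check

# Option B: terminate TLS on the frontend so HTTP headers become visible,
# switch on Host in mode http, then re-encrypt towards the server with "ssl".
frontend ft_myservice
    bind 192.0.2.10:8443 name HTTPS ssl crt /etc/haproxy/certs/   # placeholder
    mode http
    log global
    capture request header host len 64           # captures now see real headers
    maxconn 1000
    # Clients on a non-default port send "Host: name:8443"; strip the port.
    use_backend bk_%[req.hdr(host),field(1,:),lower]
    default_backend bk_myservice.mydomain.ie

backend bk_myservice.mydomain.ie
    mode http
    balance roundrobin
    option httpchk GET /myservice HTTP/1.0\r\nHost:\ myservice.mydomain.ie
    http-check expect string diveport
    # "ssl" encrypts traffic and health checks; verify the server certificate
    # against a CA file (placeholder path) rather than trusting any certificate.
    server MyBigServer 192.0.2.21:8443 ssl verify required ca-file /etc/haproxy/ca.pem check
```

With option A, HAProxy never sees the request, so the `capture` and `option httpchk` lines from the original configuration have nothing to work on and are left out. With option B, HAProxy holds the private key and decrypts traffic, so access to the certificate directory needs to be restricted accordingly.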