I need help
I am using the following configuration to route traffic to different backends; however, the backend host is the same for both applications. Everything works fine as long as a user does not log into both applications in the same browser. It is almost as if the browser confuses where the response is coming from, or sends a request with cookies from the wrong site.
global
    # Send logs to the local syslog socket, facility local0 ("log global"
    # in the defaults section inherits this target).
    log /dev/log local0
    # log /dev/log local1 info
    # Confine the running process to this directory after startup.
    chroot /var/lib/haproxy
    # Runtime API socket. "level admin" permits state-changing commands and
    # "expose-fd listeners" hands the listening sockets to a reloading
    # process, so access is controlled only by the socket mode (660) and the
    # owning user/group.
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    # Drop root privileges once the listeners are bound.
    user haproxy
    group haproxy
    daemon
    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    # TLS 1.2 cipher list: ephemeral key exchange (ECDHE/DHE) with AEAD
    # ciphers (GCM / CHACHA20-POLY1305) only.
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    # TLS 1.3 cipher suites.
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    # Refuse anything below TLS 1.2. Disabling session tickets keeps
    # resumption state server-side instead of in a client-held ticket
    # encrypted under a long-lived process key.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    # SSL tunables
    # Size of the DH group used by the DHE-* suites listed above.
    tune.ssl.default-dh-param 4096
    # Match ingress-nginx large-client-header-buffers 4 32k
    tune.bufsize 32768
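defaults
    log global
    mode http
    # Append the client address as X-Forwarded-For on proxied requests
    # (a frontend or backend section may override this per section).
    option forwardfor
    option httplog
    # Do not log connections that carried no data (e.g. bare TCP probes).
    option dontlognull
    # Bound the time a client may take to deliver a complete request header
    # set. Without this a client can open a connection, send nothing (or a
    # trickle of header bytes) and hold the slot for the whole 600s
    # "timeout client" below, which makes slow-header connection exhaustion
    # cheap against the public *:80/*:443 listeners.
    timeout http-request 10s
    # 10-minute idle timeouts and a 12-hour tunnel timeout are unusually
    # long; presumably needed for long-polling / WebSocket traffic through
    # the ingress — confirm the applications require them, as every idle
    # connection holds a slot here. A 600s connect timeout in particular is
    # far above the few seconds a healthy backend needs to accept a TCP
    # connection.
    timeout connect 600s
    timeout client 600s
    timeout server 600s
    timeout tunnel 43200s
    # Static error pages served by HAProxy itself when it cannot or will
    # not forward a request.
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http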
# frontend prometheus
# bind *:8405
# http-request use-service prometheus-exporter if { path /metrics }
# no log
frontend app-fe
    # Plain HTTP is accepted only so it can be redirected below. TLS
    # certificates are loaded from every file in the directory and chosen
    # per connection by SNI.
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/
    mode http
    # Force HTTPS: any request that did not arrive over TLS is redirected.
    http-request redirect scheme https unless { ssl_fc }
    # Overwrite (never pass through) the client-supplied X-Forwarded-Proto
    # so the backend sees the scheme HAProxy actually terminated.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http unless { ssl_fc }
    # DEV ACL: Host header begins with "dev." (value match is
    # case-insensitive). Header names are matched case-insensitively, so
    # req.hdr(host) here and req.hdr(Host) below are equivalent.
    acl dev_url req.hdr(host) -i -m beg dev.
    http-request set-header X-Forwarded-Port %[dst_port] if dev_url
    # QA ACL
    acl qa_url req.hdr(Host) -i -m beg qa.
    http-request set-header X-Forwarded-Port %[dst_port] if qa_url
    # Route traffic to DEV
    use_backend dev-be if dev_url
    # Route traffic to QA
    use_backend qa-be if qa_url
    # No default_backend is set: a request whose Host matches neither ACL is
    # answered with HAProxy's 503 error page rather than being sent to an
    # arbitrary backend.
    # default_backend dev-be
    # NOTE(review): both routes end at the same ingress host, so downstream
    # the two applications are presumably told apart only by the Host
    # header, which this frontend forwards unchanged. HAProxy's own
    # stickiness cookies (LB1SESSIONID / LB2SESSIONID, set in the backends)
    # have distinct names and are scoped to distinct hostnames, so they
    # cannot collide. If logging into one application breaks the other in
    # the same browser, inspect the Set-Cookie headers the applications
    # themselves emit: a session cookie set with a parent Domain attribute,
    # or the same cookie name on a shared parent domain, would be sent to
    # both hosts — confirm against the backend responses.
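backend dev-be
    # Always append the client address to X-Forwarded-For, matching the
    # qa-be backend and the defaults section. The former "if-none" suffix
    # skipped the header whenever the client already sent one, which lets
    # any client connecting directly to the *:80/*:443 listeners pick the
    # source address the application sees. Use "if-none" only when a
    # trusted proxy in front of HAProxy is the one setting this header.
    option forwardfor
    mode http
    balance roundrobin
    # HAProxy-managed stickiness cookie: "insert" sets it on the response,
    # "indirect" strips it from the request before it reaches the server,
    # "nocache" marks the response that sets it as non-cacheable.
    cookie LB1SESSIONID insert indirect nocache
    ## The rule below ensures that the Location header is https if for some reason it changes to http. Ignores relative path Locations.
    http-response replace-header Location ^http://(.*)$ https://\1
    ## The server directive is configured to trust the certificate regardless of its type or expiration date
    # NOTE(review): "verify none" disables certificate validation on the
    # backend TLS hop, so neither the proxied traffic nor the health check
    # can detect an impersonated endpoint between HAProxy and the ELB.
    # Prefer "verify required ca-file <CA_BUNDLE_PATH>" (placeholder) once
    # the chain the ELB presents is known.
    server dev-ingress A.elb.us-east-1.amazonaws.com:443 cookie dev-be check ssl verify none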
backend qa-be
    # X-Forwarded-For handling is inherited from the defaults section
    # ("option forwardfor"), so the commented line below is not needed.
    # option forwardfor
    mode http
    balance roundrobin
    # HAProxy-managed stickiness cookie, deliberately named differently from
    # dev-be's: "insert" sets it on the response, "indirect" strips it from
    # the request before it reaches the server, "nocache" marks the response
    # that sets it as non-cacheable.
    cookie LB2SESSIONID insert indirect nocache
    ## The rule below ensures that the Location header is https if for some reason it changes to http. Ignores relative path Locations.
    http-response replace-header Location ^http://(.*)$ https://\1
    ## The server directive is configured to trust the certificate regardless of its type or expiration date
    # NOTE(review): "verify none" disables certificate validation on the
    # backend TLS hop, so neither the proxied traffic nor the health check
    # can detect an impersonated endpoint between HAProxy and the ELB.
    # Prefer "verify required ca-file <CA_BUNDLE_PATH>" (placeholder) once
    # the chain the ELB presents is known.
    server qa-ingress A.elb.us-east-1.amazonaws.com:443 cookie qa-be check ssl verify none
haproxy version: HAProxy version 2.4.24-0ubuntu0.22.04.1 2023/10/31
Thanks.