HTTPS multiple domain routing

Hello HAProxy knowledgeable people,

I am setting up a gateway that is supposed to route traffic from different domains (2 TLDs and multiple subs) to different backends. I am using certbot with Cloudflare for SSL termination and want to route the domains with ACLs.
What I can't get working is the routing from the domains. All works fine for the default backend, which is commented in the example config (SSL, status, …), but as soon as I comment the default backend and want to access the same service promox.dev.example.de, which would be routed through the ACL, I get "secure connection failed".
I tried multiple ACL matching methods like hdr(host) but I can't get it working. Would be awesome if someone could shine some light on this. I am stuck :-/

```
############## Configure public https frontend #############
listen https
    mode tcp
    option tcplog

    # HTTP
    bind :80
    # Redirect all HTTP traffic to HTTPS
    redirect scheme https if !{ ssl_fc }

    # HTTPS
    bind :443 ssl crt /etc/haproxy/ssl/
    tcp-request content accept if { req.ssl_hello_type 1 }

    acl ACL_promox          req.ssl_sni -i promox.example.de
    acl ACL_promox_dev      req.ssl_sni -i promox.dev.example.de
    acl ACL_promox_dev      req.ssl_sni -i promox.backup.example.de
    acl ACL_artemis         req.ssl_sni -i *.apps.artemis.example.de
    ....

    use_backend proxmox_production_backend      if ACL_promox
    use_backend proxmox_development_backend     if ACL_promox_dev
    use_backend proxmox_backup_backend          if ACL_promox_backup
    use_backend proxmox_backup_backend          if ACL_artemis
    ....

    # default_backend proxmox_development_backend

############## Configure proxmox production backend #############
backend proxmox_production_backend
    mode tcp
    option tcplog
    default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100
    server proxmox-production-0 10.XX.19.XX:8006 ssl check verify none

############## Configure proxmox development backend #############
backend proxmox_development_backend
    mode tcp
    option tcplog
    default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100
    server proxmox-development-0 10.XX.19.XX:8006 ssl check verify none

############## Configure proxmox backup backend #############
backend proxmox_backup_backend
    mode tcp
    option tcplog
    default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100
    server proxmox-backup-0 10.XX.19.XX:8006 ssl check verify none

############## Configure artemis production backend for https #############
backend https_artemis_live_backend
    mode http
    default-server inter 10s downinter 5s rise 2 fall 2 slowstart 60s maxconn 250 maxqueue 256 weight 100
    server artemis-zerotier-bridge-0 10.XX.19.XX:443 check
    server artemis-zerotier-bridge-1 10.XX.19.XX:443 check
    server artemis-zerotier-bridge-2 10.XX.19.XX:443 check
```

Use mode http with hdr(host)

@lukastribus thanks, that was very helpful. Unfortunately, I still get a 503 error. Like it wouldn't recognize my ACLs.

From the logs:

```
https~ https/<NOSRV> 0/-1/-1/-1/0 503 221 - - SC-- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
```

When I add proxmox.dev as the default backend it works fine.

From the logs:

```
proxmox_development_backend/proxmox-development-0 2/0/40/45/87 200 1041 - - ---- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
```

So I have the impression that my ACLs are just not working, but I don't know why…

You can and should remove tcp-request content. Make sure there is absolutely nothing in the configuration that begins with req.ssl.

Then, run curl -vv https://promox.example.de/ against haproxy and provide the log message again.

backend https_artemis_live_backend has wrong configuration for this: it doesn’t reencrypt traffic but it is pointing to port 443, so you will have to add ssl verify none to it.

So in the logs I still have this after running the curl command:

```
[03/Dec/2021:13:36:51.761] https~ https/<NOSRV> 0/-1/-1/-1/0 503 221 - - SC-- 2/1/0/0/0 0/0 "GET / HTTP/1.1"
```

And the curl command itself returns

```
*   Trying 130.XX.49.XX:443...
* Connected to proxmox.dev.example.de (130.XX.49.XX) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.dev.example.de
*  start date: Nov 24 18:34:11 2021 GMT
*  expire date: Feb 22 18:34:10 2022 GMT
*  subjectAltName: host "proxmox.dev.example.de" matched cert's "*.dev.example.de"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: proxmox.dev.example.de
> User-Agent: curl/7.77.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 503 Service Unavailable
< cache-control: no-cache
< content-type: text/html
< 
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>

* TLSv1.2 (IN), TLS alert, close notify (256):
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
```

You are accessing proxmox.dev.example.de here, but you configured haproxy to look for promox.dev.example.de

proxmox vs promox

Oh my god, shame on my head to waste an hour of your time for that. Thank you very much for spotting this stupid typo :see_no_evil:
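The thread's fix was a one-letter hostname slip, but the config it started from had three more problems worth catching mechanically: it used `req.ssl_sni` behind a TLS-terminating `bind ... ssl` (which is why the reply says to remove anything beginning with `req.ssl`: those fetches parse the raw ClientHello, and after termination the stream they see is already decrypted, so they never match), it declared `ACL_promox_dev` twice (HAProxy ORs repeated acl names, so backup traffic would have gone to the development backend), and it referenced `ACL_promox_backup` without ever defining it. As an added example that is not part of this thread and not HAProxy's own tooling, here is a small Python pre-check that flags all four before `haproxy -c` is even run. `BROKEN_CFG` is a constructed, trimmed copy of the posted listen section (typo kept, backends omitted), `FIXED_CFG` is a constructed mode-http version of the same routing using `hdr(host)` as the reply suggests, and `SERVED_HOSTS` stands in for the hostnames you actually serve (DNS records or certificate SANs), which the typo check uses as its oracle. It goes slightly beyond the thread: the edit-distance check catches any ACL hostname within two characters of a served name, not just this particular typo.

```python
# Added example (not HAProxy code, not the poster's config): a stand-alone linter for
# the routing mistakes in this thread. Both configs and SERVED_HOSTS are constructed.
import re
from collections import defaultdict

# Trimmed copy of the posted listen section, 'promox' typo kept; backends omitted.
BROKEN_CFG = """
listen https
    mode tcp
    bind :443 ssl crt /etc/haproxy/ssl/
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl ACL_promox      req.ssl_sni -i promox.example.de
    acl ACL_promox_dev  req.ssl_sni -i promox.dev.example.de
    acl ACL_promox_dev  req.ssl_sni -i promox.backup.example.de
    use_backend proxmox_production_backend  if ACL_promox
    use_backend proxmox_development_backend if ACL_promox_dev
    use_backend proxmox_backup_backend      if ACL_promox_backup
"""

# Same routing done as the reply suggests: mode http end to end, hdr(host), names spelled right.
FIXED_CFG = """
frontend https
    mode http
    bind :443 ssl crt /etc/haproxy/ssl/
    http-request redirect scheme https unless { ssl_fc }
    acl ACL_proxmox     hdr(host) -i proxmox.example.de
    acl ACL_proxmox_dev hdr(host) -i proxmox.dev.example.de
    use_backend proxmox_production_backend  if ACL_proxmox
    use_backend proxmox_development_backend if ACL_proxmox_dev

backend proxmox_production_backend
    mode http
    server proxmox-production-0 192.0.2.10:8006 ssl check verify none
# the development backend is the same shape and is omitted here
"""

SERVED_HOSTS = ["proxmox.example.de", "proxmox.dev.example.de", "proxmox.backup.example.de"]  # DNS / cert SANs
SECTION_RE = re.compile(r"^(listen|frontend|backend|defaults|global)(?:\s+(\S+))?$")


def parse(cfg):
    """Split a config into sections, keeping only what the checks need."""
    sections, cur = {}, None
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = SECTION_RE.match(line)
        if m:
            kind, name = m.groups()
            cur = sections[name or kind] = {"kind": kind, "mode": None, "ssl_bind": False,
                                            "acls": defaultdict(list), "uses": [], "fetches": set()}
        if not line or m or cur is None:
            continue
        words = line.split()
        if words[0] == "mode":
            cur["mode"] = words[1]
        elif words[0] == "bind" and "ssl" in words[2:]:
            cur["ssl_bind"] = True            # TLS is terminated on this listener
        elif words[0] == "acl":               # one pattern per acl line, as posted
            cur["acls"][words[1]].append(words[-1])
        elif words[0] == "use_backend":       # drop anonymous { ... } ACLs, keep named ones
            cond = re.sub(r"\{[^}]*\}", "", " ".join(words[3:])).split()
            cur["uses"].append((words[1], [w.lstrip("!") for w in cond if w.lstrip("!") not in ("", "||", "or")]))
        cur["fetches"].update(re.findall(r"req\.ssl_\w+", line))   # raw-ClientHello fetches
    return sections


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-letter hostname slips."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check(cfg, served_hosts=()):
    """Return a list of findings for a config (empty when nothing is flagged)."""
    out = []
    for name, s in parse(cfg).items():
        if s["kind"] not in ("listen", "frontend"):
            continue
        # after 'bind ... ssl' the stream is already decrypted, so req.ssl_* never matches
        if s["ssl_bind"] and s["fetches"]:
            out.append(f"{name}: {', '.join(sorted(s['fetches']))} used behind 'bind ... ssl'")
        for backend, cond in s["uses"]:
            out += [f"{name}: use_backend {backend} references undefined ACL {a}" for a in cond if a not in s["acls"]]
        for acl, pats in s["acls"].items():
            if len(pats) > 1:   # repeated acl names are ORed, usually a copy-paste slip
                out.append(f"{name}: ACL {acl} matches {len(pats)} patterns (ORed): {', '.join(pats)}")
            for pat in pats:    # near misses against the hostnames really served
                for host in served_hosts:
                    if pat != host and edit_distance(pat.lower(), host.lower()) <= 2:
                        out.append(f"{name}: ACL {acl} pattern {pat} looks like a typo of {host}")
    return out


if __name__ == "__main__":
    print("\n".join(check(BROKEN_CFG, SERVED_HOSTS)))
```

Running it prints six findings for `BROKEN_CFG` (the `req.ssl_*` fetches behind `bind ... ssl`, the undefined `ACL_promox_backup`, the doubled `ACL_promox_dev`, and the three `promox` hostnames each one letter away from a served name), while `check(FIXED_CFG, SERVED_HOSTS)` returns an empty list. Treat it as a lint pass in front of `haproxy -c -f <file>`, not a replacement for it; note that the corrected version also switches the backend to `mode http` to match the frontend and keeps `ssl check verify none` on the Proxmox server, since Proxmox itself still speaks TLS on 8006.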
