Is there a way to achieve this? I'm ok to try with different protocol modes as well. Just need some guidance to route to a https URL in backend. (I don't have a static IP for the backend and cannot use an IP.)
Does it suffice to just forward the TCP payload from port 8900 of the LB IP to your destination server's port (6700)? This means the client will see the certificate of your backend server and haproxy itself does not terminate SSL (and therefore does not need a certificate).
Or do you need to rewrite HTTP Host headers, SSL SNI, or use a certificate on haproxy, therefore terminating SSL and re-encrypting the traffic towards the backend server?
Forwarding the TCP payload from port 8900 to a destination URL is what I need. The destination service is hosted on a cloud platform and doesn't have a stable IP. So I wanted to forward the payload to a URL instead of an IP and port.
This is my config, I'm using haproxy version 1.5.18.
The problem that I have is: the route to backend qa2 is working fine, as it is a static server and has a static IP.
The route to qa21 is not working. 7843-qa.apps.c1-testqa.tesdomain.org.com is getting translated to an IP, however I don't want that to happen, and the backend expects the request to be sent/forwarded to the hostname 7843-qa.apps.c1-testqa.tesdomain.org.com.
Is there a way to forward the requests to a URL with the host name? The hostname is an OpenShift hostname, and if the host name resolves to an IP, it is causing a 503 error.
The OpenShift team says I need to forward the requests to the hostname instead of the IP.
The hostname is resolved to an IP address because that is how the sockets connect to each other, from one IP address to another.
Your backend probably requires haproxy to rewrite the incoming Host header with whatever the backend expects. Try adding the hostname with the http-request set-header Host xyz directive in your backend configuration, something like:
backend blabla
    http-request set-header Host 7843-qa.apps.c1-testqa.tesdomain.org.com
    server app 7843-qa.apps.c1-testqa.tesdomain.org.com
Yes, this will require a complete reconfiguration.
You need to get an SSL certificate for 7843-qa.apps.c1-testqa.tesdomain.org.com, install it on haproxy, and use mode http instead of mode tcp. You will also have to add the ssl keyword to the backend (with a ca-file, or verify none, for SSL certificate verification).
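As an added illustration of the two replies above (this is example configuration written for this thread, not the original poster's config or anything from the HAProxy or OpenShift projects), here is a complete HAProxy 1.5.x configuration that terminates TLS on port 8900, rewrites the Host header, and re-encrypts towards the OpenShift route named in the thread. The certificate path /etc/haproxy/certs/lb.pem and the CA bundle path /etc/ssl/certs/ca-certificates.crt are placeholders; the backend name qa21 and the route hostname come from the thread.

```haproxy
# Added example for HAProxy 1.5.x (not the thread's original config).
# Placeholder paths: /etc/haproxy/certs/lb.pem, /etc/ssl/certs/ca-certificates.crt
global
    log 127.0.0.1 local0
    tune.ssl.default-dh-param 2048

defaults
    log     global
    mode    http
    option  httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend main
    # TLS is terminated here, so HAProxy presents its own certificate
    # (PEM with key + chain, placeholder path).
    bind *:8900 ssl crt /etc/haproxy/certs/lb.pem
    default_backend qa21

backend qa21
    # The OpenShift router picks the route by the HTTP Host header (and TLS SNI),
    # not by the IP address it was reached on, so the incoming Host is rewritten
    # to the route hostname before the request is forwarded.
    http-request set-header Host 7843-qa.apps.c1-testqa.tesdomain.org.com
    # Re-encrypt to the route on 443. "verify required" with a CA bundle checks the
    # route's certificate; "verify none" would accept any certificate and is the
    # weaker choice mentioned in the reply above.
    server app 7843-qa.apps.c1-testqa.tesdomain.org.com:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt check
```

Two caveats apply to the 1.5.18 version used in this thread. First, HAProxy 1.5 resolves the server hostname once at startup (runtime DNS resolvers arrived in 1.6), so a route whose IP changes needs a reload to pick up the new address. Second, HAProxy 1.5 cannot set SNI on the connection to the backend (the server-side sni keyword is also a 1.6 addition), so this setup works for edge or re-encrypt routes that the OpenShift router selects by Host header, but not for passthrough routes that depend on SNI. Health checks with "check" on an ssl server line also run over TLS, which is why a "Layer6 ... SSL handshake failure" in the logs points at the TLS setup between HAProxy and the backend rather than at the HTTP layer.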
Also, one more update I just tried is:
error for backend qa2 - Server qa2/app is DOWN, reason: Layer6 invalid response, info: "SSL handshake failure", check duration: 36ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
: backend qa2 has no server available!
J [12/Jan/2020:15:55:09.208] main qa2/ 4/-1/-1/-1/4 503 212 - - SC-- 0/0/0/0/0 0/0 "GET /" 0A3C2406:7F60_0AF1C219:1AF9_5E1B87AD_0000:21AF