HAProxy community

Multiple backend

Hello,

To be clearer in my explanation, I need to explain my infrastructure.

I have 5 virtual servers: Bitwarden, Jira, Confluence, Owncloud and the HAProxy.

I use a DNS name with my Synology NAS (like xxx.synology.me). Currently, to have access to each server, I opened each port on the router, except for Bitwarden.

Owncloud is configured on HTTPS, Bitwarden too.
Confluence and Jira use ports 9000 and 8080 over HTTP. (Jira and Confluence have a context path: /jira and /confluence.)

Currently, to access Confluence, it’s like this: https://xxx.synology.me:9000/confluence

I would like to use port 443 for all servers:

https://xxx.synology.me/confluence
https://xxx.synology.me/jira
https://xxx.synology.me/owncloud
https://xxx.synology.me/bitwarden

Currently, this is the configuration on HAProxy that I tested:

frontend www.mysite.com
    bind *:443 ssl crt /etc/ssl/private/mydomain.pem

    acl url_bitwarden path_end bitwarden
    use_backend bitwarden if url_bitwarden


    acl url_jira path_end jira
    use_backend jira if url_jira


    http-request redirect scheme https unless { ssl_fc }
    default_backend web_servers




backend bitwarden
    balance roundrobin
    server bitwarden 192.168.0.123:443 check maxconn 20 ssl verify none


backend jira
    balance roundrobin
    server jira 192.168.0.124:8080/jira check maxconn 20


backend web_servers
    balance roundrobin
    server server1 192.168.0.122:443 check maxconn 20 ssl verify none

If I try to access https://xxx.synology.me/ => I have access to Owncloud.
But https://xxx.synology.me/bitwarden is not working.
https://xxx.synology.me/jira is not working.

If I replace this line => (IP of Bitwarden)

backend web_servers
    balance roundrobin
    server server1 192.168.0.123:443 check maxconn 20 ssl verify none

I can access Bitwarden. When I use path_end, it’s not working. Something is wrong…

Can you help me? I hope it’s clear for you.

Provide the entire configuration please, defaults and global section included, as they are important.

Why would you use path_end? You should be using path_beg including the leading slash, also don’t forget “mode http” in the default sections.

frontend www.mysite.com
    mode http
    bind *:443 ssl crt /etc/ssl/private/mydomain.pem

    acl url_bitwarden path_beg /bitwarden
    use_backend bitwarden if url_bitwarden


    acl url_jira path_beg /jira
    use_backend jira if url_jira

Trying to make applications work under “sub paths” can be a fight against windmills because it requires that the application developer supports this scenario (or does not use any techniques that conflict with it).
And suddenly you may end up with e.g. a generally working application but broken links.

I’d always suggest to use a 1:1 between domains and services. So you can just point another subdomain to your Synology IP (or via CNAME to the existing hostname) and then use HAProxy frontend configuration to tell requests for different services apart (using ssl_fc_sni) and route them to their specific backend.

I agree, except for the last part: Never use SNI unless you absolutely have to. Use the Host header, that is what the Host header is for.

Using SNI will cause issues when you have SANs and different services on the same certificate.
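
The one-hostname-per-service routing on the Host header suggested in the two replies above, as an added example (not a configuration posted by anyone in this thread). The `*.example.com` hostnames, the frontend and backend names, the CA bundle path and the `verifyhost` values are assumptions; the backend IPs and ports are the ones given in the thread.

```haproxy
# Added example. The *.example.com names, the CA bundle path and the
# verifyhost values are placeholders; IPs and ports are the ones from the thread.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_main
    bind *:80
    # The certificate must cover every hostname routed below (SANs or wildcard).
    bind *:443 ssl crt /etc/ssl/private/mydomain.pem
    # Has an effect only because of the plain-HTTP bind on port 80.
    http-request redirect scheme https unless { ssl_fc }

    # Normalise Host once: strip an optional ":port" and lowercase it.
    http-request set-var(txn.host) req.hdr(host),field(1,:),lower

    use_backend bitwarden  if { var(txn.host) -m str bitwarden.example.com }
    use_backend jira       if { var(txn.host) -m str jira.example.com }
    use_backend confluence if { var(txn.host) -m str confluence.example.com }
    use_backend owncloud   if { var(txn.host) -m str owncloud.example.com }
    # Any other Host value is refused rather than handed to a default application.
    default_backend deny_unknown

backend bitwarden
    # Assumes the backend certificate is issued by the CA in ca-file and names
    # bitwarden.example.com; "verify none" would skip both checks.
    server bitwarden 192.168.0.123:443 check maxconn 20 ssl verify required ca-file /etc/ssl/certs/internal-ca.pem verifyhost bitwarden.example.com

backend jira
    # A server address is host:port only; the /jira context path stays in the
    # request URI, so the application is reached at https://jira.example.com/jira
    server jira 192.168.0.124:8080 check maxconn 20

backend confluence
    server confluence 192.168.0.121:8090 check maxconn 20

backend owncloud
    server owncloud 192.168.0.122:443 check maxconn 20 ssl verify required ca-file /etc/ssl/certs/internal-ca.pem verifyhost owncloud.example.com

backend deny_unknown
    http-request deny deny_status 403
```

The file can be syntax-checked before a reload with `haproxy -c -f <path to the config>`.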

Hello,

Can you please explain, in my case, how to use it for Bitwarden? Currently, to access Bitwarden, I need to go to https://192.168.0.123/ . How can I create a subdomain with my Synology IP? It’s just a DNS name created on Synology; I cannot modify it.

In HAProxy, is it an error to put the local IP of Bitwarden (or Jira, or …)?
Thanks! (Sorry for the delay.)

Hello, it’s solved, but I only use HAProxy for Jira and Confluence, and now everything works!

Here is the full config:

frontend www.mysite.com
    bind *:443 ssl crt /etc/ssl/private/nastrolom.pem
    mode http

    acl url_bitwarden path_beg /bitwarden
    use_backend bitwarden if url_bitwarden

    acl url_jira path_beg /jira
    use_backend jira if url_jira

    acl url_confluence path_beg /confluence
    use_backend confluence if url_confluence

    http-request redirect scheme https unless { ssl_fc }
    default_backend web_servers

backend bitwarden
    balance roundrobin
    server bitwarden 192.168.0.123:443 check maxconn 20 ssl verify none

backend confluence
    server confluence 192.168.0.121:8090/confluence check maxconn 20

backend jira
    server jira 192.168.0.124:8080/jira check maxconn 20

backend web_servers
    balance roundrobin
    server server1 192.168.0.122:443 check maxconn 20 ssl verify none