HAProxy community

Multiple port 443 backends - TCP mode


#1

Currently I'm listening on port 443 in TCP mode and my attached backend is moving the traffic to an API on port 443 on the server. No issues there.
I need to have the frontend that's listening on port 443 to now have 2 backends and an ACL that uses the second backend only when the request is servername/oauth.

This second backend will also forward to a server on port 443 (a different server, of course).

I have seen the ACL rules for HTTP requests but haven't found a good example for port 443.

Thanks for any help.


#2

TCP mode without TLS termination, I assume? You need to make sure that they don't have overlapping certificates, then you can content switch based on the SNI value, something like this:

frontend port443
    bind :443
    mode tcp
    # wait for the ClientHello (up to 5s); the SNI is in the unencrypted hello
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # route on the SNI name, case-insensitively
    use_backend backend1 if { req_ssl_sni -i backend1.example.org }
    use_backend backend2 if { req_ssl_sni -i backend2.example.org }
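
The following is an added, complete configuration illustrating the SNI-based content switching described in this reply; it is not the replier's config. Hostnames, backend addresses and timeouts are placeholders. It adds the two backends and a default_backend so that a connection with no SNI or an unknown name still has somewhere to go, and the server lines deliberately carry no `ssl` keyword: in passthrough mode HAProxy relays the TLS bytes untouched and the origin server terminates TLS with its own certificate.

```haproxy
# Added example: TLS passthrough with SNI-based routing (placeholder names/addresses).
defaults
    mode tcp
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend port443
    bind :443
    mode tcp
    # Hold the connection up to 5s waiting for the ClientHello; the SNI
    # extension is sent in the clear, so no key material is needed here.
    tcp-request inspect-delay 5s
    # Continue only once a ClientHello (TLS handshake type 1) has arrived.
    tcp-request content accept if { req_ssl_hello_type 1 }
    # req_ssl_sni reads the SNI name from the hello; -i = case-insensitive.
    use_backend backend_api   if { req_ssl_sni -i api.example.org }
    use_backend backend_oauth if { req_ssl_sni -i oauth.example.org }
    # No SNI or an unrecognised name: fall through to the API backend.
    default_backend backend_api

backend backend_api
    mode tcp
    # No "ssl" keyword: bytes are relayed as-is, the origin terminates TLS.
    server api1 10.0.0.10:443 check

backend backend_oauth
    mode tcp
    server oauth1 10.0.0.20:443 check
```

Two caveats worth keeping in mind. `req_ssl_sni` is the legacy spelling; current HAProxy documents the same fetch as `req.ssl_sni`, and either works. And SNI is a client-supplied, unauthenticated string, so this routes on what the client claims, not on anything verified: that is acceptable for passthrough because the origin's certificate check still happens end to end in the client, but it is why two services sharing one hostname cannot be told apart at this layer.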

#3

Thanks. For our architecture they are using the same cert.
Is there a way to do an ACL like so?

frontend api
    bind *:443 npn spdy/2 alpn h2,http/1.1
    mode tcp
    acl acl_oauth path -i /oauth
    use_backend backend_oauth if acl_oauth
    default_backend api_backend


#4

You can do it if the certificate is configured on HAProxy, terminating TLS there and using HAProxy in HTTP mode. Then you can just use the Host header or something like the path (matching /oauth) there.

But you have to decrypt the traffic at HAProxy to do this.

That's incorrect: you cannot use SSL features like npn or alpn when you are not terminating SSL.
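
As an added example of the terminate-and-route approach described in this reply (not the replier's or the original poster's config), below is a complete configuration that terminates TLS on HAProxy, switches on the request path in HTTP mode, and re-encrypts towards the two port-443 origins. The certificate path, CA bundle path, hostnames and addresses are placeholders. It uses `path_beg` rather than the `path` match from the earlier post so that `/oauth/token` and similar sub-paths also hit the OAuth backend; that is a design choice of this example, not something the thread states.

```haproxy
# Added example: TLS termination on HAProxy, path-based routing, re-encryption
# to port-443 origins. All paths, names and addresses are placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend api
    # The PEM (private key + leaf + chain) now lives on HAProxy, so alpn is
    # meaningful: HAProxy is the TLS endpoint negotiating the protocol.
    bind *:443 ssl crt /etc/haproxy/certs/api.example.org.pem alpn h2,http/1.1
    mode http
    # After decryption the HTTP request line is visible, so path ACLs work.
    acl acl_oauth path_beg -i /oauth
    # Tell the origins the client arrived over TLS.
    http-request set-header X-Forwarded-Proto https
    use_backend backend_oauth if acl_oauth
    default_backend api_backend

backend api_backend
    mode http
    # Re-encrypt to the origin and verify its certificate; without
    # "verify required" the HAProxy-to-origin hop accepts any certificate.
    server api1 10.0.0.10:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt verifyhost api.example.org check

backend backend_oauth
    mode http
    server oauth1 10.0.0.20:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt verifyhost oauth.example.org check
```

The important operational difference from the passthrough setup is that HAProxy now holds the private key and sees plaintext, so the box becomes part of the trust boundary; `verify required` with a `ca-file` and `verifyhost` on the server lines is what keeps the second leg from silently accepting an impostor certificate.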