Nbsrv and tcp-request connection reject not working in TCP mode

Hi,

I am using haproxy in passthrough mode (TCP). I want to stop accepting TCP connections if all my backend servers are down. I have shut down all my backend servers and backup servers to test this, but the TCP connection is still accepted, with an SSL error (Unable to establish SSL connection). I want to reject all connections to haproxy if there is no backend server.

Here is my config.

frontend xyzul-in
    bind *:443
    mode tcp
    option tcplog
    timeout client 10m
    # Layer-4 rules: evaluated right after accept(), before any payload is read,
    # so only fetches such as nbsrv() (and not SNI) are usable here.
    acl application_1_reject nbsrv(xyz-pops) eq 0
    # The posted line was "tcp-request connection reject if { req_ssl_sni -i uploadcc.xyz.com }".
    # req_ssl_sni is layer-6 data and is not available at the connection stage, so that
    # rule could never match; it is replaced with the nbsrv ACL defined above, like the others.
    tcp-request connection reject if application_1_reject
    acl application_2_reject nbsrv(xyz-pops-download) eq 0
    tcp-request connection reject if application_2_reject
    acl application_37_reject nbsrv(xyz-zmupload) eq 0
    tcp-request connection reject if application_37_reject
    acl application_38_reject nbsrv(xyz-zmdownload) eq 0
    tcp-request connection reject if application_38_reject
    acl application_41_reject nbsrv(xyz-usrec3) eq 0
    tcp-request connection reject if application_41_reject
    # Layer-6 rules: buffer up to 5s waiting for a TLS ClientHello, then route on SNI.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    acl application_1 req_ssl_sni -i uploadcc.xyz.com
    use_backend xyz-pops if application_1
    acl application_2 req_ssl_sni -i downloadcc.xyz.com
    use_backend xyz-pops-download if application_2
    acl application_37 req_ssl_sni -i upload.xyz.com
    use_backend xyz-zmupload if application_37
    acl application_38 req_ssl_sni -i download.xyz.com
    use_backend xyz-zmdownload if application_38
    acl application_41 req_ssl_sni -i rec3.xyz.com
    use_backend xyz-usrec3 if application_41

You ARE rejecting the TCP connection.

However, the listening socket is still bound and the kernel will still complete 3-way handshakes.

I think what you are asking is to disable the frontend socket in these situations, which is something that comes up every now and then, but it’s not really that easy to implement correctly.

A feature request for this has been filed here:
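To make the reply's point concrete, here is an added example (not from this thread, and not HAProxy code) that uses plain Python sockets on the loopback interface: a bound listener that closes every connection right after accept(), which is what "tcp-request connection reject" does, versus no listener at all. The client-side probe shows that with the socket bound, connect() succeeds (the kernel finished the handshake) and only the first bytes of a constructed ClientHello fail, which is exactly the "Unable to establish SSL connection" symptom; only with nothing bound does the kernel refuse the connection outright.

```python
import socket
import threading

def reject_after_accept(listener, count):
    """Stand-in for the HAProxy side: accept `count` connections and close
    each one immediately, mirroring 'tcp-request connection reject'."""
    for _ in range(count):
        conn, _addr = listener.accept()
        conn.close()

def probe(port):
    """Client side. Returns ('refused', None) if the kernel answered the SYN
    with RST, or ('accepted', data) if the 3-way handshake completed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(2)
    try:
        s.connect(("127.0.0.1", port))
    except ConnectionRefusedError:
        s.close()
        return "refused", None
    try:
        # Constructed: the first bytes of a TLS record header, enough to show
        # that the application layer (the TLS handshake) is what fails.
        s.sendall(b"\x16\x03\x01")
        data = s.recv(16)          # b"" on FIN, or a reset exception
    except (ConnectionResetError, BrokenPipeError, socket.timeout):
        data = b""
    finally:
        s.close()
    return "accepted", data

def demo():
    """Returns (result with a bound but rejecting listener, result with no listener)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # ephemeral port, like 'bind *:443'
    listener.listen(5)
    port = listener.getsockname()[1]
    t = threading.Thread(target=reject_after_accept, args=(listener, 1))
    t.start()
    bound = probe(port)               # handshake completes, then the app rejects
    t.join()
    listener.close()
    unbound = probe(port)             # same port, nothing listening: kernel refuses
    return bound[0], unbound[0]

if __name__ == "__main__":
    print(demo())   # ('accepted', 'refused')
```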