Hi guys,
I’m a bit stuck with my HAProxy config. It works perfectly fine for HTTPS and nicely redirects the traffic, and although it redirects HTTP traffic as well, I see the following error in my logs before it does, and I assume that this is the reason why my backend servers' Let's Encrypt certificate renewals fail (I need to run them with a DNS challenge to get them to renew):
Error: webservice80 webservice80/ 0/-1/-1/-1/0 301 172 - - LR-- 2/1/0/0/0 0/0 "GET /.well-known/acme-challenge
Setup:
- Dedicated HAProxy (ALOHA image) which terminates all the traffic from the net
- 3 backend servers, each with one subdomain and its own SSL cert
Here is my config:
frontend webservice80
    bind 0.0.0.0:80 name http        #alctl: listener http configuration.
    mode http                        #alctl: load balancing algorithm
    log global                       #alctl: log activation
    option httplog                   #alctl: log format
    timeout client 25s               #alctl: client inactivity timeout
    maxconn 1000                     #alctl: connections maximum
    redirect scheme https code 301 if !{ ssl_fc }

frontend webservice443
    bind 0.0.0.0:443                 #alctl: listener https configuration.
    mode tcp                         #alctl: load balancing algorithm
    log global                       #alctl: log activation
    option tcplog                    #alctl: log format
    timeout client 25s               #alctl: client inactivity timeout
    maxconn 1000                     #alctl: connections maximum
    # wait up to 5s for a TLS ClientHello, then route on the SNI it carries
    acl tls req.ssl_hello_type 1
    tcp-request inspect-delay 5s
    tcp-request content accept if tls
    acl is_game  req.ssl_sni -i game.example.com
    acl is_cloud req.ssl_sni -i cloud.example.com
    acl is_stats req.ssl_sni -i stats.example.com
    use_backend cloud_cluster if is_cloud
    use_backend game_cluster  if is_game
    use_backend stats_cluster if is_stats

backend cloud_cluster
    mode tcp
    option ssl-hello-chk
    server is_cloud 192.168.0.2:443

backend game_cluster
    mode tcp
    option ssl-hello-chk
    server is_game 192.168.0.3:443

backend stats_cluster
    mode tcp
    option ssl-hello-chk
    server is_stats 192.168.0.4:443
Any help is highly appreciated!! Thanks a ton!
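For context on the log line quoted above: the termination state "LR--" in an HAProxy HTTP log means the request was intercepted and handled locally by HAProxy (here the 301 redirect) and never reached a server, so the Let's Encrypt HTTP-01 validator is being redirected instead of fetching the challenge token. The following is an added example of an HTTP frontend that exempts the ACME path from the redirect; it is not the poster's config. It assumes the three origin servers also listen on plain HTTP port 80 and serve /.well-known/acme-challenge/ themselves, and it reuses the poster's hostnames and 192.168.0.x addresses; the backend names game_http, cloud_http and stats_http are made up for this example.

```haproxy
# Added example (not the poster's or ALOHA's config).
# Assumption: origins 192.168.0.2-4 also listen on :80 for ACME challenges.
frontend webservice80
    bind 0.0.0.0:80 name http
    mode http
    log global
    option httplog
    timeout client 25s
    maxconn 1000

    # Requests issued by the ACME validation server during HTTP-01
    acl is_acme path_beg /.well-known/acme-challenge/

    # Pick the origin that owns the name being validated (Host header)
    acl host_game  hdr(host) -i game.example.com
    acl host_cloud hdr(host) -i cloud.example.com
    acl host_stats hdr(host) -i stats.example.com

    # redirect rules are evaluated before use_backend, so the exemption
    # must live on the redirect itself; everything else still goes to HTTPS.
    # (ssl_fc is always false on a plain :80 listener, so it adds nothing here.)
    redirect scheme https code 301 unless is_acme

    use_backend game_http  if is_acme host_game
    use_backend cloud_http if is_acme host_cloud
    use_backend stats_http if is_acme host_stats

backend game_http
    mode http
    timeout connect 5s
    timeout server 25s
    server game 192.168.0.3:80

backend cloud_http
    mode http
    timeout connect 5s
    timeout server 25s
    server cloud 192.168.0.2:80

backend stats_http
    mode http
    timeout connect 5s
    timeout server 25s
    server stats 192.168.0.4:80
```

After reloading, a successful validation shows up in the HTTP log with the backend name (for example game_http) and a 200 from the origin instead of "webservice80/<NOSRV>" and a 301 with "LR--"; `haproxy -c -f <config>` checks the syntax before the reload. Only the challenge path is exempted, so normal HTTP traffic keeps getting the 301.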