Newbie - Several backends - not redirecting correctly


#1

Hello,

First of all I need to inform you that I'm fairly new to HAProxy, and am no master at it :slight_smile:

The HAProxy setup consists of 2 nodes, running HAProxy and Keepalived with a floating IP.

Node01: 192.168.62.98
Node02: 192.168.62.99
Floating: Node01: 192.168.62.100
Exchange Server: 192.168.60.86
V-Center: 192.168.61.100 (VESXI.DOMAIN.COM)

We have 1 public IP address, and want to use port 443 for several purposes (Exchange, VMware, RDS Gateway, etc…)

About a month ago we moved the Exchange HTTPS to go through the HAProxy setup, and it worked like a charm! When we tried moving the V-Center server to also go through the V-Center, we realized that when trying to access the V-Center server on a hostname, we were redirected to the Exchange OWA.

I'm 100% sure that it's a configuration failure at our end, and I'm pretty sure it's because of the frontend setup in the haproxy.cfg.
I'm sorry to have to disturb you regarding this, but I can't figure out how to solve it.

Note - the domain has been replaced with domain.com for security reasons.

Config:

###################################################################################################

FRONTEND - FRONTEND - FRONTEND - FRONTEND - FRONTEND - FRONTEND - FRONTEND - FRONTEND - FRONTEND

###################################################################################################

frontend Exchange_WWW_Frontend
mode tcp
bind 192.168.62.100:443
default_backend BCK_Exchange_HTTPS
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend BCK_RDS_HTTPS if { req_ssl_sni -i remote.domain.com }
use_backend BCK_OWNCLOUD_HTTPS if { req_ssl_sni -i oc.domain.com }
use_backend BCK_APP_HTTPS if { req_ssl_sni -i vmm.domain.com }
use_backend BCK_VCENTER_WEB if { req_ssl_sni -i vesxi.domain.com }
option tcp-smart-accept

###################################################################################################

BACKEND - BACKEND - BACKEND - BACKEND - BACKEND - BACKEND - BACKEND - BACKEND - BACKEND - BACKEND

###################################################################################################

backend BCK_Exchange_HTTPS
mode tcp
retries 3
timeout server 300s
timeout connect 10s
server S1EXCH02 192.168.60.86:443 check #ssl verify none

backend BCK_RDS_HTTPS
mode tcp
retries 3
timeout server 300s
timeout connect 10s
server S1TSGW02 192.168.62.80:443 check #ssl verify none

backend BCK_OWNCLOUD_HTTPS
mode tcp
retries 3
timeout server 300s
timeout connect 10s
server S1OC02 192.168.60.87:443 check #ssl verify none

backend BCK_APP_HTTPS
mode tcp
retries 3
timeout server 300s
timeout connect 10s
server S1APP01 192.168.62.81:443 check #ssl verify none

backend BCK_VCENTER_WEB
mode tcp
retries 3
timeout server 300s
timeout connect 10s
server S1VC01 192.168.61.100:443 check #ssl verify none

Thanks in advance


#2

Are you positive your browser accesses those exact hostnames (e.g. https://vesxi.domain.com/), not the IP address, and that your browser supports sending SNI (no IE6 or Windows XP)?

I would put the default_backend directive after the use_backend setting, because the “default” backend should be defined last, just for readability. I don’t think it's required though.


#3

Hello,

Thank you for your reply :slight_smile:

I'm positive that they / I access it through a hostname - and using the latest browsers (Chrome, Firefox, Edge - all updated).

I've tried to move the default backend after I posted this, and before you replied - but it did nothing good :frowning:


#4

Can you provide the output of haproxy -vv? Also, I suggest you tcpdump the SSL handshake on the haproxy box, to see if the client_hello really contains the server name. I don’t see anything wrong with the configuration itself.


#5

Hello Lukas,

Thanks again for taking the time to try to resolve this issue :slight_smile:

haproxy -vv

HA-Proxy version 1.6.3 2015/12/25
Copyright 2000-2015 Willy Tarreau willy@haproxy.org

Build options :
TARGET = linux2628
CPU = generic
CC = gcc
CFLAGS = -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2
OPTIONS = USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.8
Compression algorithms supported : identity(“identity”), deflate(“deflate”), raw-deflate(“deflate”), gzip(“gzip”)
Built with OpenSSL version : OpenSSL 1.0.2g-fips 1 Mar 2016
Running on OpenSSL version : OpenSSL 1.0.2g-fips 1 Mar 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.38 2015-11-23
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with Lua version : Lua 5.3.1
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.

I'm not sure how to perform a tcpdump of the SSL handshake… could you please provide me with a method to achieve this?


#6

On the haproxy box, start the trace:
tcpdump -pns0 -w ssltrace.cap -i eth0 host 192.168.62.100 and tcp port 443

Then open your browser and go to the HTTPS site to generate traffic.

Stop the trace with Ctrl-C and download ssltrace.cap to your PC. Open ssltrace.cap with Wireshark and check the server_name value in the client_hello packet. That should reveal if the server_name is correct or not.

You can also share the packet capture with us, but you would probably disclose your real domain name at this point.
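As an added example (not code from the thread), here is a small Python parser for the check described in post #6: it pulls server_name out of a buffered TLS ClientHello and applies the use_backend map from the frontend in post #1, falling back to the default backend whenever the buffer holds no usable SNI; build_client_hello constructs its own test input, and the backend names are the ones from the posted config.

```python
import struct

# Backend map from the frontend in post #1 (lowercased: "-i" matches case-insensitively)
BACKENDS = {
    "remote.domain.com": "BCK_RDS_HTTPS",
    "oc.domain.com": "BCK_OWNCLOUD_HTTPS",
    "vmm.domain.com": "BCK_APP_HTTPS",
    "vesxi.domain.com": "BCK_VCENTER_WEB",
}
DEFAULT_BACKEND = "BCK_Exchange_HTTPS"

def build_client_hello(host):
    """Build a minimal TLS 1.2 ClientHello record whose only extension is SNI (constructed test input)."""
    name = host.encode("ascii")
    name_list = b"\x00" + struct.pack("!H", len(name)) + name          # host_name type + length + name
    ext_body = struct.pack("!H", len(name_list)) + name_list
    ext = struct.pack("!HH", 0, len(ext_body)) + ext_body              # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                        # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                         # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(data):
    """Return the server_name from a fully buffered ClientHello, or None when the
    buffer is empty, truncated, not a ClientHello, or carries no SNI extension."""
    try:
        # Must be a Handshake record (0x16) of type client_hello (1) that is completely buffered
        if data[0] != 0x16 or data[5] != 0x01 or len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
            return None
        p = 9 + 2 + 32                                                # skip handshake header, version, random
        p += 1 + data[p]                                              # session id
        p += 2 + struct.unpack("!H", data[p:p + 2])[0]                # cipher suites
        p += 1 + data[p]                                              # compression methods
        ext_end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", data[p:p + 4])
            p += 4
            if etype == 0:                                            # server_name: list_len(2) type(1) len(2) name
                name_len = struct.unpack("!H", data[p + 3:p + 5])[0]
                return data[p + 5:p + 5 + name_len].decode("ascii").lower()
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None

def route(data):
    """Mimic the frontend's use_backend rules: an SNI match wins, otherwise the default_backend."""
    return BACKENDS.get(extract_sni(data), DEFAULT_BACKEND)
```

The truncated-buffer case is the one to watch in HAProxy too: req_ssl_sni only yields a value once the ClientHello has been buffered, which requires a tcp-request inspect-delay in the frontend, and without one the content rules are evaluated on whatever has arrived so far (often nothing), so the default_backend wins.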


#7

Hello,

I've used the following command, because I have an ens160 adapter (VMXNET3) instead of eth0:
tcpdump -pns0 -w ssltrace.cap -i ens160 host 192.168.62.100 and tcp port 443

I've created the tcpdump, and to me it looks correct…

Any other thoughts?


#8

Hello again,

I've just tried booting up a new virtual machine, and edited the Windows hosts file, so that all the “backend” records point to the HAProxy setup.

And when trying to access both oc.domain.com and remote.domain.com, I also get redirected to the Exchange server…

I'm not sure I've understood HAProxy correctly… but what I want to achieve is to be able to use, for example, port 443 to serve several servers - which I believe I've enabled by entering the if { sni -i } parameter in the configuration file.
But is there a smarter way to achieve this?