Random 503 Issue between ADFS Backends on HAProxy 2.8

Hello everyone,

I am encountering a peculiar issue with my HAProxy 2.8 setup on Ubuntu 24.04. I have two separate backends for ADFS: one for production (adfs) and one for staging (adfsstg). Both backends work fine individually, but I am experiencing random failover issues between them. When one backend is operational, the other intermittently returns a 503 “Service Unavailable” error, and vice versa.

HAProxy Configuration:

frontend https
  bind {{ip_virtual_keepalived1}}:443 ssl crt {{wildcard_2023_2024}}
  mode http
  redirect scheme https if !{ ssl_fc }
  use_backend {{backend_passwordreset}} if { hdr(host) -i {{sitename_passwordreset}} }
  use_backend {{backend_adfs}} if { hdr(host) -i {{sitename_adfs}} }
  use_backend {{backend_adfsstg}} if { hdr(host) -i {{sitename_adfsstg}} }
  use_backend {{backend_tagetikprod}} if { hdr(host) -i {{sitename_tagetikprod}} }
  use_backend {{backend_tagetiktest}} if { hdr(host) -i {{sitename_tagetiktest}} }
  use_backend {{backend_jiratest}} if { hdr(host) -i {{sitename_jiratest}} }
  use_backend {{backend_confluencetest}} if { hdr(host) -i {{sitename_confluencetest}} }
  use_backend {{backend_jiraprod}} if { hdr(host) -i {{sitename_jiraprod}} }
  use_backend {{backend_confluenceprod}} if { hdr(host) -i {{sitename_confluenceprod}} }

Backend ADFS:

backend {{backend_adfs}}
  balance roundrobin
  mode http
  http-request deny if !{ src -f {{acl_offices}} } !{ src -f {{acl_external_adfs}} }
  acl red_adfs_prd path -i /
  acl domain_adfs_prd hdr(host) -i adfs.example.com
  redirect code 301 location https://adfs.example.com/adfs/ls/IdpInitiatedSignOn.aspx if domain_adfs_prd red_adfs_prd
  server {{name_adfs_server1}} {{ip_adfs_server1}}:{{port_adfs_server1}} ssl verify none check check-sni adfs.example.com sni ssl_fc_sni inter 3s rise 2 fall 3
  server {{name_adfs_server2}} {{ip_adfs_server2}}:{{port_adfs_server2}} ssl verify none check check-sni adfs.example.com sni ssl_fc_sni inter 3s rise 2 fall 3

Backend ADFS STG:

backend {{backend_adfsstg}}
  balance roundrobin
  mode http
  http-request deny if !{ src -f {{acl_offices}} }
  acl red_adfs_stg path -i /
  acl domain_adfs_stg hdr(host) -i adfsstg.example.com
  redirect code 301 location https://adfsstg.example.com/adfs/ls/IdpInitiatedSignOn.aspx if domain_adfs_stg red_adfs_stg
  server {{name_adfsstg_server1}} {{ip_adfsstg_server1}}:{{port_adfsstg_server1}} ssl verify none check check-sni adfsstg.example.com sni ssl_fc_sni inter 3s rise 2 fall 3
  server {{name_adfsstg_server2}} {{ip_adfsstg_server2}}:{{port_adfsstg_server2}} ssl verify none check check-sni adfsstg.example.com sni ssl_fc_sni inter 3s rise 2 fall 3

Issues Observed:

  1. When adfs is operational, adfsstg returns a 503 error and vice versa.
  2. The 503 error appears randomly and is not consistent.
  3. I have verified that SSL certificates and network configurations are correct.

I need assistance in identifying the cause of this erratic behavior. Are there any specific configurations I might have overlooked or known issues with the HAProxy version I am using?
I have several other backends configured and this only happens with ADFS.

Thank you in advance for your help!

http://docs.haproxy.org/2.8/configuration.html#5.2-sni

The “sni” parameter evaluates the sample fetch expression, converts it to a string and uses the result as the host name sent in the SNI TLS extension to the server. A typical use case is to send the SNI received from the client in a bridged TCP/SSL scenario, using the “ssl_fc_sni” sample fetch for the expression. THIS MUST NOT BE USED FOR HTTPS, where req.hdr(host) should be used instead, since SNI in HTTPS must always match the Host field and clients are allowed to use different host names over the same connection).

You need to replace sni ssl_fc_sni with sni req.hdr(host) on the backend server lines.

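Added example for this thread (not HAProxy tooling and not the poster's config): a small lint that walks a config, tracks each section's mode, and flags every server line that sends the client's SNI (sni ssl_fc_sni) to an HTTP-mode backend, printing the req.hdr(host) form the answer recommends. The sample config is constructed from the thread's backends with placeholder names and addresses, plus a TCP passthrough backend to show that those are not flagged.

```python
import re

# Constructed sample, trimmed from the thread's config: an HTTP backend with the
# problematic 'sni ssl_fc_sni', and a TCP passthrough backend where it is fine.
SAMPLE_CFG = """\
backend adfs
  mode http
  balance roundrobin
  server adfs1 10.0.0.11:443 ssl verify none check check-sni adfs.example.com sni ssl_fc_sni
  server adfs2 10.0.0.12:443 ssl verify none check check-sni adfs.example.com sni ssl_fc_sni
backend ldap_passthrough
  mode tcp
  server dc1 10.0.0.21:636 ssl verify none sni ssl_fc_sni
"""

SECTION_RE = re.compile(r"^(defaults|frontend|backend|listen)\b")
# Lookbehind keeps 'check-sni <name>' from matching; only the server 'sni' param does.
BAD_SNI_RE = re.compile(r"(?<![\w-])sni\s+ssl_fc_sni\b")

def find_bad_sni(config: str) -> list:
    """Return [(line_no, section, server_name)] for each 'server' line that
    forwards the client's SNI while its section runs in HTTP mode."""
    findings, kind, section, mode, default_mode = [], None, None, "tcp", "tcp"
    for no, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        tok = line.split()
        if not tok or tok[0].startswith("#"):
            continue
        if SECTION_RE.match(line):          # new section inherits the defaults mode
            kind, section = tok[0], (tok[1] if len(tok) > 1 else tok[0])
            mode = default_mode
        elif tok[0] == "mode":
            mode = tok[1]
            if kind == "defaults":          # 'mode' in defaults applies to later sections
                default_mode = mode
        elif tok[0] == "server" and mode == "http" and BAD_SNI_RE.search(line):
            findings.append((no, section, tok[1]))
    return findings

def fix_line(line: str) -> str:
    """Rewrite 'sni ssl_fc_sni' to the Host-header form; 'check-sni' is untouched."""
    return BAD_SNI_RE.sub("sni req.hdr(host)", line)

if __name__ == "__main__":
    lines = SAMPLE_CFG.splitlines()
    for no, section, name in find_bad_sni(SAMPLE_CFG):
        print(f"line {no} [{section}/{name}]: {lines[no - 1].strip()}")
        print(f"  -> {fix_line(lines[no - 1]).strip()}")
```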

Hi Lukastribus, you are the best!!! Thank you very much, you have solved my problem :blush:
