Random ACL mismatch

Hey there,

I’m running haproxy 2.0.14-1~bpo10+1 2020/04/16.

I’m encountering an error where in one request all ACLs work just fine, and if I or someone else reloads the site or connects for the first time, the ACLs won’t work anymore.
This is random. Sometimes it works, sometimes it doesn’t.

I’m not running any SSL/TLS certificate on the haproxy.

I’m not sure what can cause this.
Here’s my config:

global
        log /dev/log    local0 info
        log /dev/log    local1 info
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
#       ca-base /etc/ssl/certs
#       crt-base /etc/ssl/private

        # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http
frontend server_http
        bind *:80

        #acl's

                ##sahnee public stuff
                #sahnee.de
                acl is_sahneedehttp hdr(host) -i sahnee.de
                acl is_sahneedehttp1 hdr(host) -i www.sahnee.de

                #sahnee.dev
                acl is_autodiscover hdr(host) -m beg -i autodiscover.sahnee.dev
                acl is_autodiscover2 hdr(host) -i autodiscover.sahnee.dev
                acl is_autodiscover3 hdr_beg(host) -i autodiscover.sahnee.dev
                acl is_autodiscover4 hdr(host) -m sub -i Autodiscover.xml
                acl is_autodiscover5 hdr(host) -m dom -i autodiscover.sahnee.dev
                acl is_sahneedevhttp hdr(host) -i sahnee.dev
                acl is_sahneedevhttp1 hdr(host) -i www.sahnee.dev
                ##sahnee internal stuff

                ##other stuff

        #custom backends
        use_backend autodiscover_http if is_autodiscover
        use_backend autodiscover_http if is_autodiscover2
        use_backend autodiscover_http if is_autodiscover3
        use_backend autodiscover_http if is_autodiscover4 or is_autodiscover5
        use_backend sahneeserverhttp if is_sahneedevhttp or is_sahneedevhttp1 or is_sahneedehttp or is_sahneedehttp1
        #Default Backend
        default_backend hosting_defaulthttp

frontend server_https
        mode tcp
        bind *:443
        option tcplog
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }

        #acl's

                ##sahnee stuff
                acl is_sahneedev req_ssl_sni -i sahnee.dev
                acl is_sahneedev1 req_ssl_sni -i www.sahnee.dev
                acl is_sahneede req_ssl_sni -i sahnee.de
                acl is_sahneede1 req_ssl_sni -i www.sahnee.de
                acl is_autodiscover req.ssl_sni -m beg -i autodiscover.sahnee.dev
                acl is_autodiscover2 req.ssl_sni -i autodiscover.sahnee.dev
                acl is_autodiscover3 req.ssl_sni -m sub -i Autodiscover.xml
                ##sahnee internal stuff
                acl is_vault req.ssl_sni -i vault.sahnee.internal
                ##other stuff

        #other backends
        use_backend vault_https if is_vault
        use_backend sahneeserverhttps if is_sahneedev or is_sahneedev1 or is_sahneede or is_sahneede1
        use_backend autodiscover_https if is_autodiscover or is_autodiscover2 or is_autodiscover3

        #Default Backend
        default_backend hosting_defaulthttps

backend hosting_defaulthttp
        http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
        server websrv02 10.12.10.118

backend hosting_defaulthttps
        mode tcp
        server websrv02https 10.12.10.118

backend sahneeserverhttps
        mode tcp
        server websrv01 10.12.10.10

backend sahneeserverhttp
        server websrv01 10.12.10.10

#internal servers
backend autodiscover_http
        server exchange_http 10.11.10.106

backend autodiscover_https
        mode tcp
        server exchange_https 10.11.10.106

backend vault_https
        mode tcp
        server vault 10.11.10.105:8200

So far I think I’ve tried a whole lot…
That’s why some things look strange and the autodiscover ACLs are mixed up.

Thanks ahead for any help

Which ACLs are not working? Have you checked the logs? Have you taken out all the other ACLs and worked with only the ones that are failing, to drill down? From the above description, it is not clear what is failing. It is only your config file.

@void_in
Oh silly me…

The ACLs that don’t work are in the frontend server_http: is_autodiscover to is_autodiscover5.
None of them works, that’s why there are so many.
I would prefer only one or two, but yeah…

Is autodiscover run over http or https? If it is https, you need to terminate the connection on HAProxy before you are able to read the host header.

If it is indeed plain http, what happens with the following

frontend server_http
bind *:80
mode http
option httplog
acl is_autodiscover hdr(host) -i autodiscover.sahnee.dev
use_backend autodiscover_http if is_autodiscover
default_backend hosting_defaulthttp

backend hosting_defaulthttp
http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
server websrv02 10.12.10.118

backend autodiscover_http
server exchange_http 10.11.10.106:80 check

If it fails, take a look at the logs as well as a tcpdump of the traffic. Since it is http, examine the Host header of the HTTP packet and see if it is indeed autodiscover.sahnee.dev.

Take out all the other configs and test with the plain http autodiscover first.
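Both replies above point at the logs: the httplog line HAProxy writes for every request names the frontend, the backend/server it was routed to, the status code and the termination state, so a "random" ACL mismatch shows up as the same Host being sent to different backends. The parser below is an added example (not code from the thread or from the HAProxy project) that reads such lines and groups them by Host and backend. It assumes the frontend also has `capture request header Host len 64` (a standard HAProxy directive), which makes the captured Host appear in braces before the request line; without that capture the Host field is absent and the host-based report stays empty. The log lines are constructed for the example, not taken from the original poster's system.

```python
"""Group HAProxy httplog lines by Host header and backend to spot
non-deterministic routing. Added example, not from the thread or HAProxy.

Assumed frontend setting: `capture request header Host len 64`, which puts the
Host value in braces ("{autodiscover.sahnee.dev}") before the request line.
"""
import re
from collections import defaultdict

# Field order of the httplog format (HAProxy Configuration Manual, 8.2.3):
# client:port [accept_date] frontend backend/server Tq/Tw/Tc/Tr/Tt status bytes
# req_cookie resp_cookie termination_state conns queues {req hdrs} {resp hdrs} "request"
HTTPLOG_RE = re.compile(
    r'haproxy\[(?P<pid>\d+)\]: '
    r'(?P<client>\S+) \[(?P<accept>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<timers>[\d/-]+) (?P<status>-?\d+) (?P<bytes>\d+) '
    r'(?P<req_cookie>\S+) (?P<resp_cookie>\S+) (?P<term>\S{4}) '
    r'(?P<conns>[\d/]+) (?P<queues>[\d/]+) '
    r'(?:\{(?P<host>[^}]*)\} )?'   # captured request headers (only with a capture line)
    r'(?:\{[^}]*\} )?'             # captured response headers, if any
    r'"(?P<request>[^"]*)"'
)


def parse_httplog(line):
    """Return the named fields of one httplog line, or None if it is not one."""
    m = HTTPLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["status"] = int(rec["status"])
    return rec


def routing_report(lines):
    """Map each captured Host (lower-cased) to the sorted list of backends that served it."""
    by_host = defaultdict(set)
    for line in lines:
        rec = parse_httplog(line)
        if rec is None or rec["host"] is None:
            continue
        by_host[rec["host"].lower()].add(rec["backend"])
    return {host: sorted(backends) for host, backends in by_host.items()}


def inconsistent_hosts(lines):
    """Hosts routed to more than one backend: the rule set is not applied deterministically."""
    return sorted(h for h, b in routing_report(lines).items() if len(b) > 1)


def haproxy_pids(lines):
    """Distinct haproxy PIDs that wrote log lines; more than one can mean a parallel instance."""
    return {rec["pid"] for rec in map(parse_httplog, lines) if rec is not None}


# Constructed sample log lines for the example (not from the poster's server).
SAMPLE_LOG = [
    'Jul 13 10:00:01 gw haproxy[1201]: 203.0.113.5:51234 [13/Jul/2020:10:00:01.101] server_http '
    'autodiscover_http/exchange_http 0/0/1/12/13 200 2301 - - ---- 3/3/0/0/0 0/0 '
    '{autodiscover.sahnee.dev} "POST /autodiscover/autodiscover.xml HTTP/1.1"',
    'Jul 13 10:00:07 gw haproxy[1198]: 203.0.113.5:51240 [13/Jul/2020:10:00:07.410] server_http '
    'hosting_defaulthttp/websrv02 0/0/1/4/5 404 512 - - ---- 2/2/0/0/0 0/0 '
    '{autodiscover.sahnee.dev} "POST /autodiscover/autodiscover.xml HTTP/1.1"',
    'Jul 13 10:00:09 gw haproxy[1201]: 198.51.100.7:40022 [13/Jul/2020:10:00:09.002] server_http '
    'sahneeserverhttp/websrv01 0/0/0/8/8 200 10230 - - ---- 2/2/0/0/0 0/0 '
    '{www.sahnee.de} "GET / HTTP/1.1"',
    'Jul 13 10:00:11 gw haproxy[1201]: 198.51.100.7:40023 [13/Jul/2020:10:00:11.330] server_http '
    'autodiscover_http/<NOSRV> 0/-1/-1/-1/0 503 212 - - SC-- 1/1/0/0/0 0/0 '
    '{autodiscover.sahnee.dev} "GET /autodiscover/autodiscover.xml HTTP/1.1"',
]

if __name__ == "__main__":
    for host, backends in sorted(routing_report(SAMPLE_LOG).items()):
        print(f"{host:30} -> {', '.join(backends)}")
    print("inconsistently routed:", inconsistent_hosts(SAMPLE_LOG))
    print("haproxy PIDs seen:", sorted(haproxy_pids(SAMPLE_LOG)))
```

Feed it `grep haproxy /var/log/haproxy.log` (or `journalctl -u haproxy`) instead of the sample list. A Host that appears under two backends, or two different PIDs writing lines at the same time, is the evidence the thread ends up asking for; a `<NOSRV>` server with a `SC--` termination state means the ACL did match but the chosen backend had no usable server.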

Autodiscover runs via HTTP and HTTPS.
I will try this configuration and tell you what happens.

I’m encountering a strange error/misbehaviour.

I’ve now commented out every ACL, frontend and backend except for the autodiscover ones. But all other services are still available?!
I even get entries to the haproxy log.

I’m not an expert, but how can haproxy apply rules that don’t exist?

Just to clarify. I edit /etc/haproxy/haproxy.conf and after I finished editing I test my config with sudo haproxy -f /etc/haproxy/haproxy.cfg -c and afterwards I restart the service systemctl restart haproxy.

I think either I messed up something here or my haproxy is just broken or something like that…

Sounds to me like you have a parallel instance running in the background with an old configuration.

I suggest you stop haproxy

systemctl stop haproxy

Then try if something is still responding. If it is, you have another instance running. Kill all remaining haproxy processes and start it cleanly.
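A second instance explains the randomness, not just the stale rules: HAProxy binds its listeners with SO_REUSEPORT on Linux, so an old process and a new one can both accept on :80 and :443 and the kernel spreads incoming connections between them, which is exactly "sometimes it works, sometimes it doesn't". The check below is an added example (not from the thread or the HAProxy project) that parses `ss -ltnp` output and reports ports owned by more than one PID, plus any haproxy PID still listening after `systemctl stop haproxy`. The `ss` output embedded here is constructed for the example.

```python
"""Detect a parallel HAProxy instance from `ss -ltnp` output.
Added example, not code from the thread or from HAProxy.

Run `ss -ltnp` before and after `systemctl stop haproxy` and feed the text to
the functions below; a port with two PIDs, or a haproxy PID left after the
stop, is the parallel instance the last reply describes.
"""
import re

# One process entry inside ss's users:(("comm",pid=N,fd=M),...) column.
USER_RE = re.compile(r'\("(?P<comm>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)')


def parse_ss_listeners(ss_output):
    """Return {port: {(comm, pid), ...}} for every LISTEN row of `ss -ltnp` text.
    Two SO_REUSEPORT sockets on one port appear as two rows; a socket inherited
    across a reload appears as one row with two users. Both are merged here."""
    owners = {}
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # skip the header and non-listening rows
        port = int(cols[3].rsplit(":", 1)[1])  # handles 0.0.0.0:80, [::]:443, *:80
        procs = {(m.group("comm"), int(m.group("pid"))) for m in USER_RE.finditer(line)}
        owners.setdefault(port, set()).update(procs)
    return owners


def shared_ports(ss_output, ports=(80, 443)):
    """Ports of interest that are owned by more than one PID, with their owners."""
    owners = parse_ss_listeners(ss_output)
    result = {}
    for port in ports:
        procs = owners.get(port, set())
        if len({pid for _, pid in procs}) > 1:
            result[port] = sorted(procs)
    return result


def still_listening(ss_output, comm="haproxy"):
    """PIDs of `comm` that still hold a listening socket; run this after the stop."""
    pids = set()
    for procs in parse_ss_listeners(ss_output).values():
        pids.update(pid for c, pid in procs if c == comm)
    return sorted(pids)


# Constructed `ss -ltnp` output: two haproxy PIDs each bound to :80 and :443.
SS_BEFORE_STOP = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port Process
LISTEN  0       128     0.0.0.0:80          0.0.0.0:*        users:(("haproxy",pid=1201,fd=7))
LISTEN  0       128     0.0.0.0:80          0.0.0.0:*        users:(("haproxy",pid=1198,fd=7))
LISTEN  0       128     0.0.0.0:443         0.0.0.0:*        users:(("haproxy",pid=1201,fd=8))
LISTEN  0       128     0.0.0.0:443         0.0.0.0:*        users:(("haproxy",pid=1198,fd=8))
LISTEN  0       128     [::]:22             [::]:*           users:(("sshd",pid=800,fd=3))
"""

# Constructed output after `systemctl stop haproxy`: the unit's process is gone,
# but the stray PID 1198 (not managed by systemd) still answers on both ports.
SS_AFTER_STOP = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port Process
LISTEN  0       128     0.0.0.0:80          0.0.0.0:*        users:(("haproxy",pid=1198,fd=7))
LISTEN  0       128     0.0.0.0:443         0.0.0.0:*        users:(("haproxy",pid=1198,fd=8))
LISTEN  0       128     [::]:22             [::]:*           users:(("sshd",pid=800,fd=3))
"""

if __name__ == "__main__":
    print("ports with several owners:", shared_ports(SS_BEFORE_STOP))
    print("haproxy PIDs still listening after stop:", still_listening(SS_AFTER_STOP))
```

If `still_listening` is non-empty after the stop, that PID is the instance to kill before starting the service cleanly; a second owner on :80 or :443 that is not haproxy at all (another web server, for instance) would show up in `shared_ports` the same way.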