Redirect Subdomains to multiple backends

Hey Guys,
i am from Germany and need your help… I am new to HAProxy.
I tried the folowing setup and failed hardly, i read through this forum and through the documentation, and cant really figure out, what my problem is.

Following Scenario:
We have multiple Sites. All Sites have a Synology NAS (DDNS) behind a Firewall. We want people to access the Synology Photostation, without getting easily the IP of the Site.
We have one main Site with a PfSense Firewall. The IP Adress of this Site is not rly Critical, so we can expose this IP.

Lets take for given:
Site 1: Main Site with domain
Site 2:
Site 3:
Site 4:
Site 5:
Site 6:
Site 7:
So our preffered Route would be:

The Customer types: → PfSenseFirewall → HAProxy →

All Firewalls have been configured correctly and also have been NATTED (Where it needed to be done). I am quite familiar with Firewalls and rules, so the issue is not here.

We configured the PfSense HAProxy Frontend like this:

WANadress Port 443 with SSL Offloading

ACL Frontend: use Backend site2 use Backend site3 use Backend site4 use Backend site5 use Backend site6 use Backend site7

We configured multiple Backends like this:

Backend Site2:

Server Port 12345 Encrypt SSL Name Site2

Thats it…
We either dont get a connection at all, or when we play arround with the settings we get a Error 400.

I really thought it would be just as “easy” as it sounds… but thats why i am here now, to learn how it should be done correctly :slight_smile:

Pls tell me what you think about it, what you would do different (and why), and where my thinking is wrong :slight_smile:

Mahlzeit and Hello,

We have a very similar problem that the ACL’s don’t seem to work at all or that we get a Error 400.

If no ACL’s are activated in TCP mode and only one Backend is Used it works just fine, same for HTTP-mode if just one backend is specified as a default backend. As soon as we change from TCP mode to HTTP and activate the ACL’s with the following config the ACL’s dont seem to filter the subdomain. All traffic is lost and nothing reaches the backends. The backend servers are reachable over localhost and the external interface.

frontend site1_stuff
mode http
bind :443
acl host_server1 hdr(host) -i site1.domain.tld
acl host_server2 hdr(host) -i site2.domain.tld
use_backend server1 if host_server1
use_backend server2 if host_server2

backend server1
mode http
server backend1 check

backend server2
mode http
server backend1 check

The HAProxy errorlog shows us this:

timestamp hostname1 haproxy[2741]: [xx/xxx/2023:06:27:21.783] site1_stuff site1_stuff/ -1/-1/-1/-1/0 400 0 - - PR-- 1/1/0/0/0 0/0 “”

We really can’t figure out what is going wrong.

Thanks for any advice in advance.