Reverse Proxy - Hide port in response

Hello everybody,

I am trying to use haproxy to redirect traffic based on the URL to different Traefik instances in Docker containers.

The goal is to overcome shortcomings of Traefik in handling multiple DNS challenge configurations within one instance.

My problem:

The goal:

Thank you very much for any help with this!

Configurations and Setup:

The setup looks like this:

                             +----------+
                             |          |
+----------------------+     | ATraefik |
|                      |     |          |
|          ADomain.com +<--->+----------+
|haproxy               |
|          BDomain.com +<--->+----------+
|                      |     |          |
+----------------------+     | BTraefik |
                             |          |
                             +----------+

frontend https_in
    bind *:443

    acl host_a hdr(host) -i ADomain.com
    acl host_b hdr(host) -i BDomain.com

    use_backend a_websecure if host_a
    use_backend b_websecure if host_b

backend a_websecure
    server a_traefik a_traefik:444

backend b_websecure
    server b_traefik b_traefik:445

There is no Host header accessible here, because you are passing SSL through.

So you need to have non-overlapping certificates and route based on SNI, like:

frontend https_in
    bind *:443

    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    acl host_a req_ssl_sni -i ADomain.com
    acl host_b req_ssl_sni -i BDomain.com

    use_backend a_websecure if host_a
    use_backend b_websecure if host_b

Thank you very much for your help. This brought me a big step closer to the solution. I managed to make it work with one domain with the following setup.

frontend https_in
    bind *:443
    mode tcp
    default_backend a_websecure

Then all SSL handling is done by the Traefik container in the backend.

When I try to work with the ACL like @lukastribus suggested, SSL seems to be handled by haproxy with errors.

Minimal config:

frontend https_in
    bind *:443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    acl host_a ssl_fc-sni -i ADomain.com
    use_backend a_websecure if host_a

curl -kv https://Adomain.com

*   Trying 78.46.70.220:443...
* Connected to ADomain.com (78.46.70.220) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to ADomain.com:443 
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to ADomain.com

Any help is appreciated. Thank you in advance.

Sorry, I mixed up the keywords.

Please use req_ssl_sni instead, so

acl host_a req_ssl_sni -i ADomain.com

This actually worked, but I haven't quite yet reached my goal, as I want to serve various services on subdomains of these domains.

If I understand the documentation correctly, it is not possible to have a wildcard match like:

acl host_a req_ssl_sni -i *.ADomain.com

Am I correct? Is there a work around?

-m end can be used for this (first ACL line is used for the exact match of ADomain.com, second line for all subdomains):

acl host_a req_ssl_sni -i ADomain.com
acl host_a req_ssl_sni -i -m end .ADomain.com

This is important because -m end ADomain.com would match other domains such as HowAboutADomain.com.

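Added example, not code from anyone in this thread: the Python script below does in miniature what haproxy's req_ssl_sni fetch does in a `mode tcp` frontend (the earlier answer's point that there is no Host header to route on, only the server_name in the still-plaintext ClientHello) and then applies the two ACL lines from the last answer: an exact match on ADomain.com plus a dot-anchored `-m end .ADomain.com` for its subdomains, next to the bare `-m end ADomain.com` that also matches HowAboutADomain.com. The ClientHello records are constructed sample input, the backend names are the thread's, and `build_client_hello`, `extract_sni`, `sni_matches`, `naive_end_match` and `route` are this example's own helpers, not haproxy code.

```python
"""Route a raw TLS connection on its SNI, the way haproxy's req_ssl_sni
fetch does in a `mode tcp` frontend, then apply the thread's ACL rules.

Added example, not code from the thread: the ClientHello records are
constructed sample input and the helpers below are this example's own.
"""
import struct

HANDSHAKE_RECORD = 0x16   # TLS record type: handshake
CLIENT_HELLO = 1          # handshake message type
SNI_EXT = 0               # server_name extension id

# Backend names as used in the thread; routes are tried in order.
ROUTES = [("ADomain.com", "a_websecure"), ("BDomain.com", "b_websecure")]


def build_client_hello(server_name: str) -> bytes:
    """Construct a minimal ClientHello record carrying an SNI extension.
    Random, cipher suite and the extra extension are placeholders; only
    the layout the parser walks is faithful to the TLS wire format."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name       # name type host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", 0x0017, 0)                        # an unrelated, empty ext
    exts += struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)                              # client_version, random
            + b"\x00"                                            # session_id length 0
            + struct.pack("!H", 2) + b"\x13\x01"                 # one cipher suite
            + b"\x01\x00"                                        # compression: null
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD, 3, 1]) + struct.pack("!H", len(hs)) + hs


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None when the
    bytes are not a well-formed ClientHello with SNI (haproxy's ACL then
    simply does not match and the connection goes to default_backend)."""
    try:
        if record[0] != HANDSHAKE_RECORD:
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != CLIENT_HELLO:
            return None
        p = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        i = 2 + 32                                         # client_version, random
        i += 1 + p[i]                                      # session_id
        i += 2 + struct.unpack("!H", p[i:i + 2])[0]        # cipher_suites
        i += 1 + p[i]                                      # compression_methods
        end = i + 2 + struct.unpack("!H", p[i:i + 2])[0]   # end of extensions block
        i += 2
        while i + 4 <= end:
            etype, elen = struct.unpack("!HH", p[i:i + 4])
            data, i = p[i + 4:i + 4 + elen], i + 4 + elen
            if etype != SNI_EXT:
                continue
            j = 2                                          # skip server_name_list length
            while j + 3 <= len(data):
                ntype, nlen = data[j], struct.unpack("!H", data[j + 1:j + 3])[0]
                if ntype == 0:                             # host_name entry
                    return data[j + 3:j + 3 + nlen].decode("ascii")
                j += 3 + nlen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def sni_matches(sni: str, domain: str) -> bool:
    """The two ACL lines from the thread, case-insensitive (-i):
         acl host_a req_ssl_sni -i ADomain.com
         acl host_a req_ssl_sni -i -m end .ADomain.com
    The leading dot keeps HowAboutADomain.com from matching."""
    s, d = sni.lower(), domain.lower()
    return s == d or s.endswith("." + d)


def naive_end_match(sni: str, domain: str) -> bool:
    """The mistake the thread warns about: `-m end ADomain.com` with no dot."""
    return sni.lower().endswith(domain.lower())


def route(record: bytes, routes=ROUTES, default="default_backend") -> str:
    """Pick a backend for a raw connection from its first TLS record."""
    sni = extract_sni(record)
    if sni is None:
        return default
    for domain, backend in routes:
        if sni_matches(sni, domain):
            return backend
    return default


if __name__ == "__main__":
    for host in ("ADomain.com", "api.adomain.com", "BDomain.com", "HowAboutADomain.com"):
        print(f"{host:22} -> {route(build_client_hello(host))}")
    print("plain HTTP (no TLS)    ->", route(b"GET / HTTP/1.1\r\nHost: ADomain.com\r\n\r\n"))
```

The SNI is chosen by the client and travels unencrypted, so it is a fine key for picking a backend but not a substitute for the certificate and router rules inside each Traefik instance: the backend still terminates TLS and must refuse names it does not serve. Anything that is not a ClientHello with a matching SNI falls through to default_backend here, which is also what the haproxy ACLs in the thread do.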

Made my day! Thank you very much!
