HAProxy community

Reverse Proxy - Hide port in response

Hello everybody,

I am trying to use haproxy to redirect traffic based on the url to different traefic instances in docker containers.

The goal is to overcome shortcomings of traefic in handling multiple dns challenge configurations within one instance.

My problem:

The goal:

Thank you very much for any help with this!

Configurations and Setup:

The setup looks like this:

                             +----------+
                             |          |
+----------------------+     | ATraefik |
|                      |     |          |
|          ADomain.com +<--->+----------+
|haproxy               |
|          BDomain.com +<--->+----------+
|                      |     |          |
+----------------------+     | BTraefik |
                             |          |
                             +----------+

frontend https_in
    bind *:443

    acl host_a hdr(host) -i ADomain.com
    acl host_b hdr(host) -i BDomain.com   

    use_backend a_websecure if host_a
    use_backend b_websecure if host_b

backend a_websecure
    server a_traeifk a_traefik:444

backend b_websecure
    server b_traeifk b_traefik:445

There is no Host header accessible here, because you are passing SSL through.

So you need to have non-overlapping certificates and route based on SNI, like:

frontend https_in
 bind *:443

 tcp-request inspect-delay 5s
 tcp-request content accept if { req_ssl_hello_type 1 }
 
 acl host_a req_ssl_sni -i ADomain.com
 acl host_b req_ssl_sni -i BDomain.com   

 use_backend a_websecure if host_a
 use_backend b_websecure if host_b
1 Like

Thank you very much for your help. This brought me a big step closer to the solution. I managed to make it work with one domain with the following setup.

frontend https_in
    bind *:443
    mode tcp
    default_backend a_websecure

Then all ssl handling is done by the traefik container in the backend.

Wehn I try to work with the acl like @lukastribus suggested ssl seems to be handeled by haproxy with errors.

Minimal config:

frontend https_in
    bind *:443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    acl host_a ssl_fc-sni -i ADomain.com   
    use_backend a_websecure if host_a
curl -kv https://Adomain.com

*   Trying 78.46.70.220:443...
* Connected to ADomain.com (78.46.70.220) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to ADomain.com:443 
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to ADomain.com

Any help is appreciated. Thank you in advance.

Sorry, I mixed up the keywords.

Please use req_ssl_sni instead, so

acl host_a req_ssl_sni -i ADomain.com
1 Like

This actually worked, but I haven’t quite yet reached my goal as I want do serve various services on subdomains on these domains.

If I understand the documentation correctly it is noch possible to have a wildcard match like:

acl host_a req_ssl_sni -i *.ADomain.com

Am I correct? Is there a work around?

-m end can be used for this (first ACL line is used for the exact match of ADomain.com, second line for all subdomains):

acl host_a req_ssl_sni -i ADomain.com
acl host_a req_ssl_sni -i -m end .ADomain.com

This is important because -m end ADomain.com would match other domains such us HowAboutADomain.com.

1 Like

Made my day! Thank you very much!

1 Like