Route HTTPS traffic based on ACL

I tried to route HTTPS traffic based on an ACL, but it's not working.
I tried with abns and unix@socket, no better.
Any idea?

Why are you looping the connection?

To detect the path and then redirect it, you do the following in your backend:

acl acl_name path /special
# "http-request redirect" is the current form of the older "redirect" directive
http-request redirect location https://host.domain.com/path if acl_name

A redirect is a client action; I don't want a redirect.

Any ideas?

Read and provide the logs; this will help to understand:

Does the use_backend rule in the first backend apply to the request and does it successfully select the bk_redirect_fe2 backend?

Does the request arrive at the fe2_443?

Does the use_backend rule in the second layer correctly select the bk_app1 backend, etc.?

frontend fe1_443
description FE1 443
option forwardfor
bind *:443 ssl crt /etc/haproxy/certs/haproxy.pem crt-ignore-err all ca-ignore-err all #alpn h2,http/1.1
mode http
log-format FE1\ |\ [%t]|\ %ci:%cp|\ %ft|\ %b/%s|\ %Tw/%Tc/%Tt|\ %B|\ %ts|\ %ac/%fc/%bc/%sc/%rc|\ %sq/%bq|\ %hr|\ %hs|\ {%sslv/%sslc/%[ssl_fc_sni]/%[ssl_fc_session_id]}|\ \"%[capture.req.method]|\ %[capture.req.hdr(0)]|\ %[capture.req.uri]\"
acl acl_beg_callback path_beg -i /callback
# /callback is sent to a second frontend inside this process, everything else to the sink
use_backend bk_redirect_fe2 if acl_beg_callback
default_backend bk_default

frontend fe2_app
description FE2 app
option forwardfor
# this listener terminates TLS, so whatever connects to it must speak TLS
bind 127.0.0.1:44443 ssl crt /etc/haproxy/certs/haproxy.pem crt-ignore-err all ca-ignore-err all #alpn h2,http/1.1
mode http
log-format FE2\ |\ [%t]|\ %ci:%cp|\ %ft|\ %b/%s|\ %Tw/%Tc/%Tt|\ %B|\ %ts|\ %ac/%fc/%bc/%sc/%rc|\ %sq/%bq|\ %hr|\ %hs|\ {%sslv/%sslc/%[ssl_fc_sni]/%[ssl_fc_session_id]}|\ \"%[capture.req.method]|\ %[capture.req.hdr(0)]|\ %[capture.req.uri]\"
acl acl_beg_callback path_beg -i /callback
use_backend bk_callback if acl_beg_callback
default_backend bk_default

backend bk_redirect_fe2
description callback
mode http
# fe2_app binds with "ssl", so the internal hop must also use "ssl";
# without it HAProxy sends cleartext into a TLS listener and the hop fails.
# "verify none" skips certificate verification on this loopback connection.
server loopback-fe2 127.0.0.1:44443 ssl verify none sni ssl_fc_sni

backend bk_callback
description Claims
balance roundrobin
mode http
default-server inter 3s fall 3 rise 2
timeout server 20s
server www 192.168.166.99:8080 check

backend bk_default
description NULLSRV
# intentional sink: unmatched requests fail fast against an unreachable server
timeout connect 1ms
server null 200.200.200.200:6000

Log:
–>haproxy01 haproxy[11165]: FE1 | [17/Jan/2023:12:21:26.374]| 192.168.1.68:62230| fe1_443~| bk_redirect_fe2/loopback-fe2| 0/0/6| 208| SH| 2/2/0/0/0| 0/0| | | {TLSv1.3/TLS_AES_128_GCM_SHA256/app.dom.net/▒*#01W▒▒cp▒▒▒zI▒Y ▒m▒R#030▒&▒{g#030▒r[#034}| GET| -| /callback
–>haproxy01 haproxy[11165]: FE1 | [17/Jan/2023:12:21:26.374]| 192.168.1.68:62231| fe1_443~| bk_default/null| 0/-1/66| 216| sC| 1/1/0/0/3| 0/0| | | {TLSv1.3/TLS_AES_128_GCM_SHA256/app.dom.net/▒▒U▒UÜ~Gi▒▒>.Md/#022▒o▒▒Pm▒ 3^▒▒▒}| GET| -| /favicon.ico

It passes through FE1 → loopback-fe2 but does not arrive in FE2.

Response:
502 Bad Gateway
The server returned an invalid or incomplete response.

I found:
If I bind in frontend fe2_app:
bind *:44443 ssl crt /etc/haproxy/certs/haproxy.pem crt-ignore-err all ca-ignore-err all

backend bk_redirect_fe2
# note the "ssl" keyword on this server line, absent from the earlier loopback-fe2 line
server loopback-fe2 *:44443 ssl verify none sni ssl_fc_sni

It's working with * but not with an abns or unix socket, or with 127.0.0.1.
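The thread above routes /callback through a second frontend in the same HAProxy process without a client-visible redirect. The following is an added example, not the poster's configuration and not taken from the thread, showing the two ways such an internal hop can be wired consistently: a plain-HTTP hop over an abstract namespace (abns) socket, which needs no certificate on the second listener, and, as a commented variant, a TLS hop where the "ssl" keyword appears on both the bind and the server line. The hostnames, certificate path, backend address and the deny-sink default backend are assumptions; the PROXY protocol on the internal hop is added so the second frontend logs the real client address.

```haproxy
# Added example (not the thread's config): two-hop routing inside one
# HAProxy process. TLS is terminated once on fe1_443; the /callback path
# is handed to fe2_app over an abns socket in plain HTTP.

global
    log stdout format raw local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend fe1_443
    bind *:443 ssl crt /etc/haproxy/certs/haproxy.pem alpn h2,http/1.1
    option forwardfor
    # Record the TLS facts once; they are not visible after the internal hop.
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Original-SNI %[ssl_fc_sni]
    acl acl_beg_callback path_beg -i /callback
    use_backend bk_to_fe2 if acl_beg_callback
    default_backend bk_default

# Internal hop in plain HTTP: no "ssl" on the server line and no
# "ssl crt" on the matching bind. send-proxy-v2/accept-proxy carry the
# original client address so fe2_app logs and ACLs see it as %ci.
backend bk_to_fe2
    server fe2 abns@fe2_app send-proxy-v2

frontend fe2_app
    bind abns@fe2_app accept-proxy
    acl acl_beg_callback path_beg -i /callback
    use_backend bk_callback if acl_beg_callback
    default_backend bk_default

backend bk_callback
    balance roundrobin
    default-server inter 3s fall 3 rise 2
    timeout server 20s
    server www 192.168.166.99:8080 check

# Variant keeping TLS on the internal hop, as in the thread: the bind is
# "ssl", so the server line needs "ssl" as well. Without it HAProxy writes
# cleartext HTTP into a TLS listener and the hop fails at the handshake.
# "verify none" is acceptable only because the peer is this same process.
# backend bk_to_fe2_tls
#     server fe2 127.0.0.1:44443 ssl verify none sni ssl_fc_sni
# frontend fe2_app_tls
#     bind 127.0.0.1:44443 ssl crt /etc/haproxy/certs/haproxy.pem

# Sink for unmatched requests: answer 404 rather than dialing a dead server.
backend bk_default
    http-request deny deny_status 404
```

Check it with `haproxy -c -f haproxy.cfg` before reloading; with the plain-HTTP variant, the second frontend's log lines should show the original client address rather than the loopback address, and the termination state for /callback should no longer be SH.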