HAProxy community

Simple HTTPS reverse proxy doesn't work

Hi,

After hours of searching and following sites like https://www.ssltrust.com.au/help/setup-guides/haproxy-reverse-proxy-setup-guide and https://discourse.haproxy.org/t/why-does-my-simplified-config-not-work-1-8-tcp-reverse-proxy-with-domain-name-checks/2448
I still can't figure out why HAProxy won't pass through HTTPS requests:

My Setup:
domain1.com -------->:80, :443 1.2.3.4 ------> :81, :444 haproxy on pi1 --> :80, :443 pi1
else -------->:80, :443 1.2.3.4 ------> :81, :444 haproxy on pi1 --> :80, :443 pi2

So I have two domains pointing to one IP, but they should be handled by separate Raspberry Pis, depending on the URL.

pi1 is the target and the HAProxy host at the same time, which is why the Apache web server listens on ports 80 and 443, and HAProxy on 81 and 444.

The config of HAProxy:

global
        log /dev/log    local0 debug
        log /dev/log    local1 debug
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s


defaults
        log     global
        mode    tcp
        option  tcplog
        timeout connect 5000
        timeout client  50000
        timeout server  50000

# plain HTTP for domain2.com, routed on the Host header
backend pi2_80
        mode http
        balance roundrobin
        server pi2 pi2:80 check

# TLS passthrough for domain2.com; ssl-hello-chk only tests that the
# server answers a client hello, it does not validate the certificate
backend pi2_443
        mode tcp
        balance roundrobin
        option ssl-hello-chk
        server pi2 pi2:443 check

backend pi1_80
        mode http
        balance roundrobin
        server pi11 pi1:80

backend pi1_443
        mode tcp
        balance roundrobin
        option ssl-hello-chk
        server pi11 pi1:443 check

frontend http
        mode http
        bind :81
        use_backend pi2_80 if { hdr(host) -i domain2.com }
        default_backend pi1_80

# TLS is not terminated here: wait up to 5 s for a ClientHello and route
# on the cleartext SNI it carries; without a reject rule, anything else
# still reaches the default backend once the inspect delay expires
frontend https
        mode tcp
        bind :444
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }
        use_backend pi2_443 if { req_ssl_sni -i domain2.com }
        default_backend pi1_443

More info:

My modem redirects from port 80 to 81; if it forwards directly to one of the two Apache2 servers, it works perfectly fine.

When using curl -vvkl pi1 and curl -vvkl pi2, the Apache server redirects from port :80 to port :443 and works perfectly fine. So the problem is definitely HAProxy here, but I can't figure out why.

haproxy -c -f /etc/haproxy/haproxy.cfg shows "Configuration file is valid".

Changing the hostnames to IPs does not make a difference.

Thanks for the help.
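To make the routing decision in the https frontend above concrete, here is an added example in Python. It is not part of the original post and not HAProxy's own code: it builds a minimal TLS 1.2 ClientHello (constructed test input, not a capture), parses out exactly what the req_ssl_hello_type 1 and req_ssl_sni fetches look at, and models the use_backend choice. The backend names and domain2.com are taken from the post; the strict flag is an assumption that models an extra "tcp-request content reject if !{ req_ssl_hello_type 1 }" line, which the post's config does not have.

```python
import struct

# Routing table from the post's frontend: SNI (lower-cased) -> backend name.
ROUTES = {"domain2.com": "pi2_443"}
DEFAULT_BACKEND = "pi1_443"


def build_client_hello(sni=None):
    """Build a minimal TLS 1.2 ClientHello record (constructed test input,
    not a real capture). Only the fields the router inspects matter."""
    extensions = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host       # name_type 0 = host_name
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(name_list)) + name_list  # ext 0 = server_name
    body = (
        b"\x03\x03"                                  # client_version TLS 1.2
        + b"\x00" * 32                               # random (all zero: test data)
        + b"\x00"                                    # session_id length 0
        + b"\x00\x02\x13\x01"                        # one cipher suite
        + b"\x01\x00"                                # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # HandshakeType 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType 22


def parse_client_hello(data):
    """Return (is_client_hello, sni_or_None) for the first bytes a client sends.
    This is what req_ssl_hello_type (handshake type 1) and req_ssl_sni
    (server_name extension) are evaluated against."""
    try:
        if data[0] != 0x16:                       # not a TLS handshake record
            return (False, None)
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:          # not a ClientHello
            return (False, None)
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return (False, None)                  # truncated: HAProxy would keep waiting
        pos = 2 + 32                              # skip client_version and random
        pos += 1 + body[pos]                      # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                      # compression_methods
        if pos + 2 > len(body):
            return (True, None)                   # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            ext = body[pos + 4:pos + 4 + ext_size]
            pos += 4 + ext_size
            if ext_type != 0x0000:
                continue
            list_len = struct.unpack("!H", ext[0:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                name_type = ext[q]
                name_len = struct.unpack("!H", ext[q + 1:q + 3])[0]
                if name_type == 0:
                    return (True, ext[q + 3:q + 3 + name_len].decode("ascii", "replace"))
                q += 3 + name_len
        return (True, None)                       # ClientHello without SNI
    except (IndexError, struct.error):
        return (False, None)


def choose_backend(first_bytes, strict=False, routes=ROUTES, default=DEFAULT_BACKEND):
    """Model of the post's 'frontend https' rules. Returns (when, backend).
    - ClientHello with SNI in ROUTES          -> ("immediate", mapped backend)
    - ClientHello with no or other SNI        -> ("immediate", default backend)
    - anything else, strict=False (the post)  -> no rule matches, HAProxy waits
      out the 5 s inspect-delay and then accepts to the default backend anyway
    - anything else, strict=True (assumed extra reject rule) -> connection dropped
    """
    is_hello, sni = parse_client_hello(first_bytes)
    if not is_hello:
        return ("rejected", None) if strict else ("after-inspect-delay", default)
    return ("immediate", routes.get((sni or "").lower(), default))


if __name__ == "__main__":
    samples = {
        "SNI domain2.com": build_client_hello("domain2.com"),
        "SNI DOMAIN2.COM": build_client_hello("DOMAIN2.COM"),
        "SNI domain1.com": build_client_hello("domain1.com"),
        "no SNI (curl to the bare IP)": build_client_hello(None),
        "plain HTTP on the TLS port": b"GET / HTTP/1.1\r\nHost: domain2.com\r\n\r\n",
    }
    for label, raw in samples.items():
        print(f"{label:30s} -> {choose_backend(raw)}   strict: {choose_backend(raw, strict=True)}")
```

Two things the model makes visible: the SNI is cleartext and chosen by the client, so it is only a routing hint and each Apache still has to enforce its own virtual host and certificate; and a client that sends no SNI (curl against the bare IP, some scanners, old clients) lands on pi1_443 and is shown pi1's certificate rather than being refused. To exercise the real route from outside, openssl s_client -connect 1.2.3.4:443 -servername domain2.com shows which certificate comes back, and curl -vk --resolve domain2.com:443:1.2.3.4 https://domain2.com/ sends the SNI without touching DNS.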

You forgot to mention what actually happens and how it fails. Maybe add some curl -vv output that shows the failure?