SNI HTTPS Redirection

bluex · December 4, 2019, 1:31pm

Hi:

I’m using now haproxy v.1.7 for redirect HTTPS requests, but I have problem with the following
I want to recognize any subdomain that comes for test123.com as an example and forwarded to the same URL
In my case, I don’t know the subdomains for put it in the configuration for that is there any way to put it as a variable or something like that.

Explain the config:

...

acl subdomain_is_test req_ssl_sni -i [any subdomain that come to him from this domain].test123.com

use_backend bknd_snipt_test if subdomain_is_test

backend bknd_snipt_test
      mode tcp
      server snipt-test [any subdomain that come to him from this domain].test123.com:443

Thanks

lukastribus · December 4, 2019, 1:52pm

You need runtime DNS resolution of variables, which you can do only in Haproxy 2.0:

https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#4.2-http-request%20do-resolve

bluex · December 4, 2019, 1:55pm

First of all, thank you so much for your answer, Can you help me with farther information for modify my configuration, thanks in advance.

lukastribus · December 4, 2019, 2:02pm

Can you upgrade to haproxy 2.0? Because it will not work in haproxy 1.7.

bluex · December 4, 2019, 2:14pm

I will try to upgrade it, My OS is Centos, but what about the config

lukastribus · December 4, 2019, 2:23pm

The config is what I linked above, the exception that you replace

http-request do-resolve(txn.myip,mydns,ipv4) hdr(Host),lower

with:

http-request do-resolve(txn.myip,mydns,ipv4) req_ssl_sni,lower

bluex · December 4, 2019, 3:09pm

I upgraded the haproxy to 2.0

and put this configuration

resolvers mydns
  nameserver local 127.0.0.53:53
  nameserver google 8.8.8.8:53
  timeout retry   1s
  hold valid 10s
  hold nx 3s
  hold other 3s
  hold obsolete 0s
  accepted_payload_size 8192

frontend fe
  bind *:443
  http-request do-resolve(txn.myip,mydns,ipv4) req_ssl_sni,lower
  http-request capture var(txn.myip) len 40

  # return 503 when the variable is not set,
  # which mean DNS resolution error
  use_backend b_503 unless { var(txn.myip) -m found }

  default_backend be

backend b_503
  # dummy backend used to return 503.
  # one can use the errorfile directive to send a nice
  # 503 error page to end users

backend be
  # rule to prevent HAProxy from reconnecting to services
  # on the local network (forged DNS name used to scan the network)
  http-request deny if { var(txn.myip) -m ip 127.0.0.0/8 10.0.0.0/8 }
  http-request set-dst var(txn.myip)
  server clear 0.0.0.0:0

but the service down and refuse to start up
Did I make any mistakes in the configuration?

lukastribus · December 4, 2019, 3:21pm

It’s an example configuration. You have to adapt it for your environment, copy&pasting is not enough, read and understand it first.

Are resolvers correctly configured?

bluex · December 4, 2019, 3:34pm

I used the following configuration, the service running but it’s not forward https requests

global
   log /dev/log local0
   log /dev/log local1 notice
   chroot /var/lib/haproxy
   stats timeout 30s
   user haproxy
   group haproxy
   daemon

defaults
   log global
   mode tcp
   option httplog
   option dontlognull
   timeout connect 5000
   timeout client 50000
   timeout server 50000

resolvers mydns
  nameserver google 8.8.8.8:53
  timeout retry   1s
  hold valid 10s
  hold nx 3s
  hold other 3s
  hold obsolete 0s
  accepted_payload_size 8192

frontend fe
  bind *:443
  http-request do-resolve(txn.myip,mydns,ipv4) req_ssl_sni,lower
  http-request capture var(txn.myip) len 40

  default_backend be


backend be
  http-request set-dst var(txn.myip)

Any suggestions, please?

lukastribus · December 4, 2019, 3:40pm

You are missing the server configuration.

Then, I suggest you provde the output of running curl -vv ... against haproxy, the output of haproxy -vv and the output of the haproxy log.

bluex · December 4, 2019, 3:51pm

For the server response when I did curl

* Expire in 0 ms for 6 (transfer 0x55e626cd3f50)
* Expire in 1 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 1 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 1 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 1 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 1 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 1 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 1 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 1 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 1 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 1 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 1 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 1 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 1 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 1 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 1 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 1 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 1 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 1 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
* Expire in 0 ms for 1 (transfer 0x55e626cd3f50)
*   Trying 192.168.1.119...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x55e626cd3f50)
* Connected to yahoo.com (192.168.1.119) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to yahoo.com:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to yahoo.com:443

For Haproxy tcpdump

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
10:49:52.679311 IP 192.168.1.117.47070 > localhost.localdomain.https: Flags [S], seq 1005535813, win 29200, options [mss 1460,sackOK,TS val 985724504 ecr 0,nop,wscale 7], length 0
10:49:52.679400 IP localhost.localdomain.https > 192.168.1.117.47070: Flags [S.], seq 1536868828, ack 1005535814, win 28960, options [mss 1460,sackOK,TS val 2801557 ecr 985724504,nop,wscale 7], length 0
10:49:52.679603 IP 192.168.1.117.47070 > localhost.localdomain.https: Flags [.], ack 1, win 229, options [nop,nop,TS val 985724505 ecr 2801557], length 0
10:49:52.679993 IP localhost.localdomain.https > 192.168.1.117.47070: Flags [F.], seq 1, ack 1, win 227, options [nop,nop,TS val 2801557 ecr 985724505], length 0
10:49:52.680860 IP 192.168.1.117.47070 > localhost.localdomain.https: Flags [P.], seq 1:518, ack 2, win 229, options [nop,nop,TS val 985724506 ecr 2801557], length 517
10:49:52.680907 IP localhost.localdomain.https > 192.168.1.117.47070: Flags [R], seq 1536868830, win 0, length 0
10:49:52.680919 IP 192.168.1.117.47070 > localhost.localdomain.https: Flags [F.], seq 518, ack 2, win 229, options [nop,nop,TS val 985724506 ecr 2801557], length 0
10:49:52.680926 IP localhost.localdomain.https > 192.168.1.117.47070: Flags [R], seq 1536868830, win 0, length 0
10:49:57.440416 ARP, Request who-has 192.168.1.117 (08:00:27:a3:cf:9e (oui Unknown)) tell 192.168.1.118, length 46
10:49:57.440841 ARP, Reply 192.168.1.117 is-at 08:00:27:a3:cf:9e (oui Unknown), length 46

lukastribus · December 4, 2019, 4:00pm

Please read my post again and provide the outputs exactly as requested. Do not remove part of it. With haproxy logs I mean the logs that haproxy emits, not a tcpdump.

bluex · December 4, 2019, 4:49pm

OK, please give me some time to do it.

bluex · December 5, 2019, 7:11am

I’m sorry for late, but I want to make sure that I did everything right by the server-side.
I’m using now CentOS 7 and for logging, I did these steps:

I added the following line in haproxy config

log 127.0.0.1 local2 info

After that, I edited my rsyslog service configuration like this

# line 15,16: uncomment, lne 17: add
$ModLoad imudp
$UDPServerRun 514
$AllowedSender UDP, 127.0.0.1
# line 54: change like follows
*.info;mail.none;authpriv.none;cron.none,local2.none   /var/log/messages
local2.*                                                /var/log/haproxy.log

And after that, I restart the two services.
In the haproxy log I have only these logs when I tried to use curl without any other response:

Dec  4 17:16:24 localhost haproxy[13121]: Proxy fe started.
Dec  4 17:16:24 localhost haproxy[13121]: Proxy be started.
Dec  4 17:16:24 localhost haproxy: Starting haproxy: [  OK  ]

I tried to change the logging type in haproxy config like this:

log 127.0.0.1 local2 notice # and also I tried debug

But the same result in the log, nothing appears when I use curl to the server.
For making sure that is not network issue my netstat -ntlp command gives me this result

Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      0          18833      1342/master
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      0          4278342    13122/haproxy
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      0          18104      1104/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      0          18834      1342/master
tcp6       0      0 :::22                   :::*                    LISTEN      0          18113      1104/sshd

And the request comes to the server because I see it in tcpdump.

I thought that was a problem in my system and in rsyslog service, but when I changed the configuration for haproxy to default one and use it as a load balancer for test simple thing the log working and I have results in the log file.

Really thank you for your time, but can you give me you advice because I spent all night in order to know where is my mistake and I couldn’t know.
Thanks in advance.

bluex · December 5, 2019, 11:58am

I figure out the right configuration for the first situation which is using port 80 for http, it’s not working but at least have some logs:

global
    log         127.0.0.1 local2
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     8000
    user        haproxy
    group       haproxy
    daemon
    nbproc      2
    stats socket /var/lib/haproxy/stats


defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    15s
    timeout queue           1m
    timeout connect         15s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 8000


resolvers mydns
  nameserver google 8.8.8.8:53
  timeout retry   1s
  hold valid 10s
  hold nx 3s
  hold other 3s
  hold obsolete 0s
  accepted_payload_size 8192

frontend fe
  bind *:80
  http-request do-resolve(txn.myip,mydns,ipv4) hdr(Host),lower
  http-request capture var(txn.myip) len 40

use_backend be

backend be
  http-request set-dst var(txn.myip)

And the log shows these results:

Dec  5 06:50:14 localhost haproxy[14728]: 192.168.1.117:48394 [05/Dec/2019:06:50:14.315] fe be/<NOSRV> 26/-1/-1/-1/26 503 237 - - SC-- 1/1/0/0/0 0/0 {104.24.122.146} "GET / HTTP/1.1"
Dec  5 06:50:14 localhost haproxy[14727]: 192.168.1.117:48396 [05/Dec/2019:06:50:14.650] fe be/<NOSRV> 23/-1/-1/-1/23 503 237 - - SC-- 1/1/0/0/0 0/0 {104.24.123.146} "GET / HTTP/1.1"
Dec  5 06:50:14 localhost haproxy[14728]: 192.168.1.117:48398 [05/Dec/2019:06:50:14.919] fe be/<NOSRV> 60/-1/-1/-1/60 503 237 - - SC-- 1/1/0/0/0 0/0 {104.24.122.146} "GET / HTTP/1.1"
Dec  5 06:50:15 localhost haproxy[14727]: 192.168.1.117:48400 [05/Dec/2019:06:50:15.173] fe be/<NOSRV> 20/-1/-1/-1/20 503 237 - - SC-- 1/1/0/0/0 0/0 {104.24.123.146} "GET / HTTP/1.1"
Dec  5 06:50:15 localhost haproxy[14728]: 192.168.1.117:48402 [05/Dec/2019:06:50:15.428] fe be/<NOSRV> 6/-1/-1/-1/6 503 237 - - SC-- 1/1/0/0/0 0/0 {104.24.122.146} "GET / HTTP/1.1"
Dec  5 06:50:15 localhost haproxy[14727]: 192.168.1.117:48404 [05/Dec/2019:06:50:15.696] fe be/<NOSRV> 21/-1/-1/-1/21 503 237 - - SC-- 1/1/0/0/0 0/0 {104.24.123.146} "GET / HTTP/1.1"
Dec  5 06:50:15 localhost haproxy[14728]: 192.168.1.117:48406 [05/Dec/2019:06:50:15.929] fe be/<NOSRV> 20/-1/-1/-1/20 503 237 - - SC-- 1/1/0/0/0 0/0 {104.24.122.146} "GET / HTTP/1.1"

I changed the configuration for port 443 for HTTPS request and the haproxy configuration is:

global
    log         127.0.0.1 local2
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     8000
    user        haproxy
    group       haproxy
    daemon
    nbproc      2
    stats socket /var/lib/haproxy/stats


defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    15s
    timeout queue           1m
    timeout connect         15s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 8000

resolvers mydns
  nameserver google 8.8.8.8:53
  timeout retry   1s
  hold valid 10s
  hold nx 3s
  hold other 3s
  hold obsolete 0s
  accepted_payload_size 8192




frontend fe
  bind *:443
  http-request do-resolve(txn.myip,mydns,ipv4) req_ssl_sni,lower
  http-request capture var(txn.myip) len 40

use_backend be

backend be
  http-request set-dst var(txn.myip)

But unfortunately, there is no log when I send through curl. and the curl give me this massage:

curl -vv https://google.com

*   Trying 192.168.1.119...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x55edffd64f50)
* Connected to google.com (192.168.1.119) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* error:1408F10B:SSL routines:ssl3_get_record:wrong version number
* Closing connection 0
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

Do you need other useful information? that can help me to figure out what happened.
Thank you for your time.

bluex · December 5, 2019, 12:46pm

In http conf file in the backend I forgot the server line and it’s working
But now in https, it’s not working until now ( I added the server line that I missed before with 0.0.0.0:443) and there is no log unfortunately for anything in order to debug it.
Do you have further ideas?

bluex · December 5, 2019, 1:13pm

I figure out that I must put tcp not http

frontend fe
  bind *:443
  mode tcp
  option tcplog
  log global
  http-request do-resolve(txn.myip,mydns,ipv4) req_ssl_sni,lower
  http-request capture var(txn.myip) len 40

and show this line in the log

Dec  5 08:15:07 localhost haproxy[15509]: 192.168.1.119:58261 [05/Dec/2019:08:14:07.369] fe be/clear 1/0/60095 0 sD 4117/4117/4116/4116/0 0/0
Dec  5 08:15:07 localhost haproxy[15509]: 192.168.1.119:58263 [05/Dec/2019:08:14:07.369] fe be/clear 1/0/60095 0 sD 4116/4116/4115/4115/0 0/0
Dec  5 08:15:07 localhost haproxy[15510]: 192.168.1.119:58329 [05/Dec/2019:08:14:07.377] fe be/clear 1/0/60099 0 sD 4306/4306/4304/4304/0 0/0
Dec  5 08:15:07 localhost haproxy[15510]: 192.168.1.119:58331 [05/Dec/2019:08:14:07.377] fe be/clear 1/0/60099 0 sD 4305/4305/4303/4303/0 0/0
Dec  5 08:15:07 localhost haproxy[15510]: 192.168.1.119:58333 [05/Dec/2019:08:14:07.377] fe be/clear 1/0/60099 0 sD 4304/4304/4302/4302/0 0/0
Dec  5 08:15:07 localhost haproxy[15510]: 192.168.1.119:58335 [05/Dec/2019:08:14:07.377] fe be/clear 1/0/60099 0 sD 4303/4303/4301/4301/0 0/0
Dec  5 08:15:07 localhost haproxy[15510]: 192.168.1.119:58337 [05/Dec/2019:08:14:07.377] fe be/clear 1/0/60099 0 sD 4302/4302/4300/4300/0 0/0
Dec  5 08:15:07 localhost haproxy[15510]: 192.168.1.119:58339 [05/Dec/2019:08:14:07.377] fe be/clear 1/0/60099 0 sD 4301/4301/4299/4299/0 0/0
Dec  5 08:15:07 localhost haproxy[15510]: 192.168.1.119:58341 [05/Dec/2019:08:14:07.377] fe be/clear 1/0/60099 0 sD 4300/4300/4298/4298/0 0/0
Dec  5 08:15:07 localhost haproxy[15510]: 192.168.1.119:58343 [05/Dec/2019:08:14:07.377] fe be/clear 1/0/60098 0 sD 4299/4299/4297/4297/0 0/0
Dec  5 08:15:07 localhost haproxy[15510]: 192.168.1.119:58345 [05/Dec/2019:08:14:07.377] fe be/clear 1/0/60098 0 sD 4298/4298/4296/4296/0 0/0
Dec  5 08:15:07 localhost haproxy[15510]: 192.168.1.119:58347 [05/Dec/2019:08:14:07.377] fe be/clear 1/0/60098 0 sD 4297/4297/4295/4295/0 0/0
Dec  5 08:15:07 localhost haproxy[15510]: 192.168.1.119:58349 [05/Dec/2019:08:14:07.377] fe be/clear 1/0/60098 0 sD 4296/4296/4294/4294/0 0/0
Dec  5 08:15:07 localhost haproxy[15510]: 192.168.1.119:58351 [05/Dec/2019:08:14:07.377] fe be/clear 1/0/60098 0 sD 4295/4295/4293/4293/0 0/0
Dec  5 08:15:07 localhost haproxy[15510]: 192.168.1.119:58353 [05/Dec/2019:08:14:07.377] fe be/clear 1/0/60098 0 sD 4294/4294/4292/4292/0 0/0
Dec  5 08:15:07 localhost haproxy[15510]: 192.168.1.119:58355 [05/Dec/2019:08:14:07.378] fe be/clear 1/0/60098 0 sD 4293/4293/4291/4291/0 0/0
Dec  5 08:15:07 localhost haproxy[15510]: 192.168.1.119:58357 [05/Dec/2019:08:14:07.378] fe be/clear 1/0/60098 0 sD 4292/4292/4290/4290/0 0/0
Dec  5 08:15:07 localhost haproxy[15510]: 192.168.1.119:58359 [05/Dec/2019:08:14:07.378] fe be/clear 1/0/60098 0 sD 4291/4291/4289/4289/0 0/0
Dec  5 08:15:07 localhost haproxy[15510]: 192.168.1.119:58361 [05/Dec/2019:08:14:07.378] fe be/clear 1/0/60098 0 sD 4290/4290/4288/4288/0 0/0
Dec  5 08:15:07 localhost haproxy[15510]: 192.168.1.119:58363 [05/Dec/2019:08:14:07.378] fe be/clear 1/0/60098 0 sD 4289/4289/4287/4287/0 0/0
Dec  5 08:15:07 localhost haproxy[15510]: 192.168.1.119:58365 [05/Dec/2019:08:14:07.378] fe be/clear 1/0/60098 0 sD 4288/4288/4286/4286/0 0/0
Dec  5 08:15:07 localhost haproxy[15510]: 192.168.1.119:58367 [05/Dec/2019:08:14:07.378] fe be/clear 1/0/60098 0 sD 4287/4287/4285/4285/0 0/0
Dec  5 08:15:07 localhost haproxy[15510]: 192.168.1.119:58369 [05/Dec/2019:08:14:07.378] fe be/clear 1/0/60098 0 sD 4286/4286/4284/4284/0 0/0
Dec  5 08:15:07 localhost haproxy[15510]: 192.168.1.119:58371 [05/Dec/2019:08:14:07.378] fe be/clear 1/0/60098 0 sD 4285/4285/4283/4283/0 0/0
Dec  5 08:15:07 localhost haproxy[15510]: 192.168.1.119:58373 [05/Dec/2019:08:14:07.378] fe be/clear 1/0/60098 0 sD 4284/4284/4282/4282/0 0/0
Dec  5 08:15:07 localhost haproxy[15510]: 192.168.1.119:58375 [05/Dec/2019:08:14:07.378] fe be/clear 1/0/60097 0 sD 4283/4283/4281/4281/0 0/0
Dec  5 08:15:07 localhost haproxy[15510]: 192.168.1.119:58377 [05/Dec/2019:08:14:07.378] fe be/clear 1/0/60097 0 sD 4282/4282/4280/4280/0 0/0
Dec  5 08:15:07 localhost haproxy[15510]: 192.168.1.119:58379 [05/Dec/2019:08:14:07.378] fe be/clear 1/0/60097 0 sD 4281/4281/4279/4279/0 0/0
Dec  5 08:15:07 localhost haproxy[15510]: 192.168.1.119:58381 [05/Dec/2019:08:14:07.378] fe be/clear 1/0/60097 0 sD 4280/4280/4278/4278/0 0/0
Dec  5 08:15:07 localhost haproxy[15510]: 192.168.1.119:58383 [05/Dec/2019:08:14:07.378] fe be/clear 1/0/60097 0 sD 4279/4279/4277/4277/0 0/0

by the way, 192.168.1.119 is the haproxy because the client IP is 192.168.1.117. and this log appears after I Curl command finished.

And I noticed also the log also shows similar like above line without and request from anyone.

Dec  5 08:20:08 localhost haproxy[15510]: 192.168.1.119:49231 [05/Dec/2019:08:19:08.591] fe be/clear 1/0/60000 0 sD 7665/7665/7663/7663/0 0/0
Dec  5 08:20:08 localhost haproxy[15510]: 192.168.1.119:49233 [05/Dec/2019:08:19:08.591] fe be/clear 1/0/60000 0 sD 7664/7664/7662/7662/0 0/0
Dec  5 08:20:08 localhost haproxy[15510]: 192.168.1.119:49235 [05/Dec/2019:08:19:08.591] fe be/clear 1/0/60000 0 sD 7663/7663/7661/7661/0 0/0
Dec  5 08:20:08 localhost haproxy[15510]: 192.168.1.119:49237 [05/Dec/2019:08:19:08.591] fe be/clear 1/0/60000 0 sD 7662/7662/7660/7660/0 0/0
Dec  5 08:20:08 localhost haproxy[15510]: 192.168.1.119:49239 [05/Dec/2019:08:19:08.591] fe be/clear 1/0/60000 0 sD 7661/7661/7659/7659/0 0/0
Dec  5 08:20:08 localhost haproxy[15510]: 192.168.1.119:49241 [05/Dec/2019:08:19:08.591] fe be/clear 1/0/60000 0 sD 7660/7660/7658/7658/0 0/0
Dec  5 08:20:08 localhost haproxy[15510]: 192.168.1.119:49243 [05/Dec/2019:08:19:08.591] fe be/clear 1/0/60000 0 sD 7659/7659/7657/7657/0 0/0
Dec  5 08:20:08 localhost haproxy[15510]: 192.168.1.119:49245 [05/Dec/2019:08:19:08.591] fe be/clear 1/0/60000 0 sD 7658/7658/7656/7656/0 0/0
Dec  5 08:20:08 localhost haproxy[15510]: 192.168.1.119:49247 [05/Dec/2019:08:19:08.591] fe be/clear 1/0/60000 0 sD 7657/7657/7655/7655/0 0/0
Dec  5 08:20:08 localhost haproxy[15510]: 192.168.1.119:49249 [05/Dec/2019:08:19:08.591] fe be/clear 1/0/60000 0 sD 7656/7656/7654/7654/0 0/0
Dec  5 08:20:08 localhost haproxy[15510]: 192.168.1.119:49251 [05/Dec/2019:08:19:08.591] fe be/clear 1/0/60000 0 sD 7663/7663/7661/7661/0 0/0
Dec  5 08:20:08 localhost haproxy[15510]: 192.168.1.119:49253 [05/Dec/2019:08:19:08.592] fe be/clear 1/0/60000 0 sD 7662/7662/7660/7660/0 0/0
Dec  5 08:20:08 localhost haproxy[15510]: 192.168.1.119:49255 [05/Dec/2019:08:19:08.592] fe be/clear 1/0/60000 0 sD 7661/7661/7659/7659/0 0/0
Dec  5 08:20:08 localhost haproxy[15510]: 192.168.1.119:49257 [05/Dec/2019:08:19:08.592] fe be/clear 1/0/60000 0 sD 7660/7660/7658/7658/0 0/0
Dec  5 08:20:08 localhost haproxy[15510]: 192.168.1.119:49259 [05/Dec/2019:08:19:08.592] fe be/clear 1/0/60000 0 sD 7659/7659/7657/7657/0 0/0
Dec  5 08:20:08 localhost haproxy[15510]: 192.168.1.119:49261 [05/Dec/2019:08:19:08.592] fe be/clear 1/0/60000 0 sD 7658/7658/7656/7656/0 0/0
Dec  5 08:20:08 localhost haproxy[15510]: 192.168.1.119:49263 [05/Dec/2019:08:19:08.592] fe be/clear 1/0/60000 0 sD 7657/7657/7655/7655/0 0/0

Is that useful for figure out what is the problem?

Topic		Replies	Views
[SOLVED] One IP, fistful of domains, pack of subdomains and HAProxy in front of it Help!	12	2873	November 4, 2018
Simplified ACL for SNI matching Help!	1	478	February 24, 2020
Issue with sni routing Help!	5	424	October 23, 2023
Match against req.ssl_sni AND dst_port Help!	4	719	October 30, 2022
SSL termination and SNI Help!	6	3291	January 2, 2019

SNI HTTPS Redirection

Related topics