Sni proxy only support port 443?

tcp proxy via sni domain. 443 success. 2096 wrong.


	log /dev/log	local0
	log /dev/log	local1 notice
  log /var/log/haproxy.log local0 notice
	chroot /var/lib/haproxy
	stats socket /run/haproxy/admin.sock mode 660 level admin
	stats timeout 30s
	user haproxy
	group haproxy
  maxconn 65535

	# Default SSL material locations
	ca-base /etc/ssl/certs
	crt-base /etc/ssl/private

	# See:
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

	log	global
	mode	http
  option http-keep-alive
  option forwardfor
	option	httplog
	option	dontlognull
  timeout connect 5000
  timeout client  5000
  timeout server  5000
  timeout http-request 2000ms
	errorfile 400 /etc/haproxy/errors/400.http
	errorfile 403 /etc/haproxy/errors/403.http
	errorfile 408 /etc/haproxy/errors/408.http
	errorfile 500 /etc/haproxy/errors/500.http
	errorfile 502 /etc/haproxy/errors/502.http
	errorfile 503 /etc/haproxy/errors/503.http
	errorfile 504 /etc/haproxy/errors/504.http

listen stats
  bind *:60003
  stats refresh 5s 
  stats uri /stats
  stats realm HAProxy Stats 
  stats auth stats:stats

frontend aria2rpc_front
  bind :2096
  bind :443
  mode tcp
  option tcplog

  tcp-request inspect-delay 5s

  # tcp-request content capture ssl_fc_sni len 23
  # log-format "capture0: %[capture.req.hdr(0)]"

  tcp-request content accept if { req_ssl_hello_type 1 }
  acl aria2rpc req.ssl_sni -i
  use_backend online_tcp_2096 if aria2rpc
  default_backend backend_domain1
backend online_tcp_2096
  mode tcp
  server s1
backend backend_domain1
  server  web1
backend backend_domain2
  server  web1

haproxy version

root@localhost:~# haproxy -vv
HAProxy version 2.6.12-1+deb12u1 2023/12/16 -
Status: long-term supported branch - will stop receiving fixes around Q2 2027.
Known bugs:
Running on: Linux 6.1.0-15-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.66-1 (2023-12-09) x86_64
Build options :
  TARGET  = linux-glibc
  CPU     = generic
  CC      = cc
  CFLAGS  = -O2 -g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wall -Wextra -Wundef -Wdeclaration-after-statement -Wfatal-errors -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int -Wno-atomic-alignment


Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=1).
Built with OpenSSL version : OpenSSL 3.0.11 19 Sep 2023
Running on OpenSSL version : OpenSSL 3.0.11 19 Sep 2023
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
OpenSSL providers loaded : default
Built with Lua version : Lua 5.3.6
Built with the Prometheus exporter as a service
Built with network namespace support.
Built with OpenTracing support.
Support for malloc_trim() is enabled.
Built with libslz for stateless compression.
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with PCRE2 version : 10.42 2022-12-11
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with gcc compiler version 12.2.0

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
         h2 : mode=HTTP  side=FE|BE  mux=H2    flags=HTX|HOL_RISK|NO_UPG
       fcgi : mode=HTTP  side=BE     mux=FCGI  flags=HTX|HOL_RISK|NO_UPG
  <default> : mode=HTTP  side=FE|BE  mux=H1    flags=HTX
         h1 : mode=HTTP  side=FE|BE  mux=H1    flags=HTX|NO_UPG
  <default> : mode=TCP   side=FE|BE  mux=PASS  flags=
       none : mode=TCP   side=FE|BE  mux=PASS  flags=NO_UPG

Available services : prometheus-exporter
Available filters :
        [CACHE] cache
        [COMP] compression
        [FCGI] fcgi-app
        [  OT] opentracing
        [SPOE] spoe
        [TRACE] trace

Does this happen with an actual browser or a “special” client?

In HTTP the Host header will have :<port> appended if it’s a non standard port (not 80 for HTTP and not 443 for HTTPS).

This should not happen with SNI (at least in browsers), however if this is not a standard browser but another client, it could be that this client mistakenly appends the port to the SNI header or, even worse, does not send the SNI value at all.

I suggest you try to see what happens with you add this to the ACL

acl aria2rpc req.ssl_sni -i

Sorry, this is a misunderstanding.
This is because the website backend uses a self-signed TLS certificate from Cloudflare, which is illegal. The reason why port 443 is accessible is because I trusted the certificate after accessing port 443 with a browser a long time ago.
Since the request was made via XHR, I never knew it was a certificate issue. After I later used port 2096 to access and trust the certificate, everything became normal.


1 Like