[SOLVED] One IP, fistful of domains, pack of subdomains and HAProxy in front of it

Good day, friends.

Almost all of it is in the title.
How do I configure my little zoo of, say, containers to work correctly behind one proxy? I have a separate certificate for every subdomain of every domain; I do not plan to use plain HTTP, only HTTPS; I do not plan to terminate SSL on the proxy, so I need SNI.

Where can I find a working example of the config file for my case, or at least a base to start from and ask question(s) about? I tried some variants from the various examples I found, but none of them worked as expected.

Thank you in advance.

The frontend and backend need to be in TCP mode; you match a TLS session with TCP content rules and then match the SNI field in it:

    frontend https-in
    mode tcp
    bind :443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend backend1 if { req_ssl_sni -i test1.example.org }
    use_backend backend2 if { req_ssl_sni -i test2.example.org }
    use_backend backend3 if { req_ssl_sni -i test3.example.org }

Always take care that your certificates don’t overlap with each other, otherwise the browser will reuse existing TLS sessions for what is allowed by the certificate.


Hello!
Thank you for your response.

I see these repetitive lines in haproxy.log (10 per connection attempt, the port number increases):
Oct 30 19:39:59 scorry haproxy[18943]: XX.XX.XX.XX:34152 [30/Oct/2018:19:39:59.229] https-in~ https-in/<NOSRV> -1/-1/729 0 SC 1/1/0/0/0 0/0
For the sake of clarity, I deleted all the pem files but one, but it didn’t change anything.
And the sites are accessible from the LAN over HTTPS, so the certs/webserver part seems to be working fine.

That means the server is unreachable. Can you share the config?


Yes, here it is.

Ok, from the haproxy instance, try curl against this backend server and provide the output:

curl -vk https://192.168.0.55/

Yep, that's it.

Well, it looks like haproxy is unable to access those backend servers, while curl can reach them just fine.

I suggest you run haproxy through strace -tt for a short period of time while you reproduce it. That output will show exactly what the system calls return. I assume that something at the system level is intervening, like SELinux or something like that.


OK, thank you again.

I reproduced it. The command line was:
strace -tt haproxy -f /etc/haproxy/haproxy.cfg -d &> haproxy_strace.log

Result here.
I opened in Firefox one domain, the https version of it, subdomain_1, https://subdomain_1, subdomain_2, and https://subdomain_2.

BTW, the http portion of the haproxy config works well.

Ok, I found an issue in your configuration that I did not see at first:

You configured the https frontend with TLS termination (ssl crt /var/lib/haproxy/private/ after the bind :443), which means haproxy decrypts TLS there. But you are then passing everything as-is to port 443 on your backends, without re-encryption (so you are sending plaintext HTTP to an HTTPS port).

You can either:

  • keep terminating TLS on haproxy, but send cleartext traffic to port 80 of your backend servers (just reuse the plaintext backends you already have for http)
  • keep terminating TLS on haproxy, but re-encrypt TLS towards your backends (add the ssl and ca-file options to your server lines)
  • just pass through TCP port 443 without terminating it (just drop ssl crt /var/lib/haproxy/private/ from your bind line)
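
Putting the two answers together: the SNI-routing frontend from the first answer and the passthrough fix (no ssl crt on the bind line) from the last one. This is an added example, not a config posted in the thread. It assumes the host names test1..test3.example.org from the first answer and the backend 192.168.0.55 from the curl test; the other backend addresses, the log and timeout values, the backend names and the ca-file path are assumptions.

```haproxy
global
    log /dev/log local0
    maxconn 2000

defaults
    log     global
    option  tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Port 80 only redirects to HTTPS, so nothing is served in the clear.
frontend http-in
    mode http
    bind :80
    http-request redirect scheme https code 301

# Passthrough: no "ssl crt ..." on this bind line. With "ssl crt" haproxy
# terminates TLS and forwards plaintext HTTP to port 443 on the backends,
# which refuse it (the <NOSRV> / SC lines in the log above).
frontend https-in
    mode tcp
    bind :443
    tcp-request inspect-delay 5s
    # Wait (up to 5s) for a complete ClientHello (hello type 1) before routing.
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Anything that is still not a TLS ClientHello when the delay expires is dropped.
    tcp-request content reject
    # req.ssl_sni reads the unencrypted SNI from the ClientHello; -i is case-insensitive.
    # (req_ssl_sni / req_ssl_hello_type in the answer above are the older aliases.)
    use_backend bk_test1 if { req.ssl_sni -i test1.example.org }
    use_backend bk_test2 if { req.ssl_sni -i test2.example.org }
    use_backend bk_test3 if { req.ssl_sni -i test3.example.org }
    # Clients sending no SNI or an unknown name get the first site; its
    # certificate will not match their name, so they get a certificate
    # error rather than another site's content.
    default_backend bk_test1

# Each backend terminates TLS itself with its own certificate, so the
# frontend stays in tcp mode and forwards port 443 unchanged.
backend bk_test1
    mode tcp
    server test1 192.168.0.55:443 check

backend bk_test2
    mode tcp
    server test2 192.168.0.56:443 check      # assumed address

backend bk_test3
    mode tcp
    server test3 192.168.0.57:443 check      # assumed address

# Second option from the last answer: terminate on haproxy and re-encrypt.
# Then https-in becomes "mode http" with
#   bind :443 ssl crt /var/lib/haproxy/private/
# and each server line verifies the backend's certificate, for example:
#   server test1 192.168.0.55:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(test1.example.org) check
# (ca-file path assumed; use the CA that issued the backend certificates.)
```

Check the file with haproxy -c -f /etc/haproxy/haproxy.cfg before reloading, then from outside the LAN run openssl s_client -connect <public-ip>:443 -servername test1.example.org and confirm the certificate shown is the one installed on 192.168.0.55; repeat for each name, and once without -servername to see the default_backend behaviour. In the log line quoted above, the ~ after https-in marks a TLS-terminating bind; with the passthrough frontend it disappears and the backend column shows the chosen bk_* backend instead of <NOSRV>.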

Thank you very, VERY much.
All is working as expected!



Thanks for sharing. Hopefully it will work for me too.