Stickiness on backend server using X-SSL-Client-CN


#1

Hello

I am trying to do stickiness on X-SSL-Client-CN but requests still go roundrobin on both backend servers.
The CN is set properly in SSL connection from client to HAProxy.

Please suggest the missing config.

X-SSL-Client-CN = client

backend cdp1
mode tcp
balance roundrobin

stick-table type string size 204800
stick store-request req.hdr(X-SSL-Client-CN)
stick match req.hdr(X-SSL-Client-CN)

server app1 1.0.0.1:22 check
server app2 1.0.0.2:22 check
timeout server 2h

#2

Who is setting the X-SSL-Client-CN header? The browser/client? That seems strange. You probably want to use the pattern %{+Q}[ssl_c_s_dn(cn)]


#3

This pattern throws the error. Is there anything wrong in this config?

backend cdp1
mode tcp
balance roundrobin

stick-table type string size 204800
stick store-request %{+Q}[ssl_c_s_dn(cn)]
stick match %{+Q}[ssl_c_s_dn(cn)]

server app1 1.0.0.1:22 check
server app2 1.0.0.2:22 check
timeout server 2h

[ALERT] 158/123804 (25481) : parsing [/etc/haproxy/haproxy.cfg:154] : 'stick': unknown fetch method '%{+Q}[ssl_c_s_dn'
[ALERT] 158/123804 (25481) : parsing [/etc/haproxy/haproxy.cfg:155] : 'stick': unknown fetch method '%{+Q}[ssl_c_s_dn'
[ALERT] 158/123804 (25481) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg


#4

Try just ssl_c_s_dn(cn)
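As an added illustration, not posted by anyone in this thread, here is the surrounding frontend that makes ssl_c_s_dn(cn) usable as a stick key: the fetch only returns a value when HAProxy itself terminates the TLS session and the client presented a certificate. With verify required, the CN comes from a certificate chained to the configured client CA, so an unverified client cannot choose its own stick key (or fill the table with arbitrary keys). The bind port, certificate and CA paths are placeholders; the stick-table len and expire settings are additions not present in the thread's config (the default string length is 32 bytes, which truncates longer CNs, and without expire entries never age out).

```haproxy
frontend fe_mtls
    mode tcp
    # Placeholder paths: server certificate bundle and the CA that issues client certs.
    # verify required rejects the handshake unless the client cert validates against ca-file.
    bind :8443 ssl crt /etc/haproxy/certs/server.pem ca-file /etc/haproxy/certs/client-ca.pem verify required
    default_backend cdp1

backend cdp1
    mode tcp
    balance roundrobin
    # len 64 keeps CNs longer than 32 bytes from being truncated; expire lets idle keys age out.
    stick-table type string len 64 size 204800 expire 2h
    stick match ssl_c_s_dn(cn)
    stick store-request ssl_c_s_dn(cn)
    server app1 1.0.0.1:22 check
    server app2 1.0.0.2:22 check
    timeout server 2h
```

Check the resulting table with "show table cdp1" on the stats socket: a client CN should appear once, and its server_id should not change between requests.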


#5

I got it working. stick match should come before stick store.

Thanks,

Client request One : CN=client1

$ echo "show table cdp1" | sudo socat /var/run/haproxy.sock stdio
table: cdp1, type: string, size:204800, used:0

$ echo "show table cdp1" | sudo socat /var/run/haproxy.sock stdio
table: cdp1, type: string, size:204800, used:1
0xab4f24: key=client1 use=0 exp=0 server_id=1

Client request Two: CN=client1

$ echo "show table cdp1" | sudo socat /var/run/haproxy.sock stdio
table: cdp1, type: string, size:204800, used:1
0xab4f24: key=client1 use=0 exp=0 server_id=1

backend cdp1
mode tcp
balance roundrobin

stick-table type string size 204800
stick match ssl_c_s_dn(cn)
stick store-request ssl_c_s_dn(cn)


server app1 1.0.0.1:22 check
server app2 1.0.0.2:22 check
timeout server 2h
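The post above verifies stickiness by eyeballing two "show table cdp1" dumps. The following script, an added example rather than code from the thread or from HAProxy, parses that output format (the header line and the "0x...: key=... use=... exp=... server_id=..." entry lines seen above) and compares two snapshots so the check can run unattended: it reports keys whose server_id changed, keys that appeared, and how full the table is. The sample dumps are constructed to match the thread's format; the table name, keys and addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample: "show table cdp1" output before and after a second client connected.
SNAPSHOT_BEFORE = """\
table: cdp1, type: string, size:204800, used:1
0xab4f24: key=client1 use=0 exp=0 server_id=1
"""

SNAPSHOT_AFTER = """\
table: cdp1, type: string, size:204800, used:2
0xab4f24: key=client1 use=0 exp=0 server_id=1
0xab5130: key=client2 use=1 exp=0 server_id=2
"""

HEADER_RE = re.compile(
    r"^table: (?P<name>\S+), type: (?P<type>\w+), size:(?P<size>\d+), used:(?P<used>\d+)$"
)
ENTRY_RE = re.compile(r"^0x[0-9a-fA-F]+: key=(?P<key>\S+)(?P<fields>(?: \w+=\S+)*)$")


def parse_show_table(text):
    """Return (header dict, list of entry dicts) from a 'show table <name>' dump."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty dump")
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError(f"unexpected header line: {lines[0]!r}")
    header = {"name": m["name"], "type": m["type"],
              "size": int(m["size"]), "used": int(m["used"])}
    entries = []
    for ln in lines[1:]:
        em = ENTRY_RE.match(ln)
        if not em:
            raise ValueError(f"unexpected entry line: {ln!r}")
        entry = {"key": em["key"]}
        # Remaining fields are "name=value" pairs; numeric values become ints.
        for kv in em["fields"].split():
            name, _, value = kv.partition("=")
            entry[name] = int(value) if value.lstrip("-").isdigit() else value
        entries.append(entry)
    return header, entries


def server_assignments(text):
    """Map each stick key (here the client certificate CN) to its pinned server_id."""
    _, entries = parse_show_table(text)
    return {e["key"]: e["server_id"] for e in entries}


def table_summary(text):
    """Per-server key counts, fill ratio, and a flag if 'used' disagrees with the entries."""
    header, entries = parse_show_table(text)
    per_server = defaultdict(int)
    for e in entries:
        per_server[e["server_id"]] += 1
    return {
        "per_server": dict(per_server),
        "fill_ratio": header["used"] / header["size"],
        "used_matches_entries": header["used"] == len(entries),
    }


def compare_snapshots(before_text, after_text):
    """Stickiness check: a key seen in both dumps must keep the same server_id."""
    before = server_assignments(before_text)
    after = server_assignments(after_text)
    moved = {k: (before[k], after[k]) for k in before if k in after and before[k] != after[k]}
    added = sorted(k for k in after if k not in before)
    removed = sorted(k for k in before if k not in after)
    return {"moved": moved, "added": added, "removed": removed, "sticky": not moved}


if __name__ == "__main__":
    print(table_summary(SNAPSHOT_AFTER))
    print(compare_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_AFTER))
```

In practice the two snapshots come from running the same socat command as in the post before and after a client reconnects; a non-empty "moved" result means the key was re-balanced and stickiness is not holding, while a fill_ratio approaching 1 means the table is about to evict entries.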