Traffic with different acl for virtual host seems to be counted in all backends


#1

Hi,

I have something like this:

frontend app1
 acl app1 hdr(host) -i app1.domain.com
 default_backend app1
 use_backend app1 if app1

frontend app2
 acl app2 hdr(host) -i app2.domain.com
 default_backend app2
 use_backend app2 if app2

backend app1
 mode http
 ...
 option httpchk GET /rest/util/setting HTTP/1.0\r\nHost:\ app1.domain.com:8080\r\n
 ...
 server talaiaclu01-app1 192.168.211.13:8080 cookie server1 maxconn 1000 check inter 5000
 server talaiaclu02-app1 192.168.211.14:8080 cookie server2 maxconn 1000 check inter 5000

backend app2
 mode http
 ...
 option httpchk GET /rest/util/setting HTTP/1.0\r\nHost:\ app2.domain.com:8080\r\n
 ...
 server talaiaclu01-app2 192.168.211.13:8080 cookie server1 maxconn 1000 check inter 5000
 server talaiaclu02-app2 192.168.211.14:8080 cookie server2 maxconn 1000 check inter 5000

This should be sending requests for app1.domain.com only to backend app1. But as per the statistics I can see that backend app2 is being hit. In fact I can see that the frontend is also being hit by the same request.

In fact the requests are well redirected to the right backend based on the URL, but the statistics are perturbing me. I could understand that all frontends must be hit to determine which is the right one, but backends should not, right? And the backends never receive the requests that are not destined for them. So it seems to be only a statistics problem.

Kind regards,


#2

Please share the complete configuration. It is unclear where you bind your ports in those 2 frontends.


#3

Hi,

there it goes:

global
    log 127.0.0.1 local0 notice
    maxconn 4000
    tune.ssl.default-dh-param 2048
    user haproxy
    group haproxy
    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    stats socket /var/run/haproxy.stat

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    retries 3
    option redispatch
    timeout connect  5000
    timeout client  20000
    timeout server  20000

frontend http-redirect
    bind *:80
    reqadd X-Forwarded-Proto:\ http
    default_backend app1

frontend openppm-app1
   http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload
   http-response set-header X-Frame-Options DENY
   http-response set-header X-Content-Type-Options nosniff
   compression algo gzip
   bind :443 ssl crt /etc/ssl/certs/mycert.com.pem
   reqadd X-Forwarded-Proto:\ https
   acl app1 hdr(host) -i app1.domain.com
   default_backend app1
   use_backend app1 if app1

frontend openppm-app2
   http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload
   http-response set-header X-Frame-Options DENY
   http-response set-header X-Content-Type-Options nosniff
   compression algo gzip
   bind :443 ssl crt /etc/ssl/certsmycert.com.pem
   reqadd X-Forwarded-Proto:\ https
   acl app2 hdr(host) -i app2.domain.com
   default_backend app2
   use_backend app2 if app2

backend app1
    mode http
    redirect scheme https if !{ ssl_fc }
    option httpclose
    option redispatch
    option forwardfor
    option http-server-close
    option httpchk GET /rest/util/setting HTTP/1.0\r\nHost:\ app1.domain.com:8080\r\n
    http-check expect rstatus ^200
    cookie JSESSIONID prefix
    balance roundrobin
    # server names must be unique within a backend; the second server was also named tomcat01-app1
    server tomcat01-app1 192.168.211.13:8080 cookie server1 maxconn 1000 check inter 5000
    server tomcat02-app1 192.168.211.14:8080 cookie server2 maxconn 1000 check inter 5000

backend app2
    mode http
    redirect scheme https if !{ ssl_fc }
    option httpclose
    option redispatch
    option forwardfor
    option http-server-close
    compression algo gzip
    option httpchk GET /rest/util/setting HTTP/1.0\r\nHost:\ app2.domain.com:8080\r\n
    http-check expect rstatus ^200
    cookie JSESSIONID prefix
    balance roundrobin
    # server names must be unique within a backend; the second server was also named tomcat01-app2
    server tomcat01-app2 192.168.211.13:8080 cookie server1 maxconn 1000 check inter 5000
    server tomcat02-app2 192.168.211.14:8080 cookie server2 maxconn 1000 check inter 5000

listen stats
        bind 192.168.211.13:9001
        mode http
        stats enable
        stats uri /stats
        stats realm Zabbix

Thank you!


#4

You cannot create two different frontends listening on the same port. It doesn't work like that.

  • use a single traffic handling frontend
  • if you redirect all your http traffic to https, then do it directly in the port 80 frontend instead of duplicating this in both backends

for example:

frontend http-redirect
    bind *:80
    redirect scheme https

frontend https-in
    http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload
    http-response set-header X-Frame-Options DENY
    http-response set-header X-Content-Type-Options nosniff
    compression algo gzip
    bind :443 ssl crt /etc/ssl/certs/mycert.com.pem crt /etc/ssl/certsmycert.com.pem
    acl app1 hdr(host) -i app1.domain.com
    use_backend app1 if app1
    acl app2 hdr(host) -i app2.domain.com
    use_backend app2 if app2

backend app1
    mode http
    option httpclose
    option redispatch
    option forwardfor
    option http-server-close
    option httpchk GET /rest/util/setting HTTP/1.0\r\nHost:\ app1.domain.com:8080\r\n
    http-check expect rstatus ^200
    cookie JSESSIONID prefix
    balance roundrobin
    # server names must be unique within a backend; the second server was also named tomcat01-app1
    server tomcat01-app1 192.168.211.13:8080 cookie server1 maxconn 1000 check inter 5000
    server tomcat02-app1 192.168.211.14:8080 cookie server2 maxconn 1000 check inter 5000

backend app2
    mode http
    option httpclose
    option redispatch
    option forwardfor
    option http-server-close
    compression algo gzip
    option httpchk GET /rest/util/setting HTTP/1.0\r\nHost:\ app2.domain.com:8080\r\n
    http-check expect rstatus ^200
    cookie JSESSIONID prefix
    balance roundrobin
    # server names must be unique within a backend; the second server was also named tomcat01-app2
    server tomcat01-app2 192.168.211.13:8080 cookie server1 maxconn 1000 check inter 5000
    server tomcat02-app2 192.168.211.14:8080 cookie server2 maxconn 1000 check inter 5000
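The mistake in post #3 is easy to miss by eye: both `openppm-app1` and `openppm-app2` bind `:443` in the same process. On Linux HAProxy binds with SO_REUSEPORT by default, so both binds succeed and the kernel hands each new connection to one of the two frontends; a request for app1.domain.com that lands on `openppm-app2` fails its `acl app2` test and falls through to `default_backend app2`, which is exactly what the per-backend statistics showed. Because both backends point at the same Tomcat hosts, the application still answered correctly, so only the counters looked wrong. The following is an added example, not code from the thread: a small checker that parses HAProxy config text, reports ports claimed by more than one frontend or listen section, and lists each frontend's `default_backend` fall-through next to its `use_backend` targets. The two configs embedded in it are condensed from posts #3 and #4 (headers, checks and cookies dropped); everything else is assumed for illustration.

```python
"""Flag duplicate `bind` ports across HAProxy frontends and show where
unmatched requests fall through. Added example; not from the thread."""
from collections import defaultdict

SECTION_KEYWORDS = ("global", "defaults", "frontend", "backend", "listen")
WILDCARD_ADDRS = ("", "*", "0.0.0.0", "::")


def parse_sections(cfg_text):
    """Return a list of (kind, name, directive_lines) for every section."""
    sections = []
    current = None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] in SECTION_KEYWORDS:
            current = (parts[0], parts[1] if len(parts) > 1 else "", [])
            sections.append(current)
        elif current is not None:
            current[2].append(line)
    return sections


def parse_bind(line):
    """Yield (address, port) for each address in a `bind` directive.
    '*' is returned for any wildcard form (':443', '*:443', '0.0.0.0:443')."""
    for spec in line.split()[1].split(","):
        addr, _, port = spec.rpartition(":")
        addr = addr.strip("[]")
        yield ("*" if addr in WILDCARD_ADDRS else addr), port


def duplicate_binds(cfg_text):
    """Map port -> [section names] for ports bound by more than one frontend/listen
    section, either on the same address or where a wildcard overlaps everything."""
    by_port = defaultdict(list)
    for kind, name, lines in parse_sections(cfg_text):
        if kind not in ("frontend", "listen"):
            continue
        for line in lines:
            if line.split()[0] == "bind":
                for addr, port in parse_bind(line):
                    by_port[port].append((addr, name))
    conflicts = {}
    for port, entries in by_port.items():
        addrs = [a for a, _ in entries]
        if len(entries) > 1 and ("*" in addrs or len(set(addrs)) < len(addrs)):
            conflicts[port] = [n for _, n in entries]
    return conflicts


def routing_summary(cfg_text):
    """Map frontend name -> (default_backend or None, [use_backend targets]).
    The default_backend is where any request matching no use_backend rule ends up."""
    summary = {}
    for kind, name, lines in parse_sections(cfg_text):
        if kind != "frontend":
            continue
        default, explicit = None, []
        for line in lines:
            parts = line.split()
            if parts[0] == "default_backend":
                default = parts[1]
            elif parts[0] == "use_backend":
                explicit.append(parts[1])
        summary[name] = (default, explicit)
    return summary


# Constructed input: the layout from post #3, reduced to bind/routing directives.
BROKEN_CFG = """
frontend http-redirect
    bind *:80
    default_backend app1
frontend openppm-app1
    bind :443 ssl crt /etc/ssl/certs/mycert.com.pem
    acl app1 hdr(host) -i app1.domain.com
    default_backend app1
    use_backend app1 if app1
frontend openppm-app2
    bind :443 ssl crt /etc/ssl/certs/mycert.com.pem
    acl app2 hdr(host) -i app2.domain.com
    default_backend app2
    use_backend app2 if app2
backend app1
    server tomcat01-app1 192.168.211.13:8080 check
backend app2
    server tomcat01-app2 192.168.211.13:8080 check
listen stats
    bind 192.168.211.13:9001
    stats enable
"""

# Constructed input: the single-frontend layout from post #4.
FIXED_CFG = """
frontend http-redirect
    bind *:80
    redirect scheme https
frontend https-in
    bind :443 ssl crt /etc/ssl/certs/mycert.com.pem
    acl app1 hdr(host) -i app1.domain.com
    use_backend app1 if app1
    acl app2 hdr(host) -i app2.domain.com
    use_backend app2 if app2
backend app1
    server tomcat01-app1 192.168.211.13:8080 check
backend app2
    server tomcat01-app2 192.168.211.13:8080 check
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CFG), ("fixed", FIXED_CFG)):
        print(label, "duplicate binds:", duplicate_binds(cfg))
        for fe, (default, targets) in routing_summary(cfg).items():
            print(f"  {fe}: use_backend -> {targets}, fall-through -> {default}")
```

Running the script against a real file is a matter of `routing_summary(open("/etc/haproxy/haproxy.cfg").read())`. Note that the fixed frontend has no `default_backend`, so a request whose Host header matches neither ACL gets a 503 from HAProxy rather than being silently served by whichever app happens to be the default; that is usually what you want on a shared listener.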

#5

Hi lukastribus,

your help is much appreciated. Didn't try it yet but this makes sense…

Thank you very much!

Edit: confirmed! Traffic is only accounted for the right backend.