Trouble with binding ports when using the same ssl and acl rule

Hello everybody!

I am very new to HAProxy and trying to set up a simple configuration.
What I’m trying to do is use the same subdomain to identify the server and then go towards its various services by specifying the port (https://example.com:8080, 443 etc.).

When I use 443, everything works fine, I can point the traffic to the backend I want, but as soon as I go to, for example, 8080 or 50085, it doesn’t work at all and only gets error 503.

In the firewall and the entrance that goes to HAProxy, these ports are open and should not cause it.

Below is my configuration. Does anyone have any idea what I’m doing wrong?

global
    log         127.0.0.2 local0
    log         127.0.0.1 local1 notice
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon
    stats socket /var/lib/haproxy/stats
    stats socket *:1999 level admin
    stats socket /var/run/haproxy.sock mode 600 level admin
    server-state-file /etc/haproxy/haproxy.state

defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

listen stats 
    bind *:8085
    http-request use-service prometheus-exporter if { path /metrics }
    stats enable
    stats uri /stats
    stats realm HAProxy-04\ Statistics
    stats auth admin:password
    stats admin if TRUE


backend per_ip_and_url_rates
    stick-table type binary len 8 size 1m expire 24h store http_req_rate(24h)

backend per_ip_rates
    stick-table type ip size 1m expire 24h store gpc0,gpc0_rate(30s)

frontend port443-webgui
    bind *:443 ssl crt /etc/haproxy/certs/ strict-sni
    mode http
    maxconn 2000
    option httplog

    # ACL rules
    acl dev-zafe hdr(host) -i dev.zafe.se
    acl statusmonitor hdr(host) -i statusmonitor.zafe.se

    # Use backend for dev-zafe
    use_backend webgui-dev-zafe if dev-zafe
    use_backend webgui-statusmonitor if statusmonitor

frontend port50085-ipcamera
    bind *:50085 ssl crt /etc/haproxy/certs/ strict-sni
    mode http
    maxconn 2000
    option httplog

    # ACL rules
    acl dev-zafe hdr(host) -i dev.zafe.se

    # Use backend for dev-zafe
    use_backend ipcamera-dev-zafe if dev-zafe

backend webgui-dev-zafe
    mode http
    balance roundrobin
    server 192.168.4.30 192.168.4.30:1024 check port 1024 maxconn 200

backend webgui-statusmonitor
    mode http
    balance roundrobin
    server 192.168.4.90 192.168.4.90:80 check port 80 maxconn 200

backend nattuggla-dev-zafe
    mode http
    balance roundrobin
    server 192.168.4.30 192.168.4.30:8080 check port 8080 maxconn 200

backend ipcamera-dev-zafe
    mode http
    balance roundrobin
    server 192.168.4.30 192.168.4.30:50085 maxconn 200

frontend port8080-nattuggla
    bind *:8080 ssl crt /etc/haproxy/certs/ strict-sni
    mode http
    maxconn 2000
    option httplog

    # ACL rules
    acl dev-zafe-nattuggla hdr(host) -i dev.zafe.se

    # Use backend for dev-zafe
    use_backend nattuggla-dev-zafe if dev-zafe-nattuggla

If your browser accesses a non-standard port, the Host header changes with it.

Accessing https://example.com:8080/ means that you need to match a Host header that is example.com:8080.

1 Like
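
The fix described in the answer above, applied to the two non-443 frontends from the question. This is an added example, not part of the original thread; frontend, backend and host names are taken from the posted configuration, and variant B (stripping the port with the field converter) is an alternative added here.

```haproxy
# Added example: the two non-443 frontends from the question, with the Host
# match made port-aware. Names, paths and hostnames are taken from the question.

frontend port8080-nattuggla
    bind *:8080 ssl crt /etc/haproxy/certs/ strict-sni
    mode http
    maxconn 2000
    option httplog

    # Before (as posted): the browser sends "Host: dev.zafe.se:8080" for
    # https://dev.zafe.se:8080/, so this exact match on the bare name fails.
    # No use_backend rule fires, there is no default_backend, and HAProxy
    # answers 503.
    #   acl dev-zafe-nattuggla hdr(host) -i dev.zafe.se

    # After, variant A: match the header exactly as sent, port included.
    acl dev-zafe-nattuggla hdr(host) -i dev.zafe.se:8080

    use_backend nattuggla-dev-zafe if dev-zafe-nattuggla

frontend port50085-ipcamera
    bind *:50085 ssl crt /etc/haproxy/certs/ strict-sni
    mode http
    maxconn 2000
    option httplog

    # After, variant B: cut the header at the first ':' with the field()
    # converter and compare only the hostname part, so the same ACL line
    # works on any listener port.
    acl dev-zafe req.hdr(host),field(1,:) -i dev.zafe.se

    use_backend ipcamera-dev-zafe if dev-zafe
```

Both variants are still exact string matches, so requests with any other Host value continue to fall through without a backend. Check the edited file with `haproxy -c -f <config file>` before reloading.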

Aha! So simple…

Well thank you for a very fast response :slight_smile:

1 Like