Why does my simplified config not work? - 1.8 - tcp reverse proxy with domain name checks


#1

Hi there,

could anybody help me to figure out why my config does not work?

listen listener
  mode tcp
  bind *:80
  bind *:443
  bind *:10000
  bind *:8443

  tcp-request inspect-delay 5s
  tcp-request content accept if HTTP or { req_ssl_hello_type 1 }

  use-server c2 if { hdr(host) -i -f /etc/haproxy/c2/domains } or { req_ssl_sni -i -f /etc/haproxy/c2/domains }
  server c2 10.192.119.156 port 443 check

  use-server c3 if { hdr(host) -i -f /etc/haproxy/c3/domains } or { req_ssl_sni -i -f /etc/haproxy/c3/domains }
  server c3 10.192.119.155 port 443 check

  use-server c4 if { hdr(host) -i -f /etc/haproxy/c4/domains } or { req_ssl_sni -i -f /etc/haproxy/c4/domains }
  server c4 10.192.119.143 port 443 check

#2

You cannot match a host header in TCP mode. HTTP mode is required for that.

Now the use-server directive should generally not be used to content switch applications to appropriate servers. It has a different purpose and misusing will cause headaches sooner or later.

Drop the listen/server configuration and use frontend/backends instead. Use 1 frontend for HTTP traffic and another one for HTTPS.

Something like this (I did not include port 10000 as I don’t know whether this is HTTP or HTTPS)?

frontend http
 mode http
 bind :80
 use_backend c2 if { hdr(host) -i -f /etc/haproxy/c2/domains }
 use_backend c3 if { hdr(host) -i -f /etc/haproxy/c3/domains }
 use_backend c4 if { hdr(host) -i -f /etc/haproxy/c4/domains }

frontend https
 mode tcp
 bind :443
 bind :8443
 tcp-request inspect-delay 5s
 tcp-request content accept if { req_ssl_hello_type 1 }
 use_backend c2 if { req_ssl_sni -i -f /etc/haproxy/c2/domains }
 use_backend c3 if { req_ssl_sni -i -f /etc/haproxy/c3/domains }
 use_backend c4 if { req_ssl_sni -i -f /etc/haproxy/c4/domains }


backend c2
 server c2 10.192.119.156 port 443 check

backend c3
 server c3 10.192.119.155 port 443 check

backend c4
 server c4 10.192.119.143 port 443 check

#3

Wow! Thank you for that fast and good support! :smiley:

I was trying to find ways to minimize the config…
But I guess you can't minimize it completely.

Thanks again!


#4

@lukastribus
Do you have any simplification advice?

So there is no way to just get traffic from any ports on the frontend to the same ports on the backend no matter if they are http or https and let the backend server figure it out?
I just want to do domain based routing and want to keep the load on haproxy as light as possible.


#5

What are you trying to simplify? What is it that you are trying to achieve?

Are you trying to get this working with the smallest amount of config lines? Config characters? What’s your benchmark and more importantly why?


#6

I thought if I have to change the config through scripting in the future it would be best to only have to change the domains in one place, but my config at the top didn't have one place either. So I guess that's not possible with http and https (backend terminated).

Also if I have to change the file through the terminal it will be easier if I have to add less if another server gets added.

Also I discovered I will have to use each server 2 times because the http frontends ask for an http backend server:
May 02 20:23:57 c1 haproxy[30863]: [ALERT] 121/202357 (30863) : http frontend 'http' (/etc/haproxy/haproxy.cfg:35) tries to use incompatible tcp backend 'c2' (/etc/haproxy/haproxy.cfg:55) in a 'use_backend' rule (see 'mode').
May 02 20:23:57 c1 haproxy[30863]: [ALERT] 121/202357 (30863) : http frontend 'http' (/etc/haproxy/haproxy.cfg:35) tries to use incompatible tcp backend 'c3' (/etc/haproxy/haproxy.cfg:58) in a 'use_backend' rule (see 'mode').
May 02 20:23:57 c1 haproxy[30863]: [ALERT] 121/202357 (30863) : http frontend 'http' (/etc/haproxy/haproxy.cfg:35) tries to use incompatible tcp backend 'c4' (/etc/haproxy/haproxy.cfg:61) in a 'use_backend' rule (see 'mode').
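Added example (editor's note, not posted by anyone in this thread): a config that resolves the "incompatible tcp backend" alerts above by giving each server one http backend and one tcp (TLS passthrough) backend, both driven by the same domain list files. It assumes the servers answer plain HTTP on :80 and TLS on :443; the timeouts are placeholders.

```haproxy
# Assumed: c2-c4 serve plain HTTP on :80 and TLS on :443; timeouts are placeholders.
defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend http
    mode http
    bind :80
    use_backend c2_http if { hdr(host) -i -f /etc/haproxy/c2/domains }
    use_backend c3_http if { hdr(host) -i -f /etc/haproxy/c3/domains }
    use_backend c4_http if { hdr(host) -i -f /etc/haproxy/c4/domains }

frontend https
    mode tcp
    bind :443
    bind :8443
    tcp-request inspect-delay 5s
    # Hold the connection (up to 5s) until a TLS ClientHello is seen, so SNI is readable
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend c2_tls if { req_ssl_sni -i -f /etc/haproxy/c2/domains }
    use_backend c3_tls if { req_ssl_sni -i -f /etc/haproxy/c3/domains }
    use_backend c4_tls if { req_ssl_sni -i -f /etc/haproxy/c4/domains }

# An http frontend may only use an http backend, so the passthrough
# backends must be separate tcp backends: one pair per server.
backend c2_http
    mode http
    server c2 10.192.119.156:80 check
backend c2_tls
    mode tcp
    server c2 10.192.119.156:443 check

backend c3_http
    mode http
    server c3 10.192.119.155:80 check
backend c3_tls
    mode tcp
    server c3 10.192.119.155:443 check

backend c4_http
    mode http
    server c4 10.192.119.143:80 check
backend c4_tls
    mode tcp
    server c4 10.192.119.143:443 check
```

Connections that send no ClientHello within the inspect delay are dropped by the https frontend, and any Host or SNI value not listed in a domains file falls through to no backend, so nothing reaches a server by default.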