Why does my simplified config not work? - 1.8 - tcp reverse proxy with domain name checks

Hi there,

could anybody help me to figure out why my config does not work?

listen listener
  mode tcp
  bind *:80
  bind *:443
  bind *:10000
  bind *:8443

  tcp-request inspect-delay 5s
  tcp-request content accept if HTTP or { req_ssl_hello_type 1 }

  use-server c2 if { hdr(host) -i -f /etc/haproxy/c2/domains } or { req_ssl_sni -i -f /etc/haproxy/c2/domains }
  server c2 10.192.119.156 port 443 check

  use-server c3 if { hdr(host) -i -f /etc/haproxy/c3/domains } or { req_ssl_sni -i -f /etc/haproxy/c3/domains }
  server c3 10.192.119.155 port 443 check

  use-server c4 if { hdr(host) -i -f /etc/haproxy/c4/domains } or { req_ssl_sni -i -f /etc/haproxy/c4/domains }
  server c4 10.192.119.143 port 443 check

You cannot match a host header in TCP mode. HTTP mode is required for that.

Now the use-server directive should generally not be used to content switch applications to appropriate servers. It has a different purpose and misusing will cause headaches sooner or later.

Drop the listen/server configuration and use frontend/backends instead. Use 1 frontend for HTTP traffic and another one for HTTPS.

Something like this (I did not include port 10000 as I don’t know whether this is HTTP or HTTPS)?

frontend http
 mode http
 bind :80
 use_backend c2 if { hdr(host) -i -f /etc/haproxy/c2/domains }
 use_backend c3 if { hdr(host) -i -f /etc/haproxy/c3/domains }
 use_backend c4 if { hdr(host) -i -f /etc/haproxy/c4/domains }

frontend https
 mode tcp
 bind :443
 bind :8443
 tcp-request inspect-delay 5s
 tcp-request content accept if { req_ssl_hello_type 1 }
 use_backend c2 if { req_ssl_sni -i -f /etc/haproxy/c2/domains }
 use_backend c3 if { req_ssl_sni -i -f /etc/haproxy/c3/domains }
 use_backend c4 if { req_ssl_sni -i -f /etc/haproxy/c4/domains }


backend c2
 server c2 10.192.119.156 port 443 check

backend c3
 server c3 10.192.119.155 port 443 check

backend c4
 server c4 10.192.119.143 port 443 check
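Why the https frontend above can route on `req_ssl_sni` while still in `mode tcp`: the server name sits unencrypted in the ClientHello, so it can be read from the raw bytes before any TLS termination, whereas the Host header is either inside the encrypted stream or needs HTTP parsing that `mode tcp` never does. The following Python is an added illustration, not code from this thread or from HAProxy: it builds a constructed ClientHello, extracts the SNI the way `req_ssl_hello_type 1` / `req_ssl_sni` look at it, and maps it to a backend name the way the `-i -f domains` rules would (a dict stands in for the domain files).

```python
import struct
from typing import Optional

def build_client_hello(server_name: str) -> bytes:
    """Constructed sample input: a minimal TLS ClientHello record carrying an SNI extension."""
    name = server_name.encode("ascii")
    # server_name extension: list length, name_type 0 (host_name), name length, name
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    extensions = struct.pack("!HH", 0x0000, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32              # client_version + 32-byte random (zeros here)
            + b"\x00"                               # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite
            + b"\x01\x00"                           # one compression method (null)
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22

def extract_sni(data: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None when the bytes are
    not a ClientHello (what req_ssl_hello_type 1 rejects) or carry no SNI."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:     # record type 22 (handshake), hello type 1
            return None
        hs_len = int.from_bytes(data[6:9], "big")
        body = data[9:9 + hs_len]
        if len(body) < hs_len:
            return None                             # truncated: HAProxy keeps waiting (inspect-delay)
        pos = 2 + 32                                # skip client_version and random
        pos += 1 + body[pos]                        # skip session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # skip cipher suites
        pos += 1 + body[pos]                        # skip compression methods
        if pos >= len(body):
            return None                             # no extensions block at all
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == 0x0000:                  # server_name extension
                name_type, name_len = struct.unpack("!BH", body[pos + 2:pos + 5])
                if name_type == 0:                  # host_name entry
                    return body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None

def choose_backend(data: bytes, domains: dict) -> Optional[str]:
    """Mimic `use_backend X if { req_ssl_sni -i -f domains }`: case-insensitive exact match."""
    sni = extract_sni(data)
    return domains.get(sni.lower()) if sni else None
```

A plain HTTP request fed to `extract_sni` yields None, which is exactly the situation the original `listen` block hit: in TCP mode there is no parsed Host header to match, only bytes.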

Wow! Thank you for that fast and good support! :smiley:

I was trying to find ways to minimize the config…
But I guess you can't minimize it completely.

Thanks again!

@lukastribus
Do you have any simplification advice?

So there is no way to just get traffic from any ports on the frontend to the same ports on the backend no matter if they are http or https and let the backend server figure it out?
I just want to do domain based routing and want to keep the load on haproxy as light as possible.

What are you trying to simplify? What is it that you are trying to achieve?

Are you trying to get this working with the smallest amount of config lines? Config characters? What’s your benchmark and more importantly why?

I thought if I have to change the config through scripting in the future it would be best to only have to change the domains in one place, but my config at the top didn't have one place either. So I guess that's not possible with http and https (backend terminated).

Also if I have to change the file through the terminal it will be easier if I have to add less if another server gets added.

Also I discovered I will have to use each server 2 times because the http frontends ask for an http backend server:
May 02 20:23:57 c1 haproxy[30863]: [ALERT] 121/202357 (30863) : http frontend ‘http’ (/etc/haproxy/haproxy.cfg:35) tries to use incompatible tcp backend ‘c2’ (/etc/haproxy/haproxy.cfg:55) in a ‘use_backend’ rule (see ‘mode’).
May 02 20:23:57 c1 haproxy[30863]: [ALERT] 121/202357 (30863) : http frontend ‘http’ (/etc/haproxy/haproxy.cfg:35) tries to use incompatible tcp backend ‘c3’ (/etc/haproxy/haproxy.cfg:58) in a ‘use_backend’ rule (see ‘mode’).
May 02 20:23:57 c1 haproxy[30863]: [ALERT] 121/202357 (30863) : http frontend ‘http’ (/etc/haproxy/haproxy.cfg:35) tries to use incompatible tcp backend ‘c4’ (/etc/haproxy/haproxy.cfg:61) in a ‘use_backend’ rule (see ‘mode’).

Hello community, can you help me, I am new to Proxy I am trying to make my publications use the same Public IP, my configuration is the following:
frontend SharedFrontend-merged
bind 0.0.0.0:443 name 0.0.0.0:443 ssl crt-list /var/etc/haproxy/SharedFrontend.crt_list
mode tcp
log global
timeout client 30000
acl ACL_GESTIONA src reportsense.marcobre.com
tcp-request content accept if ACL_GESTIONA
use_backend BACKENDPLATAFMA_ipvANY if ACL_GESTIONA

backend BACKENDPLATAFMA_ipvANY
mode tcp
id 108
log global
timeout connect 600000
timeout server 600000
retries 10
option httpchk OPTIONS /
server PLATAFORMA-MA 172.23.130.88:9190 id 103 check inter 1000

however I am not successful; the errors shown are:

No se puede acceder a este sitio

gestiona.marcobre.com tardó demasiado en responder.

Intenta:

ERR_CONNECTION_TIMED_OUT

P.S.:
I use pfSense on FreeBSD, which is running HAProxy.

Please give me your support, because the company is beginning to doubt the potential of HAProxy, and even more of pfSense and my service.