Hi all, I'm asking this question here since I read in the docs that if I see "Ixxx" in the session "termination_state" log I should do so :-)
The error I got while experimenting with the HAP config is as follows:

    Jan 29 03:33:44 ip-172-31-45-201 haproxy[124024]: <CLIENT_IP>:44296 [29/Jan/2020:03:33:44.952] fe_https~ host.mydomain.com/<NOSRV> -1/-1/-1/-1/0 500 0 - - IR-- 1/1/5/0/3 0/0 "GET /api/search HTTP/1.1"

The command that produced it:

    $ curl -vsSNiL -H "Host: host.mydomain.com" https://haproxy.example.com:8443/api/search

And the relevant haproxy-2.0.12 configuration (it's in AWS):

    resolvers vpc
        nameserver dns1 172.31.0.2:53
        accepted_payload_size 8192
        resolve_retries 30
        timeout resolve 1s
        timeout retry 2s
        hold valid 30s
        hold other 30s
        hold refused 30s
        hold nx 30s
        hold timeout 30s
        hold obsolete 30s

    frontend fe_https
        bind *:8443 ssl crt /etc/haproxy/ssl.d/ alpn h2,http/1.1
        mode http
        option httplog
        use_backend %[req.hdr(host),word(1,:),lower]

    backend host.mydomain.com
        mode tcp
        option tcp-check
        tcp-check connect port 443 ssl
        balance source
        default-server inter 60s downinter 30s rise 2 fall 2 slowstart 10s weight 100 ca-file /etc/ssl/certs/ca-certificates.crt on-marked-down shutdown-sessions
        server myhost host.mydomain.com:443 verify none check resolvers vpc resolve-prefer ipv4

Haproxy version dump:

    # haproxy -vv
    HA-Proxy version 2.0.12-1ppa~xenial 2019/12/21 - https://haproxy.org/
    Build options :
      TARGET  = linux-glibc
      CPU     = generic
      CC      = gcc
      CFLAGS  = -O2 -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered -Wno-missing-field-initializers -Wtype-limits
      OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_ZLIB=1 USE_SYSTEMD=1

    Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER -PCRE -PCRE_JIT +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE +LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS -51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

    Default settings :
      bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

    Built with multi-threading support (MAX_THREADS=64, default=1).
    Built with OpenSSL version : OpenSSL 1.0.2g 1 Mar 2016
    Running on OpenSSL version : OpenSSL 1.0.2g 1 Mar 2016
    OpenSSL library supports TLS extensions : yes
    OpenSSL library supports SNI : yes
    OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
    Built with Lua version : Lua 5.3.1
    Built with network namespace support.
    Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
    Built with zlib version : 1.2.8
    Running on zlib version : 1.2.8
    Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
    Built with PCRE2 version : 10.21 2016-01-12
    PCRE2 library supports JIT : yes
    Encrypted password support via crypt(3): yes
    Built with the Prometheus exporter as a service

    Available polling systems :
          epoll : pref=300, test result OK
           poll : pref=200, test result OK
         select : pref=150, test result OK
    Total: 3 (3 usable), will use epoll.

    Available multiplexer protocols :
    (protocols marked as <default> cannot be specified using 'proto' keyword)
                  h2 : mode=HTX        side=FE|BE     mux=H2
                  h2 : mode=HTTP       side=FE        mux=H2
           <default> : mode=HTX        side=FE|BE     mux=H1
           <default> : mode=TCP|HTTP   side=FE|BE     mux=PASS

    Available services :
        prometheus-exporter

    Available filters :
        [SPOE] spoe
        [COMP] compression
        [CACHE] cache
        [TRACE] trace

I'm sure I've done something wrong since I have exactly the same backend working fine with the frontend in TCP mode using "ssl_sni" like so:

    frontend fe_https_tcp
        bind *:8443
        mode tcp
        option tcplog
        tcp-request connection reject if !{ src -f /etc/haproxy/whitelist.lst }
        tcp-request inspect-delay 5s
        tcp-request content accept if { req.ssl_hello_type 1 }
        use_backend host.mydomain.com if { req.ssl_sni -i host.mydomain.com }

Thanks,
Igor
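Added example, not part of Igor's post nor HAProxy's own code: a small parser for "option httplog" lines that decodes the termination_state field (the "IR--" above) using the meanings from the HAProxy docs, so an operator can spot the "Ixxx" internal-error class that the docs say to report. It assumes the default 2.0 HTTP log layout and uses the line quoted in the post as constructed input.

```python
# Added example (not from the post or HAProxy): decode the termination_state
# field of 'option httplog' lines and flag internal errors ('I...').
import re
from typing import Optional

# Constructed input: the log line quoted in the post (client IP left redacted).
SAMPLE_LINE = (
    'Jan 29 03:33:44 ip-172-31-45-201 haproxy[124024]: <CLIENT_IP>:44296 '
    '[29/Jan/2020:03:33:44.952] fe_https~ host.mydomain.com/<NOSRV> '
    '-1/-1/-1/-1/0 500 0 - - IR-- 1/1/5/0/3 0/0 "GET /api/search HTTP/1.1"'
)

# Field layout of the default HTTP log format (haproxy 2.0 docs, section 8.2.3):
# client:port [accept_date] frontend backend/server TR/Tw/Tc/Tr/Ta status bytes
# captured_request_cookie captured_response_cookie termination_state ...
HTTPLOG_RE = re.compile(
    r'haproxy\[\d+\]: (?P<client>\S+):(?P<port>\d+) \[(?P<accept_date>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<TR>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Ta>-?\d+) '
    r'(?P<status>\d+) (?P<bytes>\d+) \S+ \S+ (?P<term>\S{4}) '
)

# termination_state, first char: cause of the session end (docs section 8.5).
CAUSE = {
    'C': 'client aborted', 'S': 'server aborted/refused', 'P': 'proxy policy or invalid response',
    'L': 'served locally by proxy', 'R': 'proxy resources exhausted',
    'I': 'INTERNAL ERROR in proxy self-check (must be reported)',
    'D': 'killed: server went DOWN', 'U': 'killed: active server came UP', 'K': 'killed by admin',
    'c': 'client-side timeout', 's': 'server-side timeout', '-': 'normal',
}
# termination_state, second char: phase the session was in when it ended.
PHASE = {
    'R': 'waiting for a complete, valid request', 'Q': 'waiting in queue',
    'C': 'connecting to server', 'H': 'waiting for response headers', 'D': 'data phase',
    'L': 'sending last data to client', 'T': 'tarpitted', '-': 'normal',
}

def parse_httplog(line: str) -> Optional[dict]:
    """Return the parsed fields plus a decoded termination state, or None if no match."""
    m = HTTPLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    term = rec['term']
    rec['cause'] = CAUSE.get(term[0], 'unknown cause %r' % term[0])
    rec['phase'] = PHASE.get(term[1], 'unknown phase %r' % term[1])
    rec['internal_error'] = term[0] == 'I'         # the 'Ixxx' case the docs say to report
    rec['no_server'] = rec['server'] == '<NOSRV>'  # request never reached a backend server
    return rec
```

For the quoted line this yields cause "INTERNAL ERROR ..." in phase "waiting for a complete, valid request", with no server selected and a 500 returned by the proxy itself.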

