Thanks for the suggestion, Brian! First off, IUS *IS* actually on our
allowed list, so I upgraded to the IUS haproxy RPM v1.7.3 (Our local repo
copy does not have 1.7.4 sync'd into it yet - I didn't even realize haproxy
was in the IUS repo). I also converted my configuration to be like you
indicated, and I am unfortunately still having the same issue. Here is my
new front-end configuration (sanitized):
frontend https-8443
    bind 192.168.1.1:8443 ssl crt /etc/haproxy/certs/
    acl site01 hdr(host) -i site01.domain.com
    acl site02 hdr(host) -i site02.domain.com
    use_backend site01 if site01
    use_backend site02 if site02
If I delete the two use_backend lines, and add a default_backend line, it
works properly.
For additional reference, here are the two backends and my defaults section
as well:
backend site01
    balance roundrobin
    server server01 192.168.1.2:80

backend site02
    balance roundrobin
    server server02 192.168.1.3:80
(In this implementation, we're using it more for the proxy functions than
we are the HA functions).
defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000
Also, looking at the log file, all I see is:
Apr 13 16:43:37 tc-vpn01 haproxy[8986]: 192.168.1.100:59689
[13/Apr/2017:16:43:37.874] https-8443~ https-8443/<NOSRV> -1/-1/-1/-1/0 503
212 - - SC-- 0/0/0/0/0 0/0 "GET /favicon.ico HTTP/1.1"
Anyone with any ideas?
Thanks,
Jeremy
On Thu, Apr 13, 2017 at 11:41 AM, Gibson, Brian (IMS) <[email protected]>
wrote:
> I’ve not tried using ACLs in curly brackets like you are, but I can
> confirm that this configuration works for me:
>
>     acl name1 hdr(host) -i www.example.org
>     acl name2 hdr(host) -i www.example-other.org
>
>     use_backend backend1 if name1
>     use_backend backend2 if name2
>
> I use this code specifically to do what you’re trying to do, though I’m
> using the latest stable build. I’m pretty sure this code should work in
> 1.5 though as well.
>
> Also if you can’t use self-compiled stuff, can you use something like IUS?
> https://ius.io/
>
> *From:* Jeremy Utley [mailto:[email protected]]
> *Sent:* Thursday, April 13, 2017 12:29 PM
> *To:* [email protected]
> *Subject:* Problems with SNI config
>
> Hello all!
>
> I'm trying to convert an Apache reverse proxy setup over to using HAProxy,
> but am running into issues with SNI. I followed
> http://stuff-things.net/2016/11/30/haproxy-sni/ to set this up, but it's
> not working, and I have not yet been able to figure out why.
>
> HAProxy version: 1.5.4-3 installed from the EPEL repo on Centos 6 (Policy
> here forbids self-compiled versions, so we are limited to only what's
> available to us in EPEL)
>
> I've narrowed down the problem to my frontend definition - if I simplify
> the front-end to not do SNI, it works fine to either backend. If I add a
> default_backend definition, it goes to the default backend no matter which
> hostname I provide. Without the default_backend in the frontend
> configuration, I get a 503 error from the proxy. So something is
> definitely not right with my SNI configuration, but I certainly cannot
> find it!
>
> Here is a sanitized version of my frontend definition in haproxy.cfg:
>
>     frontend https-8443
>         bind 192.168.1.1:8443 ssl crt /etc/haproxy/certs/
>         use_backend site1 if { hdr(host) -i site1.domain.com }
>         use_backend site2 if { hdr(host) -i site2.domain.com }
>
> We will eventually have something like 20-30 different SSL sites in this
> configuration, along with some IP-based ACLs as well, but I'm not to that
> point as of yet. I am simply trying to get SNI working, to direct to a
> different backend depending on the hostname requested (which, according to
> my reading, should be perfectly doable with haproxy).
>
> Anybody got any ideas of what I'm doing wrong?
>
> Thanks for your time!
>
> Jeremy Utley
>
>
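As an added example (not part of the thread, and not HAProxy's own code), the Python script below does the two checks I would run on the symptom quoted above: it parses the httplog line, decoding the `~` SSL marker on the frontend name, the `<NOSRV>` server and the `SC--` termination state, and it emulates the two `use_backend` rules against candidate Host header values. The Host values are constructed, and the hypothesis they test is mine and is not confirmed anywhere in the thread: a browser talking to port 8443 sends `Host: site01.domain.com:8443` (the port is included whenever it is not the scheme's default), which can never equal the whole-value `hdr(host) -i site01.domain.com` ACL. The matcher functions are simplified re-implementations of HAProxy's `hdr(host)` and `hdr_dom(host)` semantics, not calls into HAProxy.

```python
import re

# Constructed sample: the "option httplog" line quoted in the thread above,
# with the addresses and hostname exactly as the original poster sanitized them.
SAMPLE_LOG = (
    'Apr 13 16:43:37 tc-vpn01 haproxy[8986]: 192.168.1.100:59689 '
    '[13/Apr/2017:16:43:37.874] https-8443~ https-8443/<NOSRV> -1/-1/-1/-1/0 503 '
    '212 - - SC-- 0/0/0/0/0 0/0 "GET /favicon.ico HTTP/1.1"'
)

# httplog field order: client, accept date, frontend, backend/server, Tq/Tw/Tc/Tr/Tt,
# status, bytes, request cookie, response cookie, termination state, counters, request.
HTTPLOG_RE = re.compile(
    r'haproxy\[\d+\]: (?P<client>\S+) \[(?P<accept_date>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<tq>-?\d+)/(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tr>-?\d+)/(?P<tt>-?\d+) '
    r'(?P<status>\d+) (?P<bytes>\d+) \S+ \S+ (?P<term>\S{4}) '
    r'(?P<conns>\S+) (?P<queues>\S+) "(?P<request>[^"]*)"'
)

# First two characters of the termination state (HAProxy manual, section 8.5).
TERM_FIRST = {
    '-': 'normal completion',
    'C': 'client aborted the TCP session',
    'S': 'server aborted or refused the connection (also seen when no server could be selected)',
    'P': 'proxy aborted the session (limit, deny rule or response check)',
    'R': 'proxy resource exhausted',
    'c': 'client-side timeout',
    's': 'server-side timeout',
}
TERM_SECOND = {
    '-': 'normal completion',
    'R': 'waiting for a complete client REQUEST',
    'Q': 'waiting in the QUEUE for a connection slot',
    'C': 'waiting for the CONNECTION to the server',
    'H': 'waiting for response HEADERS from the server',
    'D': 'in the DATA phase',
    'L': 'sending LAST data to the client',
    'T': 'request tarpitted',
}

def parse_httplog(line):
    """Parse one httplog line into a dict; raise ValueError if it is not one."""
    m = HTTPLOG_RE.search(line)
    if not m:
        raise ValueError('not an httplog line')
    rec = m.groupdict()
    # A trailing '~' on the frontend name means the connection arrived on an
    # SSL-enabled bind line, so the TLS handshake itself succeeded.
    rec['ssl'] = rec['frontend'].endswith('~')
    rec['frontend'] = rec['frontend'].rstrip('~')
    rec['status'] = int(rec['status'])
    # When no use_backend rule matches and there is no default_backend, HAProxy
    # uses the frontend itself as the backend; it has no servers, hence <NOSRV>.
    rec['fell_through_to_frontend'] = (
        rec['backend'] == rec['frontend'] and rec['server'] == '<NOSRV>')
    rec['term_meaning'] = (TERM_FIRST.get(rec['term'][0], 'unknown'),
                           TERM_SECOND.get(rec['term'][1], 'unknown'))
    return rec

# The two use_backend rules from the configuration above, in order.
RULES = [('site01', 'site01.domain.com'), ('site02', 'site02.domain.com')]

def acl_hdr_str(value, pattern):
    """hdr(host) -i PATTERN: case-insensitive match of the whole header value."""
    return value.lower() == pattern.lower()

def acl_hdr_dom(value, pattern):
    """hdr_dom(host) -i PATTERN: pattern found isolated or delimited by '/', '?',
    '.' or ':' (simplified re-implementation of HAProxy's domain match)."""
    v, p, delims = value.lower(), pattern.lower(), '/?.:'
    start = 0
    while True:
        i = v.find(p, start)
        if i < 0:
            return False
        end = i + len(p)
        if (i == 0 or v[i - 1] in delims) and (end == len(v) or v[end] in delims):
            return True
        start = i + 1

def acl_host_no_port(value, pattern):
    """Exact match after dropping an explicit ':port' (IPv6 literals not handled):
    the comparison the ACLs above are really meant to express."""
    return value.split(':', 1)[0].lower() == pattern.lower()

def select_backend(host_header, rules, matcher):
    """Emulate ordered use_backend rules: first matching ACL wins; None means no
    rule matched, which without a default_backend is the <NOSRV> 503 case."""
    for backend, pattern in rules:
        if matcher(host_header, pattern):
            return backend
    return None

if __name__ == '__main__':
    rec = parse_httplog(SAMPLE_LOG)
    print(f"ssl={rec['ssl']} fell_through={rec['fell_through_to_frontend']} "
          f"status={rec['status']} term={rec['term']} -> {rec['term_meaning']}")
    # Constructed Host values: what a browser sends for https://site01.domain.com:8443/
    # (the non-default port is included), plus two look-alikes any client could send.
    for host in ('site01.domain.com', 'site01.domain.com:8443',
                 'site01.domain.com.evil.test', 'evil-site01.domain.com'):
        print(f"{host:28} hdr={select_backend(host, RULES, acl_hdr_str)!s:7} "
              f"hdr_dom={select_backend(host, RULES, acl_hdr_dom)!s:7} "
              f"no_port={select_backend(host, RULES, acl_host_no_port)}")
```

Two things the output makes visible. First, the log line says the TLS side is fine (`https-8443~`) and the request fell through to the frontend itself with no server, so the problem is in the routing rules, not in SNI or the certificates. Second, `hdr_dom(host)` would fix the port case but also routes `site01.domain.com.evil.test` to `site01`; since any client can send any Host value, a loose match widens what a backend will be asked to serve. Matching the host with the port stripped, or routing on the TLS-layer `ssl_fc_sni` fetch (which never carries a port), keeps the comparison exact. Whichever method is used, a `default_backend` or an explicit deny for unmatched names gives a deliberate response instead of the `<NOSRV>` 503 seen here.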