Hi all,

I'm asking this question here since I read in the docs that if I see "Ixxx"
in the session "termination_state" log I should do so :-)

The error I got while experimenting with the HAP config is as follows:

Jan 29 03:33:44 ip-172-31-45-201 haproxy[124024]: <CLIENT_IP>:44296
[29/Jan/2020:03:33:44.952] fe_https~ host.mydomain.com/<NOSRV>
-1/-1/-1/-1/0 500 0 - - IR-- 1/1/5/0/3 0/0 "GET /api/search HTTP/1.1"

The command that produced it:

$ curl -vsSNiL -H "Host: host.mydomain.com"
https://haproxy.example.com:8443/api/search

And the relevant haproxy-2.0.12 configuration (it's in AWS):

resolvers vpc
    nameserver dns1 172.31.0.2:53
    accepted_payload_size 8192
    resolve_retries       30
    timeout resolve       1s
    timeout retry         2s
    hold valid            30s
    hold other            30s
    hold refused          30s
    hold nx               30s
    hold timeout          30s
    hold obsolete         30s

frontend fe_https
    bind *:8443 ssl crt /etc/haproxy/ssl.d/ alpn h2,http/1.1
    mode http
    option httplog
    use_backend %[req.hdr(host),word(1,:),lower]

backend host.mydomain.com
    mode tcp
    option tcp-check
    tcp-check connect port 443 ssl
    balance source
    default-server inter 60s downinter 30s rise 2 fall 2 slowstart 10s
weight 100 ca-file /etc/ssl/certs/ca-certificates.crt on-marked-down
shutdown-sessions
    server myhost host.mydomain.com:443 verify none check resolvers vpc
resolve-prefer ipv4

Haproxy version dump:

# haproxy -vv
HA-Proxy version 2.0.12-1ppa~xenial 2019/12/21 - https://haproxy.org/
Build options :
  TARGET  = linux-glibc
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -O2 -fPIE -fstack-protector-strong -Wformat
-Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2
-fno-strict-aliasing -Wdeclaration-after-statement -fwrapv
-Wno-unused-label -Wno-sign-compare -Wno-unused-parameter
-Wno-old-style-declaration -Wno-ignored-qualifiers -Wno-clobbered
-Wno-missing-field-initializers -Wtype-limits
  OPTIONS = USE_PCRE2=1 USE_PCRE2_JIT=1 USE_REGPARM=1 USE_OPENSSL=1
USE_LUA=1 USE_ZLIB=1 USE_SYSTEMD=1

Feature list : +EPOLL -KQUEUE -MY_EPOLL -MY_SPLICE +NETFILTER -PCRE
-PCRE_JIT +PCRE2 +PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED
+REGPARM -STATIC_PCRE -STATIC_PCRE2 +TPROXY +LINUX_TPROXY +LINUX_SPLICE
+LIBCRYPT +CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL +LUA +FUTEX +ACCEPT4
-MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY +TFO +NS +DL +RT -DEVICEATLAS
-51DEGREES -WURFL +SYSTEMD -OBSOLETE_LINKER +PRCTL +THREAD_DUMP -EVPORTS

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=1).
Built with OpenSSL version : OpenSSL 1.0.2g  1 Mar 2016
Running on OpenSSL version : OpenSSL 1.0.2g  1 Mar 2016
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.1
Built with network namespace support.
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT
IP_FREEBIND
Built with zlib version : 1.2.8
Running on zlib version : 1.2.8
Compression algorithms supported : identity("identity"),
deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE2 version : 10.21 2016-01-12
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with the Prometheus exporter as a service

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
              h2 : mode=HTX        side=FE|BE     mux=H2
              h2 : mode=HTTP       side=FE        mux=H2
       <default> : mode=HTX        side=FE|BE     mux=H1
       <default> : mode=TCP|HTTP   side=FE|BE     mux=PASS

Available services :
prometheus-exporter

Available filters :
[SPOE] spoe
[COMP] compression
[CACHE] cache
[TRACE] trace

I'm sure I've done something wrong since I have exactly the same backend
working fine with frontend in TCP mode using "ssl_sni" like so:

frontend fe_https_tcp
    bind *:8443
    mode tcp
    option tcplog
    tcp-request connection reject if !{ src -f /etc/haproxy/whitelist.lst }
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend host.mydomain.com if { req.ssl_sni -i host.mydomain.com }

Thanks,
Igor

Reply via email to