Thanks, Jarno, for sorting this out. Running on ipv6 is probably obvious due to 
the bind :::80 and bind :::443 statements. 
This v4v6 extension I got from somewhere and is supposed to be Linux kernel 
specific.


> Am 01.12.2023 um 07:56 schrieb Jarno Huuskonen <jarno.huusko...@uef.fi>:
> 
> Hi,
> 
> On Tue, 2023-11-28 at 16:29 +0100, Christoph Kukulies wrote:
>> I'm wondering why I see haproxy running on ipv6 (Ubuntu 22.04):
>> 
>> Excerpt from haproxy.cfg:
>> 
>> frontend http-in
>> #    bind *:80
>>     bind :::80 v4v6
>> #    bind *:443 ssl crt /etc/haproxy/certs/xxxxxx.pem 
>>     bind :::443 v4v6 ssl crt /etc/haproxy/certs/xxxxxx.pem
>>     bind quic4@0.0.0.0:443 name quic443 ssl crt
>> /etc/haproxy/certs/xxxxxxx.pem proto quic alpn h3,h3-29,h3-28,h3-27 npn
>> h3,h3-29,h3-28,h3-27 allow-0rtt curves secp521r1:secp384r1
>>     http-response add-header alt-svc 'h3=":443"; ma=7200,h3-29=":443";
>> ma=7200,h3-Q050=":443"; ma=7200,h3-Q046=":443"; ma=7200,h3-
>> Q043=":443"; ma=7200,quic=":443"; ma=7200'
>> 
>>     http-request return status 200 content-type text/plain lf-string
>> "%[path,field(-1,/)].${ACCOUNT_THUMBPRINT}\n" if { path_beg '/.well-
>> known/acme-challenge/' }
>> 
> 
> This and "use_backend letsencrypt-backend if letsencrypt-acl" seem like
> duplicate and only one of them is used ?
> 
>>     # Redirect if HTTPS is *not* used
>>     redirect scheme https code 301 if !{ ssl_fc }
>>     acl letsencrypt-acl path_beg /.well-known/acme-challenge/
>> 
>>     use_backend letsencrypt-backend if letsencrypt-acl
>>     default_backend website
>> 
>> In my haproxy.log I see:
>> 
>> Nov 28 16:10:19 mail haproxy[59727]: ::ffff:88.181.85.41:63772
>> [28/Nov/2023:16:10:19.728] http-in http-in/<NOSRV> 0/-1/-1/-1/0 301 97 - -
>> LR-- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
>> 
>> This stems from a request I did that way:
>> 
>> curl http://www.kukulies.org <http://www.kukulies.org/>
>> 
> 
> Seems normal, status code is 301 and you have "redirect scheme https code
> 301 if !{ ssl_fc }"
> Is this what you expect or do you think there're some errors ?

But the http-in/<NOSRV> is bugging me.

--
Christoph

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply via email to