0

I currently have one web server (10.0.0.77) running nginx with multipple vhosts (couple of wordpress sites and nextcloud installation) all running on 1 IP address and everything is secured with a wildcard cert. That is working fine - both internally and externally

Now I want to proxy all the external traffic via HAproxy below is my simplified haproxy config for one wordpres site and nextcloud:

global
log /dev/log    local0
log /dev/log    local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
maxconn 4096
user haproxy
group haproxy
daemon


defaults
log     global
mode    tcp
option  tcplog
option  dontlognull
timeout connect 15s
timeout client  15s
timeout server  15s
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http


frontend localhost80  
bind *:80
mode http
redirect scheme https code 301 if !{ ssl_fc }

frontend localhost443   
bind *:443
option tcplog
mode tcp
acl tls req.ssl_hello_type 1
tcp-request inspect-delay 5s
tcp-request content accept if tls

acl is_wordpress req.ssl_sni -i nextcloud.domain.com   
acl is_nextcloud req.ssl_sni -i wordpress.domain.com  

use_backend nextcloud_cluster if is_nextcloud  
use_backend wordpress_cluster if is_wordpress

backend wordpress_cluster
mode tcp
option ssl-hello-chk
server is_wordpress 10.0.0.77:443 check 


backend nextcloud_cluster
mode tcp
option ssl-hello-chk
server is_nextcloud 10.0.0.77:443 check

Problem is that as soon as I repoint the external traffic to run via my haproxy, if I try loding ie. nextcloud.domain.com I will sometimes get wordpress.domain.com and vice versa.

Any ideas where I am going wrong?

Paul
  • 159
  • 1
  • 2
  • 12

1 Answers1

0

When using SNI to differentiate between backends, you should be aware that in this specific case the non-SNI clients won't be able to access the sites.

However, if this is fine with your clients and you still balance onto the same backend (as in the example) you still have redundant information in your configuration. The simpler approach here would be:

frontend localhost443   
  bind *:443
  option tcplog
  mode tcp
  default_backend backend1

backend backend1
  mode tcp
  option ssl-hello-chk
  server server1 10.0.0.77:443 check

Since your setup simply is a layer 4 balancing, if you still get random websites, you would have to look into the webserver running on 10.0.0.77:443 a bit closer: Which webserver, how is it set up, does it produce the same problem when accessed directly?

M. Schmidt
  • 193
  • 14