
I have basic haproxy knowledge and know how to handle the selection of tcp backends depending on the SNI server name.

The relevant lines are

    acl is_myhost req.ssl_sni -i my.host.com
    acl is_otherhost req.ssl_sni -i other.host.com


    use_backend mybackend if is_myhost
    use_backend otherbackend if is_otherhost

Now I'd like to change them to something that allows me to choose the back end also depending on the source IP, but I don't know the exact syntax for the pseudo configuration below, or whether this is possible at all.

    acl is_myhost_for_specific req.ssl_sni -i my.host.com <and source ip = 1.2.3.4>
    acl is_myhost_for_others req.ssl_sni -i my.host.com <and source ip != 1.2.3.4>
    acl is_otherhost req.ssl_sni -i other.host.com


    use_backend mybackend1 if is_myhost_for_specific
    use_backend mybackend2 if is_myhost_for_others
    use_backend otherbackend if is_otherhost

  • how about asking haproxy directly? – George Y Jun 30 '21 at 05:23
  • I like the persistence and searchability of questions on SO, thus I tried here first. But yes. sending the question to the haproxy mailing list (`haproxy@formilux.org`) is another option. – gelonida Jun 30 '21 at 06:30

1 Answer


Your pseudo-code for ACLs is incorrect, because an ACL declaration has no syntax for AND/OR logic. Move that logic to the place where you use the ACL, as in the example below.
For the source IP there is `src` (https://cbonte.github.io/haproxy-dconv/2.2/configuration.html#7.3.3-src), e.g.:

    acl test_network src 192.168.10.0/24
    acl test_network src 192.168.20.0/24
    acl is_myhost req.ssl_sni -i my.host.com

    # both acls must be true (is_myhost **and** test_network)
    use_backend mybackend1 if is_myhost test_network
    use_backend mybackend2 if is_myhost

Order of use_backend is important, so IPs from test_network go to mybackend1 and others go to mybackend2 if the SNI matches. Declaring the test_network ACL twice here means "src_ip matches 192.168.10.0/24 OR 192.168.20.0/24".

Please note that the syntax for matching two conditions in an if statement is not

    use_backend mybackend if condition1 and condition2

but just

    use_backend mybackend if condition1 condition2

  • Thanks. Well, I knew my pseudo code was wrong, but fortunately it was good enough to explain my intention. Your answer seems to be **exactly** what I was looking for. I didn't know `test_network src`, I didn't know that acls can contain just one condition and that the if statement can combine acls. Will mark as correct answer as soon as I have tested it. – gelonida Jul 01 '21 at 13:37
  • the trick of declaring an acl twice is also very helpful – gelonida Jul 01 '21 at 13:38
  • Finally had time to test your answer. There is a small mistake in the line `use_backend mybackend1 if is_myhost and test_network`, which has to be `use_backend mybackend1 if is_myhost test_network` (without the `and`; the `and` is implicit). Thanks again – gelonida Jul 05 '21 at 19:24
  • will mark as correct answer as soon as the answer is corrected (my change request needs approval) – gelonida Jul 05 '21 at 19:26
  • I added another comment to my changes as it seems, that 20 reviewers looked at my changes, but didn't feel comfortable accepting them. I hope my additional comment makes the change easier to understand / accept – gelonida Jul 06 '21 at 08:10
  • perhaps you can apply the change to your answer. The review procedure of my edit request is surprisingly slow for serverfault. Probably because haproxy is not that well known. Without my proposed changes haproxy will complain about an unknown `acl` with the name `and` – gelonida Jul 06 '21 at 13:55
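Putting the accepted answer's pieces together, here is a complete TCP-mode frontend as an added example (my own config, not the answerer's or the HAProxy project's). It makes the "others" rule explicit with `!` negation instead of relying on rule order, and adds the `tcp-request inspect-delay` / `content accept` pair that `req.ssl_sni` needs in TCP mode to see the ClientHello; hostnames, networks, backend names and server addresses are assumed placeholders.

```haproxy
# Added example, not part of the original answer. All names and addresses are made up.
frontend tls_in
    bind *:443
    mode tcp
    # req.ssl_sni is only populated once the TLS ClientHello has been buffered,
    # so wait for it (up to 5s) before evaluating the rules below.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    # The same ACL name declared twice means logical OR of the two networks.
    acl test_network src 192.168.10.0/24
    acl test_network src 192.168.20.0/24

    acl is_myhost    req.ssl_sni -i my.host.com
    acl is_otherhost req.ssl_sni -i other.host.com

    # Space-separated ACLs in one "if" are ANDed; "!" negates an ACL.
    # The first matching use_backend wins, so keep the specific rule first.
    use_backend mybackend1   if is_myhost test_network
    use_backend mybackend2   if is_myhost !test_network
    use_backend otherbackend if is_otherhost
    # A connection with an SNI that matches nothing above goes to default_backend
    # if one is configured; none is set here, so such connections are not routed.

backend mybackend1
    mode tcp
    server srv1 10.0.1.10:443

backend mybackend2
    mode tcp
    server srv2 10.0.2.10:443

backend otherbackend
    mode tcp
    server srv3 10.0.3.10:443
```

Check the file with `haproxy -c -f haproxy.cfg` before reloading; an undefined ACL name (such as a stray `and`) is reported at this stage rather than at runtime.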