How to force a specific routing based on SNI in HAProxy?

Question

I have the following HAProxy configuration:

listen sni-443
    bind *:443
    mode tcp

    timeout connect  4s
    timeout client   3m
    timeout server   3m
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl no-ssl req.ssl_hello_type 0

    use-server backend1.default.svc.cluster.local if !no-ssl { req_ssl_sni -i www.example.com }
    server  backend1.default.svc.cluster.local  10.96.245.95:443 weight 0

    use-server backend2.default.svc.cluster.local if !no-ssl { req_ssl_sni -i demo.example.com }
    server  backend2.default.svc.cluster.local  10.96.184.199:443 weight 0

If I visit www.example.com, everything is fine. But when I do so after having reloaded demo.example.com with high frequency (hammering on Shift-Ctrl-R in the browser), I end up at demo.example.com. Yes, exactly: I open www.example.com in the browser but HAProxy routes that to backend2 (which returns an error).

Apparently, HAProxy does not fully understand that the two services are not alternatives for load balancing but very distinct products. How can I ensure that www.example.com ends up with backend1?

Call me old school, but for clarity I prefer to keep separate `frontend` and `backend` sections rather than a mixed `listen` section. Anyway your config otherwise looks fine and I see nothing here that would cause the problem. Do you have something else in front of haproxy? — Michael Hampton, Sep 24 '21 at 14:53
No. But I currently investigate whether that fact that the TLS certs for both backends contain both domains (in other words, the same certificate with aliases) may confuse HAproxy. — Torsten Bronger, Sep 24 '21 at 17:42

score 2 · Answer 1 · answered Sep 24 '21 at 12:20

2

This is an example from docs for req_ssl_sni:

tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend bk_allow if { req_ssl_sni -f allowed_sites }
default_backend bk_sorry_page

You probably need tcp-request inspect-delay set to something, because not setting it, means haproxy doesn't wait at all and has no idea what SNI was.
Longer explaination in docs for tcp-request inspect-delay

answered Sep 24 '21 at 12:20

tbielaszewski

441
2
5

I added further settings to my minimal configuration. They don’t prevent this unfortunate behaviour of HAProxy. What is the difference between `use_backend` and `use-server`? May this be the cause? – Torsten Bronger Sep 24 '21 at 13:01
`server` is single IP:PORT service while `backend` is a whole config structure in haproxy, like `listen` or `frontend`, which contains its own rules, ACLs and servers. defining seperate backends and putting servers there could perhaps help seperate those servers further. can you post some haproxy logs, with SNI in them if possible? – tbielaszewski Sep 24 '21 at 19:30

How to force a specific routing based on SNI in HAProxy?

1 Answers1