
I have a question about ACLs with path_beg in an HTTPS frontend.

My environment:

haproxy ==> acl 1 /web1 ==> https://app/web1
haproxy ==> acl 2 /web2 ==> https://app/web2

Config:

frontend https-in
    mode tcp
    bind xxx.xxx.xxx.xxx:443

    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    acl host_https-app2 req_ssl_sni -i app.example.com
    use_backend app2_https if host_https-app2

backend app2_https
    mode tcp
    balance source

    stick-table type binary len 32 size 30k expire 30m
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2

    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello
    tcp-response content accept if serverhello

    stick on payload_lv(43,1) if clienthello
    stick store-response payload_lv(43,1) if serverhello

    option ssl-hello-chk

    server srv1-HTTPS srv1:443 check
    server srv2-HTTPS srv2:443 check backup

My monitoring example:

    tcp-check connect port 443
    tcp-check send GET\ /web1\ HTTP/1.0\r\n
    tcp-check send Host:\ app.example.com\r\n
    tcp-check send \r\n
    tcp-check expect rstring (2..|3..)

Thanks!

  • I need to configure 2 contexts, /web1 and /web2; these contexts are virtual hosts of IIS 7.5. – Fabio Abreu Jan 27 '16 at 10:27
  • What do you mean by *context*? Are you saying you want to send `/web1` and `/web2` to different backends? – GregL Jan 28 '16 at 13:33
  • @GregL I need to forward requests for subdirectories to the same backends, for example: app.example.com/web1 and app.example.com/web2 forward to backend-web. In this case web1 and web2 are virtual hosts of IIS. – Fabio Abreu Jan 28 '16 at 15:08
  • My difficulty is a config with mode tcp + SSL SNI + subdirectories (e.g. path_beg). – Fabio Abreu Jan 28 '16 at 15:09
  • As I mentioned below, when you're in `mode tcp`, you can't use anything above the IP layer, so `hdr` and `path_beg` won't work. You'll have to either 1) switch to `mode http` and terminate SSL at HAProxy, or 2) forward everything coming into the frontend to the same backend (which might be simplified by just having a `listen` section instead). Do you have multiple FQDNs and backends, or just the one? – GregL Jan 28 '16 at 15:13
  • I changed my config for monitoring https://example/web1 and /web2; I put my example in my question and now I am trying to use tcp-checks and monitor URLs for HA. – Fabio Abreu Feb 01 '16 at 19:14
  • I've read and re-read your comment and the added config with `tcp-check` (which won't work BTW since you're speaking clear text when connected to an SSL encrypted port), but I still can't quite figure out what you want to do. Can you post your *full* HAProxy config, sanitized of course. It might help us to grasp your end goal. – GregL Feb 01 '16 at 19:40
  • I've just re-read your question again, and I don't think you're going to be able to achieve what you're looking for (`mode tcp`, plus `hdr` or `path_beg`). They're pretty well mutually exclusive configuration options. It *might* be possible to make backend selections based on SNI, but you'd have to test it since it would require that HAproxy try and decode anything above layer4. Certainly it's not going to be possible to switch backends depending on the path, since that's *inside* the encrypted connection as part of the HTTP request. – GregL Feb 02 '16 at 04:18

1 Answer

Give this a try.

frontend https-in
    mode    http
    option  httplog
    # TLS has to be terminated here, otherwise hdr() and path_beg have nothing to match
    # (placeholder certificate path: PEM with the chain and key for app.example.com)
    bind    xxx.xxx.xxx.xxx:443 ssl crt /path/to/app.example.com.pem

    <...>

    use_backend app2_https if { hdr(host) -i app.example.com } { path_beg /web2/ }

    <...>

backend app2_https
    mode    http
    option  httplog

    <...>

    # the servers speak TLS on 443, so re-encrypt with "ssl" and validate their certificate
    # (placeholder CA bundle path); with "ssl" set, the health check is sent over TLS as well,
    # so the SSLv3-hello check "option ssl-hello-chk" is not needed here
    server  srv1-HTTPS srv1:443 ssl verify required ca-file /path/to/ca.pem check
    server  srv2-HTTPS srv2:443 ssl verify required ca-file /path/to/ca.pem check backup

    <...>
Tan Hong Tat
  • I don't forward the request because HAProxy can't find the backend definition. localhost haproxy[12250]: :58957 [28/Jan/2016:08:44:45.588] stats stats/ 0/0/3 42913 LR 1/1/0/0/0 0/0 – Fabio Abreu Jan 28 '16 at 10:46
  • This config isn't going to work. You're in `mode tcp` so the anonymous ACL in the `use_backend` line that references `hdr` isn't ever going to match since the packets aren't decoded to that level. – GregL Jan 28 '16 at 13:30
  • Right, I failed to notice it's in `mode tcp`. You have to switch the `mode http` to have SSL terminated at HAProxy, so that it can do the matching. – Tan Hong Tat Jan 29 '16 at 05:19
  • I tried to use tcp-check for monitoring the context and forwarding the request if it enters an alarm condition; I don't change the mode of the frontend because I have other environments in my HAProxy. I edited my question and put my tcp-check as an example. – Fabio Abreu Feb 01 '16 at 19:05
  • But how do I set the mode of the frontend to http and the mode of the backend to tcp? I'm getting an error. – zypro Apr 18 '16 at 10:28
  • @zypro - You can't. TCP mode is a lower level protocol than HTTP. – Tan Hong Tat Apr 19 '16 at 05:23
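To make the thread's conclusion concrete, here is an added example configuration (not from the question or the answer) with the two workable options GregL describes: TLS terminated at HAProxy, so path_beg can route /web1 and /web2 and the health check is a real HTTPS request, or TLS passthrough in mode tcp, where only the SNI is usable and the path is not. The certificate and CA bundle paths are placeholders, and the two frontends are alternatives, not to be combined on the same address and port.

```haproxy
# Option A: terminate TLS at HAProxy so hdr(host) and path_beg are visible.
frontend https-in
    mode http
    option httplog
    # Placeholder: PEM file with the app.example.com certificate chain and private key.
    bind xxx.xxx.xxx.xxx:443 ssl crt /etc/haproxy/certs/app.example.com.pem
    option forwardfor
    http-request set-header X-Forwarded-Proto https

    acl host_app hdr(host) -i app.example.com
    acl path_web path_beg -i /web1/ /web2/
    # Both IIS virtual directories live on the same backend, as the question states.
    use_backend backend-web if host_app path_web

backend backend-web
    mode http
    balance source
    # Re-encrypt to IIS on 443 and validate its certificate (placeholder CA bundle path);
    # a plain "srv1:443" in mode http would send clear-text HTTP to a TLS port.
    # The check is a real HTTPS GET, which a clear-text tcp-check on port 443 cannot be.
    option httpchk GET /web1/ HTTP/1.0\r\nHost:\ app.example.com
    http-check expect rstatus ^[23][0-9][0-9]
    server srv1-HTTPS srv1:443 ssl verify required ca-file /etc/haproxy/certs/iis-ca.pem check
    server srv2-HTTPS srv2:443 ssl verify required ca-file /etc/haproxy/certs/iis-ca.pem check backup

# Option B: TLS passthrough. Only the SNI in the ClientHello is usable for routing;
# /web1 and /web2 are inside the encrypted stream, so both must share one backend
# and the health check can only be a TLS handshake.
frontend https-passthrough
    mode tcp
    bind xxx.xxx.xxx.xxx:443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend backend-web-tcp if { req_ssl_sni -i app.example.com }

backend backend-web-tcp
    mode tcp
    balance source
    option ssl-hello-chk
    server srv1-HTTPS srv1:443 check
    server srv2-HTTPS srv2:443 check backup
```

A backend has a single httpchk, so monitoring /web1 and /web2 separately needs one backend per path; with option A that is only a second `use_backend` line and a second backend block.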