
I'm balancing 3 fronts with HAProxy, but I always want to use the same backend/server for a specific subdomain (admin.mysite.com).
HAProxy is not terminating SSL (I was told this is not good, and that it is better to do that with nginx), so I'm using req_ssl_sni to detect the subdomain because I cannot use acl rules.
But for some reason, for some users HAProxy is connecting to the incorrect front when requesting the subdomain. I cannot understand why; this is my config:

global
        debug
        maxconn 16000
        daemon
        ssl-default-bind-options force-tlsv12
        tune.ssl.default-dh-param 2048
        stats socket /var/run/haproxy/info.sock mode 600 level admin
        stats timeout 2m

defaults
        log global
        retries 0
        timeout connect 5s
        timeout server 50s
        timeout client 50s
        default-server init-addr libc,none

frontend frontend-http
        bind *:80
        maxconn 10000
        mode http
        option forwardfor

        use_backend admin-nossl if { hdr_dom(host) -i admin.mysite.com }
        use_backend users-nossl if { hdr_dom(host) -i www.mysite.com }
        use_backend users-nossl if { hdr_dom(host) -i mysite.com }

        default_backend redirect-https

frontend frontend-https-public
        bind *:443
        maxconn 10000
        mode tcp
        option tcplog

        tcp-request inspect-delay 5s
        tcp-request content accept if { req.ssl_hello_type 1 }

        use_backend admin if { req_ssl_sni -i admin.mysite.com }
        use_backend users if { req_ssl_sni -i www.mysite.com }
        use_backend users if { req_ssl_sni -i mysite.com }

backend redirect-https
        mode http
        redirect scheme https code 301

backend admin-nossl
        mode http
        server frontend01 [//FRONT_1_IP//]:80 check resolve-prefer ipv4

backend admin
        mode tcp
        server frontend01 [//FRONT_1_IP//]:443 check resolve-prefer ipv4 send-proxy

backend users-nossl
        mode http
        balance roundrobin
        server frontend01 [//FRONT_1_IP//]:80 check resolve-prefer ipv4

backend users
        mode tcp
        balance roundrobin
        stick-table type binary len 32 size 30k expire 30m
        stick on src
        server frontend01 [//FRONT_1_IP//]:443 check resolve-prefer ipv4 send-proxy
        server frontend02 [//FRONT_2_IP//]:443 check resolve-prefer ipv4 send-proxy
        server frontend03 [//FRONT_3_IP//]:443 check resolve-prefer ipv4 send-proxy

Is this a bug in HAProxy, or is there something wrong with my config?

Enrique

1 Answer

SNI requires client support. In other words you might ask those who don't get redirected to the admin backend to try a known good web browser to confirm whether this is actually a problem with your config or HAProxy itself.

That said, I see very little reason since a few years back not to let HAProxy terminate client TLS traffic and start its own TLS session to the backend servers, which would let you use it in much more flexible and advanced ways if the need arose. Unless you have massive client traffic - in which case you should probably invest in TLS offloading hardware for your servers anyway - the benefits of being able to analyze incoming client traffic before it hits the web services usually outweigh any performance overhead.

Mikael H
  • the user with the problem tried Chrome, Brave and Edge, also using his phone – Enrique Jan 06 '20 at 19:21
  • Some regulatory requirements do not allow you to decrypt information until it gets to the endpoint, which is a good reason. – LTPCGO Jan 07 '20 at 03:15
  • @LTPCGO, Yes, but that's a regulatory, not a technical reason (which also probably is a bit of a grey area: are load balancers for a system part of the system if they are necessary for its functionality, for example). But I was commenting on what the OP said regarding it being better to do TLS termination in Nginx, and I simply don't agree that's true in most cases. – Mikael H Jan 07 '20 at 09:05