0

I installed a server with Proxmox and some LXC containers. On this server several domains should run with only one public IP. Currently I'm trying to set up a reverse proxy with HAProxy, but it doesn't allow subfolders or variables.

For example, this access is not possible:

    domain.tld/css/default.css
    domain.tld/system/login

How can I allow all connections?

My Config:

frontend http_in
    mode tcp
    bind *:80
    bind *:443

    tcp-request inspect-delay 5s
    acl sslv3 req.ssl_ver 3
    tcp-request content reject if sslv3
    tcp-request content accept if { req_ssl_hello_type 1 }

    acl web1 hdr(host) -i domain1.tld

    acl web2 hdr(host) -i domain2.tld

    use_backend web1 if web1
    use_backend web2 if web2

backend web1
        mode tcp
        server web1 10.10.10.110

backend web2
        mode tcp
        server web2 10.10.10.112

Thank you very much.

T. Muyang
  • 2
    What about it isn't working? The requests are routing properly? Could you share an example of what isn't working as expected? – jmoney Dec 11 '18 at 05:07

2 Answers

1

According to this link:

https://discourse.haproxy.org/t/tcp-with-acl-possible/283/2

You should set mode to http (not tcp) on the frontend in order to make hdr(host) ACL work. I am using a similar config without any problem with mode set to http.

There should not be any problem about paths (suffixes) once the proxy operation works correctly.

alili
  • Ok, thanks for your help. With this configuration HAProxy won't start. I set the frontend to http mode and the backend to tcp mode. The default mode is tcp. – T. Muyang Dec 12 '18 at 14:05
  • Yes, also tried. Frontend and backend in http mode and I have the same problem. The proxy starts, but the website doesn't load any CSS or images and so on – T. Muyang Dec 12 '18 at 18:07
  • An addition to my configs: The host with Proxmox has this in the iptables and routes all connections over port 80 and 443 to the guest with HAProxy:
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 10.10.10.100:80
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 80 -j DNAT --to 10.10.10.100:80
    post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 10.10.10.100:443
    post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 443 -j DNAT --to 10.10.10.100:443
    – T. Muyang Dec 12 '18 at 18:09
  • 1
    You are getting a 404 message from an apache server, which means that your request reaches the backend. Do the css, img etc. load on local ip? like http://10.10.10.110/css/style.css – alili Dec 12 '18 at 20:01
  • Thanks a lot. It was an Apache config problem: Options Indexes FollowSymLinks Require all granted AllowOverride All...... – T. Muyang Dec 13 '18 at 08:40
0
haproxy.service - HAProxy Load Balancer
   Loaded: loaded (/lib/systemd/system/haproxy.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Wed 2018-12-12 14:03:06 UTC; 6s ago
     Docs: man:haproxy(1)
           file:/usr/share/doc/haproxy/configuration.txt.gz
  Process: 4294 ExecStart=/usr/sbin/haproxy-systemd-wrapper -f $CONFIG -p $PIDFILE $EXTRAOPTS (code=exited, status=0/SUCCESS)
  Process: 4322 ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS (code=exited, status=1/FAILURE)
 Main PID: 4294 (code=exited, status=0/SUCCESS)

Dec 12 14:03:06 haproxy systemd[1]: haproxy.service: Control process exited, code=exited status=1
Dec 12 14:03:06 haproxy systemd[1]: Failed to start HAProxy Load Balancer.
Dec 12 14:03:06 haproxy systemd[1]: haproxy.service: Unit entered failed state.
Dec 12 14:03:06 haproxy systemd[1]: haproxy.service: Failed with result 'exit-code'.
Dec 12 14:03:06 haproxy systemd[1]: haproxy.service: Service hold-off time over, scheduling restart.
Dec 12 14:03:06 haproxy systemd[1]: Stopped HAProxy Load Balancer.
Dec 12 14:03:06 haproxy systemd[1]: haproxy.service: Start request repeated too quickly.
Dec 12 14:03:06 haproxy systemd[1]: Failed to start HAProxy Load Balancer.
Dec 12 14:03:06 haproxy systemd[1]: haproxy.service: Unit entered failed state.
Dec 12 14:03:06 haproxy systemd[1]: haproxy.service: Failed with result 'exit-code'.


Dec 12 14:03:06 haproxy haproxy[4320]: [ALERT] 345/140306 (4320) : Fatal errors found in configuration.
Dec 12 14:03:06 haproxy haproxy[4321]: [ALERT] 345/140306 (4321) : http frontend 'http_in' (/etc/haproxy/haproxy.cfg:41) tries to use incompatible tcp backend 'web1' (/etc/haproxy/haproxy.cfg:61) in a 'use_backend' rule (see 'mode').
Dec 12 14:03:06 haproxy haproxy[4321]: [ALERT] 345/140306 (4321) : http frontend 'http_in' (/etc/haproxy/haproxy.cfg:41) tries to use incompatible tcp backend 'web2' (/etc/haproxy/haproxy.cfg:65) in a 'use_backend' rule (see 'mode').
 Dec 12 14:03:06 haproxy haproxy[4321]: [ALERT] 345/140306 (4321) : Fatal errors found in configuration.
Dec 12 14:03:06 haproxy haproxy[4322]: [ALERT] 345/140306 (4322) : http frontend 'http_in' (/etc/haproxy/haproxy.cfg:41) tries to use incompatible tcp backend 'web1' (/etc/haproxy/haproxy.cfg:61) in a 'use_backend' rule (see 'mode').
Dec 12 14:03:06 haproxy haproxy[4322]: [ALERT] 345/140306 (4322) : http frontend 'http_in' (/etc/haproxy/haproxy.cfg:41) tries to use incompatible tcp backend 'web2' (/etc/haproxy/haproxy.cfg:65) in a 'use_backend' rule (see 'mode').

Do I understand something wrong?

T. Muyang
  • I don't believe you can route http frontend requests to a tcp backend, as the error message notes. – jmoney Dec 15 '18 at 19:23
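
The two points raised in the answers above (hdr(host) needs an HTTP-mode frontend, and an http frontend cannot use a tcp backend) combined into one configuration. This is an added example, not a configuration posted by anyone in the thread. The split into two frontends, the `*_tls` backend names, the explicit backend ports, the timeout values and the use of `req.ssl_sni` for TLS passthrough on port 443 are assumptions.

```haproxy
# Added example (not the poster's config): host-based routing with matching modes.
defaults
    mode http                      # frontends/backends inherit http unless overridden
    timeout connect 5s             # assumed values
    timeout client  30s
    timeout server  30s

frontend http_in
    bind *:80
    # hdr(host) only exists once HAProxy parses the request as HTTP,
    # so this frontend must be in http mode (inherited from defaults).
    acl host_web1 hdr(host) -i domain1.tld
    acl host_web2 hdr(host) -i domain2.tld
    use_backend web1 if host_web1
    use_backend web2 if host_web2

frontend https_in
    mode tcp                       # TLS is passed through, not terminated here
    bind *:443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # The Host header is encrypted at this point; route on the SNI
    # carried in the TLS ClientHello instead.
    use_backend web1_tls if { req.ssl_sni -i domain1.tld }
    use_backend web2_tls if { req.ssl_sni -i domain2.tld }

# http backends for the http frontend (modes must match)
backend web1
    server web1 10.10.10.110:80 check

backend web2
    server web2 10.10.10.112:80 check

# tcp backends for the tcp frontend (hypothetical names)
backend web1_tls
    mode tcp
    server web1 10.10.10.110:443 check

backend web2_tls
    mode tcp
    server web2 10.10.10.112:443 check
```

Running `haproxy -c -f /etc/haproxy/haproxy.cfg` before restarting the service reports mode mismatches like the one in the log above without taking the proxy down.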