Hi,

Likely I'm the one doing something wrong, but I can't figure it out.

I have the following configuration:

frontend the_frontend
  mode http
  bind *:80
  bind *:443 ssl crt /etc/haproxy/ssl/star.intern.pem
  maxconn 2000
  use_backend host1 if { hdr_dom(host) -i host1.intern }
  use_backend host2 if { hdr_dom(host) -i host2.intern }
  use_backend host3 if { hdr_dom(host) -i host3.intern }
  use_backend host4 if { hdr_dom(host) -i host4.intern }
  use_backend host5 if { hdr_dom(host) -i host5.intern }
  capture request header User-Agent len 500
  redirect scheme https code 301 if !{ ssl_fc }
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Ssl on if { ssl_fc }
  http-response set-header Strict-Transport-Security max-age=15768000
  http-response set-header X-Server %s

backend host3
  mode http
  server server1 10.10.10.11:443 check check-ssl ssl verify none force-tlsv12 maxconn 3000 cookie s1 check-sni host3.intern
  server server2 10.10.10.12:443 check check-ssl ssl verify none force-tlsv12 maxconn 3000 cookie s2 check-sni host3.intern
  option httpclose
  option forwardfor
  option httpchk GET / HTTP/1.1\r\nHost:\ host3.intern\r\nConnection:\ close
  http-check expect string Hello
  http-check disable-on-404
  cookie SERVERID insert indirect nocache httponly
  balance leastconn
  stick-table type string len 52 size 100k expire 60m

Health checks are OK.

But running a curl gives a 503:

curl -kv --resolve "host3.intern:443:10.10.10.1" -H "Host: host3.intern" https://host3.intern:443/bla2

The other side is IIS hosts, and my co-worker says that if he disables SNI on one host, the rest start working.

Not sure if the stick-table line is actually correct (someone else built this).

On one of my configs, the stick-table config is a bit larger, like this:

  stick-table type string len 52 size 100k expire 60m
  stick store-response res.cook(JSESSIONID)
  stick on req.cook(JSESSIONID)

But it should not be relevant to the error, right?

Anyone got any ideas?





Regards
Rainer
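An added example, not part of Rainer's post, showing the backend section rewritten so that proxied requests carry the SNI the IIS sites expect (check-sni only applies to health checks, so real traffic in the original config is sent without a server name, and a failed TLS handshake to the server surfaces as a 503) and so that the backend certificate is actually verified instead of "verify none". It assumes the IIS sites require SNI (consistent with the co-worker's observation), that the IIS certificates carry host3.intern as a SAN, and that the internal CA bundle is at /etc/haproxy/ssl/intern-ca.pem (a placeholder path).

```haproxy
# Added example, not from the original post.
backend host3
  mode http
  balance leastconn
  option forwardfor
  option httpchk GET / HTTP/1.1\r\nHost:\ host3.intern\r\nConnection:\ close
  http-check expect string Hello
  http-check disable-on-404
  cookie SERVERID insert indirect nocache httponly

  # "sni" sets the TLS server name on proxied connections; "check-sni" only
  # covers the health check. Because this backend serves exactly one site,
  # a fixed string is used; "sni req.hdr(host)" is the alternative for a
  # backend shared by several hostnames.
  # "verify required" + ca-file makes HAProxy reject an impostor backend
  # instead of accepting any certificate as "verify none" does.
  # Placeholder path: /etc/haproxy/ssl/intern-ca.pem (assumption).
  default-server ssl sni str(host3.intern) verify required ca-file /etc/haproxy/ssl/intern-ca.pem force-tlsv12 check check-ssl check-sni host3.intern maxconn 3000

  server server1 10.10.10.11:443 cookie s1
  server server2 10.10.10.12:443 cookie s2
```

After reloading, a failing handshake can still be distinguished from an application error by the termination flags in the HAProxy log (a server-side connect failure shows as "SC"), which is worth checking alongside the curl output.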