Re: Problems with SNI config

2017-04-14 Thread Willy Tarreau
Hi Lukas,

On Thu, Apr 13, 2017 at 11:28:16PM +0200, Lukas Tribus wrote:
> [1] https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.23

Just a quick hint, we really need to get used to replacing the outdated
rfc2616 links with the more recent 723x ones, this one is much more
complete:

   https://tools.ietf.org/html/rfc7230#section-5.4

(and what you said remains otherwise correct :-))

Willy



Re: Problems with SNI config

2017-04-13 Thread Lukas Tribus

Hello Jeremy,

you are not using SNI, you are using the Host header to pick the backend.

You are also using a non-standard port, so the browser will append the 
port to the Host header [1].



If 8443 is the port the browser connects to, your ACLs must look like this:
acl site01 hdr(host) -i site01.domain.com:8443
acl site02 hdr(host) -i site02.domain.com:8443


Regards,
Lukas


[1] https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.23
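As an added illustration of the point above (example code written here, not from the thread and not HAProxy's own code): a small Python emulation of the `hdr(host) -i` exact match against Host headers with and without the appended port, next to a port-tolerant comparison. The ACL values and Host values are the thread's; the function names are assumptions.

```python
# Added example, not from the thread: emulates HAProxy's case-insensitive
# exact ACL `hdr(host) -i <value>` against Host headers that carry the
# non-standard port (RFC 7230 section 5.4: Host = uri-host [ ":" port ]),
# alongside a port-tolerant comparison. Host values below are constructed.

# ACL tables mirroring the thread: port-less ACLs and the ":8443" fix.
ACLS_NO_PORT = [("site01.domain.com", "site01"), ("site02.domain.com", "site02")]
ACLS_WITH_PORT = [("site01.domain.com:8443", "site01"),
                  ("site02.domain.com:8443", "site02")]


def hdr_host_i(host_header, pattern):
    """Emulates `hdr(host) -i pattern`: whole-value, case-insensitive match."""
    return host_header.lower() == pattern.lower()


def split_host_port(host_header):
    """Split a Host header into (lower-cased host, port or None).
    Bracketed IPv6 literals keep their brackets; a bare host has no port."""
    if host_header.startswith("["):
        end = host_header.find("]")
        host, rest = host_header[:end + 1], host_header[end + 1:]
    else:
        host, sep, port_str = host_header.partition(":")
        rest = sep + port_str
    port = int(rest[1:]) if rest.startswith(":") and rest[1:].isdigit() else None
    return host.lower(), port


def select_backend(host_header, acls, default_backend=None):
    """First matching use_backend wins (HAProxy evaluates them in order).
    No match and no default_backend leaves no backend at all, which is the
    503 with an empty backend/server field seen in the thread's log line."""
    for pattern, backend in acls:
        if hdr_host_i(host_header, pattern):
            return backend
    return default_backend


def select_backend_ignoring_port(host_header, acls, default_backend=None):
    """Same dispatch, but compares only the host part, so one entry covers
    both `site01.domain.com` and `site01.domain.com:8443`."""
    host, _port = split_host_port(host_header)
    for pattern, backend in acls:
        if host == split_host_port(pattern)[0]:
            return backend
    return default_backend


if __name__ == "__main__":
    browser_host = "site01.domain.com:8443"  # what a browser sends on port 8443
    print(select_backend(browser_host, ACLS_NO_PORT))    # None -> 503
    print(select_backend(browser_host, ACLS_WITH_PORT))  # site01
```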




Re: Problems with SNI config

2017-04-13 Thread Jeremy Utley
Thanks for the suggestion, Brian!  First off, IUS *IS* actually on our
allowed list, so I upgraded to the IUS haproxy RPM v1.7.3 (Our local repo
copy does not have 1.7.4 sync'd into it yet - I didn't even realize haproxy
was in the IUS repo).  I also converted my configuration to be like you
indicated, and I am unfortunately still having the same issue.  Here is my
new front-end configuration (sanitized):

frontend https-8443
bind 192.168.1.1:8443 ssl crt /etc/haproxy/certs/
acl site01 hdr(host) -i site01.domain.com
acl site02 hdr(host) -i site02.domain.com
use_backend site01 if site01
use_backend site02 if site02

If I delete the two use_backend lines, and add a default_backend line, it
works properly.

For additional reference, here are the two backends and my defaults section
as well:

backend site01
balance roundrobin
server server01 192.168.1.2:80

backend site02
balance roundrobin
server server02 192.168.1.3:80

(In this implementation, we're using it more for the proxy functions than
we are the HA functions).

defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000


Also, looking at the log file, all I see is:

Apr 13 16:43:37 tc-vpn01 haproxy[8986]: 192.168.1.100:59689 [13/Apr/2017:16:43:37.874] https-8443~ https-8443/ -1/-1/-1/-1/0 503 212 - - SC-- 0/0/0/0/0 0/0 "GET /favicon.ico HTTP/1.1"

Anyone with any ideas?

Thanks,

Jeremy

On Thu, Apr 13, 2017 at 11:41 AM, Gibson, Brian (IMS) 
wrote:

> I’ve not tried using ACLs in curly brackets like you are, but I can
> confirm that this configuration works for me
>
> acl name1 hdr(host) -i www.example.org
> acl name2 hdr(host) -i www.example-other.org
>
> use_backend backend1 if name1
> use_backend backend2 if name2
>
> I use this code specifically to do what you’re trying to do, though I’m
> using the latest stable build.  I’m pretty sure this code should work in
> 1.5 though as well.
>
> Also if you can’t use self compiled stuff, can you use something like IUS?
> https://ius.io/
>
> *From:* Jeremy Utley [mailto:jer...@ifuzioncorp.com]
> *Sent:* Thursday, April 13, 2017 12:29 PM
> *To:* haproxy@formilux.org
> *Subject:* Problems with SNI config
>
> Hello all!
>
> I'm trying to convert an Apache reverse proxy setup over to using HAProxy,
> but am running into issues with SNI.  I followed
> http://stuff-things.net/2016/11/30/haproxy-sni/ to set this up, but it's
> not working, and I have not yet been able to figure out why.
>
> HAProxy version:  1.5.4-3 installed from the EPEL repo on CentOS 6 (Policy
> here forbids self-compiled versions, so we are limited to only what's
> available to us in EPEL)
>
> I've narrowed down the problem to my frontend definition - if I simplify
> the front-end to not do SNI, it works fine to either backend.  If I add a
> default_backend definition, it goes to the default backend no matter which
> hostname I provide.  Without the default_backend in the frontend
> configuration, I get a 503 error from the proxy.  So something is
> definitely not right with my SNI configuration, but I certainly can not
> find it!
>
> Here is a sanitized version of my frontend definition in haproxy.cfg:
>
> frontend https-8443
> bind 192.168.1.1:8443 ssl crt /etc/haproxy/certs/
> use_backend site1 if { hdr(host) -i site1.domain.com }
> use_backend site2 if { hdr(host) -i site2.domain.com }
>
> We will eventually have something like 20-30 different SSL sites in this
> configuration, along with some IP-based ACLs as well, but I'm not to that
> point as of yet.  I am simply trying to get SNI working, to direct to a
> different backend depending on the hostname requested (which, according to
> my reading, should be perfectly doable with haproxy).
>
> Anybody got any ideas of what I'm doing wrong?
>
> Thanks for your time!
>
> Jeremy Utley
>
> --
>
> Information in this e-mail may be confidential. It is intended only for
> the addressee(s) identified above. If you are not the addressee(s), or an
> employee or agent of the addressee(s), please note that any dissemination,
> distribution, or copying of this communication is strictly prohibited. If
> you have received this e-mail in error, please notify the sender of the
> error.
>


RE: Problems with SNI config

2017-04-13 Thread Gibson, Brian (IMS)
I’ve not tried using ACLs in curly brackets like you are, but I can confirm 
that this configuration works for me

acl name1 hdr(host) -i www.example.org
acl name2 hdr(host) -i www.example-other.org

use_backend backend1 if name1
use_backend backend2 if name2

I use this code specifically to do what you’re trying to do, though I’m using 
the latest stable build.  I’m pretty sure this code should work in 1.5 though 
as well.

Also if you can’t use self compiled stuff, can you use something like IUS? 
https://ius.io/

From: Jeremy Utley [mailto:jer...@ifuzioncorp.com]
Sent: Thursday, April 13, 2017 12:29 PM
To: haproxy@formilux.org
Subject: Problems with SNI config

Hello all!

I'm trying to convert an Apache reverse proxy setup over to using HAProxy, but 
am running into issues with SNI.  I followed 
http://stuff-things.net/2016/11/30/haproxy-sni/  to set this up, but it's not 
working, and I have not yet been able to figure out why.

HAProxy version:  1.5.4-3 installed from the EPEL repo on CentOS 6 (Policy here 
forbids self-compiled versions, so we are limited to only what's available to 
us in EPEL)

I've narrowed down the problem to my frontend definition - if I simplify the 
front-end to not do SNI, it works fine to either backend.  If I add a 
default_backend definition, it goes to the default backend no matter which 
hostname I provide.  Without the default_backend in the frontend configuration, 
I get a 503 error from the proxy.  So something is definitely not right with my 
SNI configuration, but I certainly can not find it!

Here is a sanitized version of my frontend definition in haproxy.cfg:

frontend https-8443
bind 192.168.1.1:8443 ssl crt /etc/haproxy/certs/
use_backend site1 if { hdr(host) -i site1.domain.com }
use_backend site2 if { hdr(host) -i site2.domain.com }


We will eventually have something like 20-30 different SSL sites in this 
configuration, along with some IP-based ACLs as well, but I'm not to that point 
as of yet.  I am simply trying to get SNI working, to direct to a different 
backend depending on the hostname requested (which, according to my reading, 
should be perfectly doable with haproxy).

Anybody got any ideas of what I'm doing wrong?

Thanks for your time!

Jeremy Utley
