@kmoschkau wrote:
Hello, hopefully I am making a simple error, but I cannot get ACLs to work with the Frontend in TCP mode. I receive a 502 error when I add the ACL and no traffic gets redirected to the Backend.
I am working off the documentation here: https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#7.3.5-req.ssl_sni
OS is RedHat Hardened AMI in AWS. The server is behind a public load-balancer. HAProxy version 1.8.15.
I have set the default_backend of the Frontend to several different servers and gotten it to resolve, so I believe my Backend configuration is correct. Here is my config:
```
global
    log 127.0.0.1 local0
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon
    stats socket /var/lib/haproxy/stats

defaults
    mode tcp
    log global
    option tcplog
    option dontlognull
    option http-server-close
    retries 100
    timeout http-request 30s
    timeout queue 1m
    timeout connect 30s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 1000s
    timeout check 30s

frontend test
    bind *:80
    bind *:443
    mode tcp
    #default_backend test2.domain2
    tcp-request inspect-delay 10s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend test1.domain1 if { req.ssl_sni -m end domain1 }

backend test1.domain1
    mode tcp
    option ssl-hello-chk
    server test1.domain1 123.123.123.123:443

backend test2.domain2
    mode tcp
    option ssl-hello-chk
    server test2.domain2 hostname.domain.com:443
```
Log results:

```
Jul 9 17:44:42 localhost haproxy[14846]: 192.168.13.130:32222 [09/Jul/2019:17:44:42.610] test test/<NOSRV> -1/-1/0 0 SC 2/2/0/0/0 0/0
Jul 9 17:44:42 localhost haproxy[14846]: 192.168.13.130:32224 [09/Jul/2019:17:44:42.610] test test/<NOSRV> -1/-1/0 0 SC 1/1/0/0/0 0/0
Jul 9 17:44:48 localhost haproxy[14846]: 192.168.49.111:49208 [09/Jul/2019:17:44:48.618] test test/<NOSRV> -1/-1/0 0 SC 2/2/0/0/0 0/0
Jul 9 17:44:48 localhost haproxy[14846]: 192.168.49.111:49210 [09/Jul/2019:17:44:48.618] test test/<NOSRV> -1/-1/0 0 SC 1/1/0/0/0 0/0
...
```
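An added illustration, not part of the original post, of what `req_ssl_hello_type 1` and `req.ssl_sni` actually inspect on the wire: a minimal parser that pulls the server_name out of a raw TLS ClientHello record, a constructed ClientHello to feed it, and the same suffix test the ACL `req.ssl_sni -m end domain1` performs. Plain HTTP bytes (what a `bind *:80` listener receives) contain no ClientHello, so the parser returns None and the suffix test cannot match; the sample bytes and helper names below are assumptions, not HAProxy code.

```python
import struct


def parse_client_hello_sni(data: bytes):
    """Return the SNI host_name from a raw TLS ClientHello record, or None.

    Checks the same things HAProxy does: record type 22 (handshake),
    handshake type 1 (ClientHello), then a server_name extension (type 0).
    Anything else, including plain HTTP or truncated data, yields None.
    """
    try:
        if len(data) < 5 or data[0] != 0x16:          # not a TLS handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        body = data[5:5 + rec_len]
        if len(body) < 4 or body[0] != 0x01:          # not a ClientHello
            return None
        p = 4 + 2 + 32                                # hs header, version, random
        p += 1 + body[p]                              # session id
        p += 2 + struct.unpack("!H", body[p:p + 2])[0]  # cipher suites
        p += 1 + body[p]                              # compression methods
        if p + 2 > len(body):
            return None                               # no extensions block
        end = p + 2 + struct.unpack("!H", body[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", body[p:p + 4])
            p += 4
            if ext_type == 0:                         # server_name extension
                # list_len(2) name_type(1) name_len(2) host_name
                name_len = struct.unpack("!H", body[p + 3:p + 5])[0]
                return body[p + 5:p + 5 + name_len].decode("ascii")
            p += ext_size
        return None
    except (IndexError, struct.error):
        return None


def build_client_hello(host: str) -> bytes:
    """Constructed minimal TLS 1.2-style ClientHello carrying only an SNI extension."""
    name = host.encode("ascii")
    sni = struct.pack("!H", len(name) + 3) + b"\x00" + struct.pack("!H", len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    hello = (b"\x03\x03" + b"\x00" * 32 + b"\x00"     # version, random, empty session id
             + b"\x00\x02\x13\x01"                    # one cipher suite
             + b"\x01\x00"                            # one compression method (null)
             + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello   # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def matches_acl(sni, suffix="domain1"):
    """Equivalent of `req.ssl_sni -m end domain1`: a missing SNI never matches."""
    return sni is not None and sni.endswith(suffix)
```

Running `parse_client_hello_sni` over a captured first packet from a failing connection tells you whether HAProxy ever had an SNI to match against.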