Channel: HAProxy community - Latest topics

Random ACL mismatch


Hey there,

I’m running haproxy 2.0.14-1~bpo10+1 2020/04/16.

I’m encountering the error that in one request all ACLs work just fine, and if I or someone else reloads the site or connects for the first time, the ACLs won’t work anymore.
This is random: sometimes it works, sometimes it doesn’t.

I’m not running any SSL/TLS certificate on the haproxy.

I’m not sure what can cause this.
Here’s my config:

global
        log /dev/log    local0 info
        log /dev/log    local1 info
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
#       ca-base /etc/ssl/certs
#       crt-base /etc/ssl/private

        # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http




frontend server_http
        bind *:80

        #acl's

                ##sahnee public stuff
                #sahnee.de
                acl is_sahneedehttp hdr(host) -i sahnee.de
                acl is_sahneedehttp1 hdr(host) -i www.sahnee.de

                #sahnee.dev
                acl is_autodiscover hdr(host) -m beg -i autodiscover.sahnee.dev
                acl is_autodiscover2 hdr(host) -i autodiscover.sahnee.dev
                acl is_autodiscover3 hdr_beg(host) -i autodiscover.sahnee.dev
                acl is_autodiscover4 hdr(host) -m sub -i Autodiscover.xml
                acl is_autodiscover5 hdr(host) -m dom -i autodiscover.sahnee.dev
                acl is_sahneedevhttp hdr(host) -i sahnee.dev
                acl is_sahneedevhttp1 hdr(host) -i www.sahnee.dev
                ##sahnee internal stuff

                ##other stuff

        #custom backends
        use_backend autodiscover_http if is_autodiscover
        use_backend autodiscover_http if is_autodiscover2
        use_backend autodiscover_http if is_autodiscover3
        use_backend autodiscover_http if is_autodiscover4 or is_autodiscover5
        use_backend sahneeserverhttp if is_sahneedevhttp or is_sahneedevhttp1 or is_sahneedehttp or is_sahneedehttp1
        #Default Backend
        default_backend hosting_defaulthttp

frontend server_https
        mode tcp
        bind *:443
        option tcplog
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }

        #acl's

                ##sahnee stuff
                acl is_sahneedev req_ssl_sni -i sahnee.dev
                acl is_sahneedev1 req_ssl_sni -i www.sahnee.dev
                acl is_sahneede req_ssl_sni -i sahnee.de
                acl is_sahneede1 req_ssl_sni -i www.sahnee.de
                acl is_autodiscover req.ssl_sni -m beg -i autodiscover.sahnee.dev
                acl is_autodiscover2 req.ssl_sni -i autodiscover.sahnee.dev
                acl is_autodiscover3 req.ssl_sni -m sub -i Autodiscover.xml
                ##sahnee internal stuff
                acl is_vault req.ssl_sni -i vault.sahnee.internal
                ##other stuff

        #other backends
        use_backend vault_https if is_vault
        use_backend sahneeserverhttps if is_sahneedev or is_sahneedev1 or is_sahneede or is_sahneede1
        use_backend autodiscover_https if is_autodiscover or is_autodiscover2 or is_autodiscover3

        #Default Backend
        default_backend hosting_defaulthttps

backend hosting_defaulthttp
        http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
        server websrv02 10.12.10.118

backend hosting_defaulthttps
        mode tcp
        server websrv02https 10.12.10.118

backend sahneeserverhttps
        mode tcp
        server websrv01 10.12.10.10

backend sahneeserverhttp
        server websrv01 10.12.10.10

#internal servers
backend autodiscover_http
        server exchange_http 10.11.10.106

backend autodiscover_https
        mode tcp
        server exchange_https 10.11.10.106

backend vault_https
        mode tcp
        server vault 10.11.10.105:8200

So far I think I’ve tried a whole lot…
That’s why some things look strange and the autodiscover ACLs are mixed up.

Thanks ahead for any help
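The following is an added example, not part of the original post and not HAProxy's own code. It is a simplified Python model of the string-match modes the HTTP frontend above uses (the default exact match, `-m beg`, `-m sub` and `-m dom`, all with `-i`), with the frontend's ACLs and `use_backend` lines transcribed so that the backend chosen for a given Host header can be worked out on paper. Every Host value that matches no rule falls through to `default_backend`, which in this config is a different server, so it is worth knowing exactly which values match. The delimiter set used for the domain match is an assumption about HAProxy's behaviour, and the Host header values are constructed.

```python
"""Simplified model of HAProxy's string-match modes applied to Host headers.

Added example, not HAProxy code. The ACLs and rules below are transcribed
from the HTTP frontend in the post; the Host values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumption: characters HAProxy treats as word boundaries in a "dom" match.
DOM_DELIMS = set(".:/?")


def match_str(value: str, pattern: str) -> bool:
    """Default (exact) string match: the whole value must equal the pattern."""
    return value == pattern


def match_beg(value: str, pattern: str) -> bool:
    """-m beg: the pattern is a prefix of the value."""
    return value.startswith(pattern)


def match_sub(value: str, pattern: str) -> bool:
    """-m sub: the pattern occurs anywhere in the value."""
    return pattern in value


def match_dom(value: str, pattern: str) -> bool:
    """-m dom: the pattern occurs in the value, bounded by delimiters or string ends."""
    start = 0
    while True:
        i = value.find(pattern, start)
        if i < 0:
            return False
        j = i + len(pattern)
        left_ok = i == 0 or value[i - 1] in DOM_DELIMS
        right_ok = j == len(value) or value[j] in DOM_DELIMS
        if left_ok and right_ok:
            return True
        start = i + 1


MATCHERS = {"str": match_str, "beg": match_beg, "sub": match_sub, "dom": match_dom}


@dataclass
class Acl:
    name: str
    mode: str
    pattern: str

    def matches(self, host: str) -> bool:
        # -i: compare case-insensitively, so the Host header's case is irrelevant
        return MATCHERS[self.mode](host.lower(), self.pattern.lower())


@dataclass
class Rule:
    """One use_backend line; its ACL names are OR-ed, as in 'if a or b'."""
    backend: str
    acls: List[str]


# ACLs of frontend server_http, transcribed (hdr_beg(host) is "-m beg").
HTTP_ACLS = [
    Acl("is_sahneedehttp", "str", "sahnee.de"),
    Acl("is_sahneedehttp1", "str", "www.sahnee.de"),
    Acl("is_autodiscover", "beg", "autodiscover.sahnee.dev"),
    Acl("is_autodiscover2", "str", "autodiscover.sahnee.dev"),
    Acl("is_autodiscover3", "beg", "autodiscover.sahnee.dev"),
    Acl("is_autodiscover4", "sub", "Autodiscover.xml"),
    Acl("is_autodiscover5", "dom", "autodiscover.sahnee.dev"),
    Acl("is_sahneedevhttp", "str", "sahnee.dev"),
    Acl("is_sahneedevhttp1", "str", "www.sahnee.dev"),
]

# use_backend lines in config order: HAProxy takes the first rule that is true.
HTTP_RULES = [
    Rule("autodiscover_http", ["is_autodiscover"]),
    Rule("autodiscover_http", ["is_autodiscover2"]),
    Rule("autodiscover_http", ["is_autodiscover3"]),
    Rule("autodiscover_http", ["is_autodiscover4", "is_autodiscover5"]),
    Rule("sahneeserverhttp", ["is_sahneedevhttp", "is_sahneedevhttp1",
                              "is_sahneedehttp", "is_sahneedehttp1"]),
]
HTTP_DEFAULT = "hosting_defaulthttp"


def evaluate(host: str, acls: List[Acl] = HTTP_ACLS) -> Dict[str, bool]:
    """Truth table of every ACL for one Host header value."""
    return {a.name: a.matches(host) for a in acls}


def route(host: str, acls=HTTP_ACLS, rules=HTTP_RULES, default=HTTP_DEFAULT) -> str:
    """Backend the frontend would select for this Host header (first match wins)."""
    truth = evaluate(host, acls)
    for rule in rules:
        if any(truth[name] for name in rule.acls):
            return rule.backend
    return default


def compare_modes(host: str, pattern: str = "sahnee.de") -> Dict[str, bool]:
    """How one pattern behaves under each match mode for a given Host value."""
    return {mode: Acl("probe", mode, pattern).matches(host) for mode in MATCHERS}


if __name__ == "__main__":
    # Constructed Host header values, including one carrying an explicit port.
    for host in ["sahnee.de", "SAHNEE.DE", "sahnee.de:8080", "www.sahnee.de",
                 "autodiscover.sahnee.dev", "sahnee.de.example", "other.example"]:
        print(f"{host:26} -> {route(host):20} {compare_modes(host)}")
```

Running the script shows the two behaviours a troubleshooter cares about here: an exact match (`acl x hdr(host) -i sahnee.de`) is false as soon as the client sends a port in the Host header, so such a request lands on `default_backend`, while a `-m dom` match also accepts `sahnee.de.example`, so a hostname-prefix pattern with `-m dom` or `-m beg` is broader than it looks. Under the model's assumptions, `route()` and `compare_modes()` can be used to check any Host value against the transcribed rules before changing the live configuration.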
