TCP routing by domain?

Helllo, I’m having trouble routing traffic based on domain, working with TCP.
Idea is - always use “main” backend, and only use recaptcha backend for domains matching the ACL.

Tried using -
req.ssl_sni -i
req.ssl_sni -m sub -i
req.payload(5,16) -m sub

nothing seems to work, please help

 global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

    defaults
        log     global
        mode    tcp
        option  tcplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
#log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r"


listen stats
bind  :9000
mode http
stats enable
stats hide-version
stats realm Haproxy\ Statistics
stats uri /
stats auth login:pass



    frontend squid
        bind *:8000
mode tcp
    option tcplog

#    option httplog

        default_backend main


#acl whoer req.payload(5,16) -m sub whoer.net
acl whoer req.ssl_sni -i whoer.net




use_backend recaptcha if whoer










    backend main

stick-table type ip size 2 nopurge
stick on dst

    option httpchk GET / HTTP/1.1\r\nHost:\ google.com

        balance roundrobin
    #   balance first
        mode tcp
        default-server  fall 5 rise 1
timeout check 7s

        server squid1 private.myserver:1001 check inter 15s


#       server googler  google.com check inter 5s

backend recaptcha
stick-table type ip size 2 nopurge
stick on dst

  mode tcp
        server recap1 private.myserver.net:1005

6 posts - 2 participants

Read full topic