
Mixed http tcp works, but


So I have a work-in-progress configuration, which works if you comment out the unix bind lines and use the (currently commented-out) TCP bind lines instead.

I figured this would work, but it simply does not.

How can I configure this so that sockets are used instead of tcp?

My haproxy -vv output:

HAProxy version 2.9.9-ad75c48 2024/06/14 - https://haproxy.org/
Status: stable branch - will stop receiving fixes around Q1 2025.
Known bugs: http://www.haproxy.org/bugs/bugs-2.9.9.html
Running on: FreeBSD 14.1-RELEASE-p3 FreeBSD 14.1-RELEASE-p3 GENERIC amd64
Build options :
  TARGET  = freebsd
  CPU     = generic
  CC      = cc
  CFLAGS  = -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -Wall -Wextra -Wundef -Wdeclaration-after-statement -Wfatal-errors -Wtype-limits -Wshift-negative-value -Wnull-dereference -fwrapv -Wno-unknown-warning-option -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int -Wno-atomic-alignment -DFREEBSD_PORTS
  OPTIONS = USE_GETADDRINFO=1 USE_OPENSSL=1 USE_ACCEPT4=1 USE_ZLIB=1 USE_CPU_AFFINITY=1 USE_QUIC=1 USE_PROMEX=1 USE_PCRE2=1 USE_PCRE2_JIT=1 USE_QUIC_OPENSSL_COMPAT=1
  DEBUG   = -DDEBUG_STRICT -DDEBUG_MEMORY_POOLS

Feature list : -51DEGREES +ACCEPT4 -BACKTRACE +CLOSEFROM +CPU_AFFINITY -CRYPT_H -DEVICEATLAS -DL -ENGINE -EPOLL -EVPORTS +GETADDRINFO +KQUEUE -LIBATOMIC +LIBCRYPT -LINUX_CAP -LINUX_SPLICE -LINUX_TPROXY -LUA -MATH -MEMORY_PROFILING -NETFILTER -NS -OBSOLETE_LINKER +OPENSSL -OPENSSL_AWSLC -OPENSSL_WOLFSSL -OT -PCRE +PCRE2 +PCRE2_JIT -PCRE_JIT +POLL -PRCTL +PROCCTL +PROMEX -PTHREAD_EMULATION +QUIC +QUIC_OPENSSL_COMPAT -RT +SHM_OPEN -SLZ +SSL -STATIC_PCRE -STATIC_PCRE2 -SYSTEMD -TFO +THREAD -THREAD_DUMP +TPROXY -WURFL +ZLIB

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_TGROUPS=16, MAX_THREADS=256, default=1).
Built with OpenSSL version : OpenSSL 3.0.12 24 Oct 2023
Running on OpenSSL version : OpenSSL 3.0.13 30 Jan 2024
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
OpenSSL providers loaded : default
Built with the Prometheus exporter as a service
Built with zlib version : 1.3
Running on zlib version : 1.3.1
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_BINDANY IPV6_BINDANY
Built with PCRE2 version : 10.43 2024-02-16
PCRE2 library supports JIT : yes
Encrypted password support via crypt(3): yes
Built with clang compiler version 16.0.6 (https://github.com/llvm/llvm-project.git llvmorg-16.0.6-0-g7cbf1a259152)

Available polling systems :
     kqueue : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use kqueue.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
       quic : mode=HTTP  side=FE     mux=QUIC  flags=HTX|NO_UPG|FRAMED
         h2 : mode=HTTP  side=FE|BE  mux=H2    flags=HTX|HOL_RISK|NO_UPG
       fcgi : mode=HTTP  side=BE     mux=FCGI  flags=HTX|HOL_RISK|NO_UPG
         h1 : mode=HTTP  side=FE|BE  mux=H1    flags=HTX|NO_UPG
  <default> : mode=HTTP  side=FE|BE  mux=H1    flags=HTX
       none : mode=TCP   side=FE|BE  mux=PASS  flags=NO_UPG
  <default> : mode=TCP   side=FE|BE  mux=PASS  flags=

Available services : prometheus-exporter
Available filters :
        [BWLIM] bwlim-in
        [BWLIM] bwlim-out
        [CACHE] cache
        [COMP] compression
        [FCGI] fcgi-app
        [SPOE] spoe
        [TRACE] trace
global
        # relative file paths in this config are resolved from the config file's directory
        default-path config

        maxconn 5000

        # Privilege drop: binds and certificate/map loading happen before the chroot is
        # entered and the uid/gid switched; anything opened at runtime (server-side
        # unix@ socket connections below) happens inside the chroot as user haproxy.
        # NOTE(review): server-side unix@ paths are therefore looked up relative to
        # /var/run/haproxy/, not the host root — confirm against the address-format docs.
        chroot /var/run/haproxy/
        user haproxy
        group haproxy

        daemon
        pidfile /var/run/haproxy.pid

        hard-stop-after 5m

        # Stats
        # admin-level control socket: mode 600 + user haproxy restricts it to that user;
        # expose-fd listeners lets a reloaded process inherit the listening sockets
        stats socket /var/run/haproxy-svc1.sock level admin mode 600 user haproxy expose-fd listeners
        stats timeout 1h

        # send logs to stderr for logging via the service manager
        log stderr local0 info
        # second copy to the local syslog collector on 127.0.0.1:514 (UDP)
        log 127.0.0.1:514 local0

        # intermediate security for SSL, from https://ssl-config.mozilla.org/
        # TLS 1.2 cipher list, TLS 1.3 ciphersuites; the minimum protocol version is
        # set per bind line (ssl-min-ver TLSv1.2 in frontend https)
        ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
        # no session tickets: avoids a long-lived ticket key weakening forward secrecy
        ssl-default-bind-options prefer-client-ciphers no-tls-tickets

# default settings common to all HTTP proxies below
# (a defaults section applies to every proxy declared after it, up to the next
# defaults section; the tcp_to_https listener below overrides "mode" itself)
defaults http
        mode http
        log global
        timeout client 1m
        timeout server 1m
        timeout connect 10s
        timeout http-keep-alive 2m
        timeout queue 15s
        timeout tunnel 4h  # for websocket

# provide a stats page on port 8181
frontend stats
        # NOTE(review): bound on all interfaces with no authentication and no source
        # restriction; the page reveals backend names/addresses and, with the commented
        # "stats admin" line, would allow enabling/disabling servers. Enable "stats auth"
        # and/or the ACL below, or bind to a local address, before exposing this host.
        bind :8181
        # provide advanced stats (ssl, h2, ...)
        stats uri /
        stats show-modules
        # some users may want to protect the access to their stats and/or to
        # enable admin mode on the page from local networks
        #  stats auth admin:mystats
        #  stats admin if { src 10.0.0.0/8 172.16.0.0/12 192.168.50.0/16 127.0.0.0/8 }

# HTTP object cache named "cache". It is only declared here: the cache-use /
# cache-store lines in frontend https are commented out, so nothing uses it yet.
cache cache
        total-max-size 200        # RAM cache size in megabytes
        max-object-size 10485760  # max cacheable object size in bytes
        max-age 3600              # max cache duration in seconds
        process-vary on           # handle the Vary header (otherwise don't cache)

# TCP frontend, that splits https to a https backend and passes TCP to tcp
# frontend fe_main_tcp
#         mode tcp
# #       option tcp-smart-accept
#         option tcplog
#         #bind :80,:443
#         tcp-request inspect-delay 10s

#         use_backend web_staging if { req_ssl_sni -i www.someurl.com }

#         default_backend be_main_tcp

# backend be_main_tcp
#         mode tcp
# #       option tcp-smart-connect
#         server common-http unix@/var/run/haproxy/common-http.sock
#         #server common-http unix@common-http.sock send-proxy-v2

# TCP-level entry point: receives raw connections and hands them, still encrypted,
# to the TLS-terminating "https" frontend over a unix socket.
listen tcp_to_https
        mode tcp
        # NOTE(review): :80 is bound here too, but nothing in this listener handles
        # plaintext HTTP. A connection that never sends a TLS ClientHello does not
        # match the accept rule below, appears to be accepted anyway once the inspect
        # delay expires, and is then forwarded to a TLS-only bind where the handshake
        # fails. Only :443 looks intended for this path — confirm.
        bind :80
        bind :443 
        
        # wait up to 5s for the TLS ClientHello; the accept rule short-circuits the
        # delay as soon as one is seen (there is no reject rule, so other traffic is
        # still passed on after the delay)
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }

        #server httpsbackend 127.0.0.1:8443 check
        # Forward the raw TLS stream to the https frontend's unix bind. "check" only
        # verifies that the socket accepts connections.
        # NOTE(review): this connect() is made at runtime, after the global
        # "chroot /var/run/haproxy/" has been entered, so the path is resolved inside
        # the chroot, whereas the bind side (done before chroot) uses the host path.
        # If this is why the unix variant fails, unix@/httpsocket.sock is the likely
        # form here — confirm against the address-format docs.
        server httpsbackend unix@/var/run/haproxy/httpsocket.sock check

# TLS-terminating HTTP frontend. Connections only reach it through the
# tcp_to_https listener above, via the unix socket bound here.
frontend https

        mode http
        option httpslog
        # The socket is created by the haproxy user with mode 600, so only that user
        # can connect to it. crt points at a directory: every certificate in it is
        # loaded and chosen by SNI. ssl-min-ver and the global cipher lists apply.
        bind unix@/var/run/haproxy/httpsocket.sock user haproxy mode 600 ssl crt /usr/local/share/certificates/ ssl-min-ver TLSv1.2 alpn h2,http/1.1
        # direct TCP bind kept for comparison (reported to work in place of the unix one)
        #bind *:8443 ssl crt /usr/local/share/certificates/ ssl-min-ver TLSv1.2 alpn h2,http/1.1
        
        option socket-stats  # provide per-bind line stats

        ## set HSTS for one year after all responses
        # http-after-response set-header Strict-Transport-Security "max-age=31536000"
        # NOTE(review): this frontend has only an ssl bind, so ssl_fc is always true
        # here and the redirect can never fire; plaintext :80 traffic would have to be
        # redirected by the listener that actually receives it.
        http-request redirect scheme https code 301 if !{ ssl_fc }

        # silently ignore connect probes and pre-connect without request
        option http-ignore-probes

        # pass client's IP address to the server and prevent against attempts
        # to inject bad contents (a client-supplied X-Forwarded-For is dropped
        # before forwardfor adds the trusted one)
        # NOTE(review): connections arrive over a unix socket, so the peer address
        # seen here is presumably not the original client's unless the PROXY protocol
        # is used (send-proxy-v2 on the tcp_to_https server line, accept-proxy on the
        # bind above). Without it, the X-Forwarded-For value and the httpslog source
        # field will not identify the real client — verify.
        http-request del-header x-forwarded-for
        option forwardfor

        # enable HTTP compression of text contents
        compression algo deflate gzip
        compression type text/ application/javascript application/xhtml+xml image/x-icon

        # enable HTTP caching of any cacheable content (disabled for now; the "cache"
        # section above stays unused while these are commented out)
        #       http-request  cache-use cache
        #       http-response cache-store cache

        # route by lower-cased Host header through the map file; the map is consulted
        # twice (once for the condition, once for the backend name). Hosts with no
        # entry fall through to web_staging.
        use_backend %[req.hdr(host),lower,map(/usr/local/etc/haproxy/maps/backendselect.map)] if { req.hdr(host),lower,map(/usr/local/etc/haproxy/maps/backendselect.map) -m found }
        default_backend web_staging

# backend backend2
# mode tcp
# server server2 192.168.0.101:443 check

# backend backend3
# mode tcp
# server server3 192.168.0.102:443 check

# #SSL Terminated by HAProxy Backends (plain http traffic between HAProxy and these backends)
# backend backend4
# mode http
# server server4 192.168.0.104:80 check
# http-request set-header X-Forwarded-Port %[dst_port]
# http-request add-header X-Forwarded-Proto https if { ssl_fc }

# backend backend5
# mode http
# server server5 192.168.0.105:80 check
# http-request set-header X-Forwarded-Port %[dst_port]
# http-request add-header X-Forwarded-Proto https if { ssl_fc }
#########haproxy.cfg_END#################

# Default backend: re-encrypts to the staging web server and rewrites Host.
backend web_staging
        mode http
        # Algorithm:
        #  - roundrobin is usually better for short requests,
        #  - leastconn is better for mixed slow ones, and long transfers,
        #  - random is generally good when using multiple load balancers
        balance random

        # abort if the client clicks on stop.
        option abortonclose

        # insert a session cookie for user stickiness
        # NOTE(review): the cookie carries no "secure"/"httponly" attributes; clients
        # only ever reach this backend over TLS (frontend https), so adding them costs
        # nothing: cookie app1 insert indirect nocache secure httponly
        cookie app1 insert indirect nocache

        # check the servers' health using HTTP requests
        option httpchk

        # the health check sends its own Host header, independent of the request
        # rewrites below
        http-check send meth GET uri / ver HTTP/1.1 hdr host staging.someurl.com
        # NOTE(review): this adds a request header literally named "hdr" with the
        # value staging.someurl.com. It looks like a leftover from the http-check
        # syntax above (Host is already set a few lines down) — confirm and drop.
        http-request set-header hdr staging.someurl.com

        # capture the client-facing host *before* Host is rewritten below
        http-request set-header X-Forwarded-Host %[req.hdr(Host)]
        # fixed values: the client-facing path is TLS on the :443 listener
        http-request set-header X-Forwarded-Port 443
        http-request set-header X-Forwarded-Proto https
        #http-request set-header Host %[req.hdr(Host)]
        http-request set-header Host staging.someurl.com

        # NOTE(review): "verify none" encrypts the hop to 192.168.50.50 but does not
        # authenticate the server certificate, so the backend link is open to
        # impersonation from the LAN; prefer "verify required" with a ca-file.
        default-server ssl verify none

        # do not overload the servers (100 concurrent conns max each)
        server staging-windows-webserver 192.168.50.50:443 cookie s1 maxconn 100 check inter 1s
        #server srv2 192.0.2.2:80 cookie s2 maxconn 100 check inter 1s
        #server srv3 192.0.2.3:80 cookie s3 maxconn 100 check inter 1s
        #server srv4 192.0.2.4:80 cookie s4 maxconn 100 check inter 1s
