Problems with SNI config

Jeremy Utley
Problems with SNI config
April 13, 2017 06:40PM
Hello all!

I'm trying to convert an Apache reverse proxy setup over to using HAProxy,
but am running into issues with SNI. I followed
http://stuff-things.net/2016/11/30/haproxy-sni/ to set this up, but it's
not working, and I have not yet been able to figure out why.

HAProxy version: 1.5.4-3 installed from the EPEL repo on Centos 6 (Policy
here forbids self-compiled versions, so we are limited to only what's
available to us in EPEL)

I've narrowed down the problem to my frontend definition - if I simplify
the front-end to not do SNI, it works fine to either backend. If I add a
default_backend definition, it goes to the default backend no matter which
hostname I provide. Without the default_backend in the frontend
configuration, I get a 503 error from the proxy. So something is
definitely not right with my SNI configuration, but I certainly cannot
find it!

Here is a sanitized version of my frontend definition in haproxy.cfg:

frontend https-8443
bind 192.168.1.1:8443 ssl crt /etc/haproxy/certs/
use_backend site1 if { hdr(host) -i site1.domain.com }
use_backend site2 if { hdr(host) -i site2.domain.com }


We will eventually have something like 20-30 different SSL sites in this
configuration, along with some IP-based ACLs as well, but I'm not to that
point as of yet. I am simply trying to get SNI working, to direct to a
different backend depending on the hostname requested (which, according to
my reading, should be perfectly doable with haproxy).

Anybody got any ideas of what I'm doing wrong?

Thanks for your time!

Jeremy Utley
Gibson, Brian (IMS)
RE: Problems with SNI config
April 13, 2017 06:50PM
I’ve not tried using ACLs in curly brackets like you are, but I can confirm that this configuration works for me

acl name1 hdr(host) -i www.example.org
acl name2 hdr(host) -i www.example-other.org

use_backend backend1 if name1
use_backend backend2 if name2

I use this code specifically to do what you’re trying to do, though I’m using the latest stable build. I’m pretty sure this code should work in 1.5 though as well.

Also if you can’t use self compiled stuff, can you use something like IUS? https://ius.io/

Jeremy Utley
Re: Problems with SNI config
April 13, 2017 11:10PM
Thanks for the suggestion, Brian! First off, IUS *IS* actually on our
allowed list, so I upgraded to the IUS haproxy RPM v1.7.3 (Our local repo
copy does not have 1.7.4 sync'd into it yet - I didn't even realize haproxy
was in the IUS repo). I also converted my configuration to be like you
indicated, and I am unfortunately still having the same issue. Here is my
new front-end configuration (sanitized):

frontend https-8443
bind 192.168.1.1:8443 ssl crt /etc/haproxy/certs/
acl site01 hdr(host) -i site01.domain.com
acl site02 hdr(host) -i site02.domain.com
use_backend site01 if site01
use_backend site02 if site02

If I delete the two use_backend lines, and add a default_backend line, it
works properly.

For additional reference, here are the two backends and my defaults section
as well:

backend site01
balance roundrobin
server server01 192.168.1.2:80

backend site02
balance roundrobin
server server02 192.168.1.3:80

(In this implementation, we're using it more for the proxy functions than
we are the HA functions).

defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000


Also, looking at the log file, all I see is:

Apr 13 16:43:37 tc-vpn01 haproxy[8986]: 192.168.1.100:59689
[13/Apr/2017:16:43:37.874] https-8443~ https-8443/<NOSRV> -1/-1/-1/-1/0 503
212 - - SC-- 0/0/0/0/0 0/0 "GET /favicon.ico HTTP/1.1"

Anyone with any ideas?

Thanks,

Jeremy

Lukas Tribus
Re: Problems with SNI config
April 13, 2017 11:40PM
Hello Jeremy,

you are not using SNI, you are using the Host header to pick the backend.

You are also using a non-standard port, so the browser will append the
port to the Host header [1].


If 8443 is the port the browser connects to, your ACLs must look like this:
acl site01 hdr(host) -i site01.domain.com:8443
acl site02 hdr(host) -i site02.domain.com:8443


Regards,
Lukas


[1] https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.23
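The Host-header behaviour Lukas describes, as an added example that is not part of the thread or of HAProxy itself: it models HAProxy's `hdr(host) -i` match against the Host value a browser sends on port 8443 versus 443, showing why the ACLs as posted never match and the log ends in `<NOSRV>` / 503. The function names and rule tables are the example's own assumptions.

```python
# Added example (not from the thread): models the Host-header matching that
# the posted HAProxy config relies on, and why a non-default port breaks it.
# Assumption: HAProxy's `hdr(host) -i <value>` is modelled as an exact,
# case-insensitive comparison of the whole header value.
DEFAULT_PORTS = {"http": 80, "https": 443}


def host_header(scheme, host, port):
    """Host header a browser sends for scheme://host:port/ (RFC 7230 §5.4):
    the port is appended unless it is the scheme's default port."""
    if port == DEFAULT_PORTS[scheme]:
        return host
    return f"{host}:{port}"


def hdr_host_matches(header_value, pattern):
    """Emulates `acl x hdr(host) -i pattern`: whole value, case-insensitive."""
    return header_value.lower() == pattern.lower()


def pick_backend(rules, header_value, default_backend=None):
    """Emulates `use_backend <name> if <acl>` lines evaluated in order.
    Returns the backend name, or "<NOSRV>" (what HAProxy logs before answering
    503) when nothing matches and no default_backend is configured."""
    for backend, pattern in rules:
        if hdr_host_matches(header_value, pattern):
            return backend
    return default_backend if default_backend else "<NOSRV>"


# ACLs as posted (no port) and the corrected ones (port appended).
RULES_AS_POSTED = [("site01", "site01.domain.com"), ("site02", "site02.domain.com")]
RULES_WITH_PORT = [("site01", "site01.domain.com:8443"), ("site02", "site02.domain.com:8443")]


def route(rules, scheme, host, port, default_backend=None):
    """Full path: build the Host header the browser sends, then route on it."""
    return pick_backend(rules, host_header(scheme, host, port), default_backend)


if __name__ == "__main__":
    # Browser hits https://site01.domain.com:8443/ -> Host: site01.domain.com:8443
    print(route(RULES_AS_POSTED, "https", "site01.domain.com", 8443))  # <NOSRV>
    print(route(RULES_WITH_PORT, "https", "site01.domain.com", 8443))  # site01
    # On the default port the original ACLs would have matched.
    print(route(RULES_AS_POSTED, "https", "SITE02.domain.com", 443))   # site02
```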
Willy Tarreau
Re: Problems with SNI config
April 14, 2017 11:30AM
Hi Lukas,

On Thu, Apr 13, 2017 at 11:28:16PM +0200, Lukas Tribus wrote:
> [1] https://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.23

Just a quick hint, we really need to get used to replacing the outdated
rfc2616 links with the more recent 723x ones; this one is much more
complete:

https://tools.ietf.org/html/rfc7230#section-5.4

(and what you said remains otherwise correct :-))

Willy