HAProxy.cfg with SNI support misses ACL

Hi,

Concerning host-based routing, I am still struggling with the setup. I think the generated haproxy.cfg misses some parts to properly support SNI.

My setup - as I would like to have it - is as follows:

  • Load balancer on 443 with TLS termination (idea: make firewalls happy and route TCP to the actual services via HAProxy)
  • Several different services (TCP and HTTP), all listening on different hostnames (via subdomains) [e.g. service1.example.com]

Example

  • 2 services: one service listening on ports 1883 and 9001, the other service on port 8080
  • Load balancer on port 443
  • The service on port 8080 is HTTP, the others are TCP
  • TLS termination at HAProxy

Generated haproxy.cfg

  • The generated config creates one frontend and one backend with a list of servers.
  • So HAProxy will use round-robin on the backend, which is not what I want. Round-robin would be fine if I scaled to multiple containers.

frontend 2fb62084-7fb7-4e44-96a2-5a0f6bb8e0b4_443_frontend
        bind *:443  ssl crt /etc/haproxy/certs/
        mode tcp

        default_backend 2fb62084-7fb7-4e44-96a2-5a0f6bb8e0b4_443_0_backend

backend 2fb62084-7fb7-4e44-96a2-5a0f6bb8e0b4_443_0_backend
        mode tcp
        timeout check 2000

        # service1.example.com
        server a1955bdd-8504-47ea-b501-b69b28b3e571 10.42.186.32:1883

        # service2.example.com
        server a1955bdd-8504-47ea-b501-b69b28b3e571 10.42.186.32:9001

        # service3.example.com
        server 386e4313-6bb0-47b2-8647-6c7837c7ac42 10.42.216.160:8080

Expected haproxy.cfg

#  TLS-Relay
frontend 2fb62084-7fb7-4e44-96a2-5a0f6bb8e0b4_443_frontend
        bind *:443  ssl crt /etc/haproxy/certs/
        mode tcp

        # Get hostname via SNI and select the proper backend.
        # TLS is terminated on this bind ("ssl crt ..."), so the SNI has to be
        # read from the negotiated session with ssl_fc_sni; req_ssl_sni only
        # works on a raw, un-terminated ClientHello. A use_backend condition
        # names ACLs only, so no fetch follows the ACL name.

        acl acl_a1955bdd-8504-47ea-b501-b69b28b3e571_1883 ssl_fc_sni -i service1.example.com
        use_backend a1955bdd-8504-47ea-b501-b69b28b3e571_1883_0_backend if acl_a1955bdd-8504-47ea-b501-b69b28b3e571_1883

        acl acl_a1955bdd-8504-47ea-b501-b69b28b3e571_9001 ssl_fc_sni -i service2.example.com
        use_backend a1955bdd-8504-47ea-b501-b69b28b3e571_9001_0_backend if acl_a1955bdd-8504-47ea-b501-b69b28b3e571_9001

        acl acl_386e4313-6bb0-47b2-8647-6c7837c7ac42_8080 ssl_fc_sni -i service3.example.com
        use_backend 386e4313-6bb0-47b2-8647-6c7837c7ac42_8080_0_backend if acl_386e4313-6bb0-47b2-8647-6c7837c7ac42_8080

        # No default_backend: a connection whose SNI matches none of the ACLs
        # is closed rather than handed to an arbitrary service.

# service1.example.com
backend a1955bdd-8504-47ea-b501-b69b28b3e571_1883_0_backend
        mode tcp
        timeout check 2000

        server a1955bdd-8504-47ea-b501-b69b28b3e571_1883 10.42.186.32:1883

# service2.example.com
backend a1955bdd-8504-47ea-b501-b69b28b3e571_9001_0_backend
        mode tcp
        timeout check 2000

        server a1955bdd-8504-47ea-b501-b69b28b3e571_9001 10.42.186.32:9001

# service3.example.com
backend 386e4313-6bb0-47b2-8647-6c7837c7ac42_8080_0_backend
        mode tcp
        timeout check 2000

        server 386e4313-6bb0-47b2-8647-6c7837c7ac42_8080 10.42.216.160:8080

Thank you for your help and any suggestions on how I can handle this in Rancher without relying on a custom HAProxy.

Jan

Rancher 1.0.1

The 443 port needs to be protocol=HTTP, not TCP. Advanced routing is based on the host header, not SNI hint, and with TCP there is no parsing of the request to tell what the host is.

But my service is TCP only. There is no Host header in TCP, only in HTTP.

So, is there another way to get this in there? A custom haproxy.cfg? Another IP?

Request Host/Path are HTTP fields and only apply to HTTP listeners. There is no support for SNI routing yet.

1 Like
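Jan's expected config terminates TLS at HAProxy. The other way to get per-hostname routing for TCP services behind a single 443 listener is to not terminate at all: relay the encrypted stream and pick the backend from the SNI in the ClientHello, which is what `req_ssl_sni` is for. The config below is an added example of that passthrough variant, written for this thread; it is not Rancher's generated config or anything from the original posts. The frontend and backend names are placeholders, the addresses and hostnames are the ones quoted in the thread, and it assumes each service presents its own certificate since the load balancer never sees plaintext.

```haproxy
# Added example (not from the thread or Rancher's generator): SNI-based
# routing WITHOUT TLS termination. The frontend relays the encrypted stream
# and selects a backend from the ClientHello, so every backend must present
# its own certificate. Backend/frontend names are placeholders.

defaults
    mode    tcp
    option  tcplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend tls_relay_443
    # No "ssl crt" here: the TLS session is passed through untouched.
    bind *:443
    mode tcp

    # Hold the connection (at most 5s) until the ClientHello has arrived,
    # otherwise req_ssl_sni is evaluated on an empty buffer and never matches.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    # req_ssl_sni reads the server_name extension from the raw ClientHello.
    # Route only on explicit, exact hostnames; the SNI is client-supplied
    # plaintext, so never build backend names from it dynamically.
    acl sni_service1 req_ssl_sni -i service1.example.com
    acl sni_service2 req_ssl_sni -i service2.example.com
    acl sni_service3 req_ssl_sni -i service3.example.com

    use_backend service1_1883 if sni_service1
    use_backend service2_9001 if sni_service2
    use_backend service3_8080 if sni_service3

    # No default_backend: a connection with an unknown SNI, or none at all,
    # is closed instead of being forwarded to whichever service comes first.

backend service1_1883
    mode tcp
    timeout check 2000
    server s1 10.42.186.32:1883 check

backend service2_9001
    mode tcp
    timeout check 2000
    server s1 10.42.186.32:9001 check

backend service3_8080
    mode tcp
    timeout check 2000
    server s1 10.42.216.160:8080 check
```

Validate the file with `haproxy -c -f haproxy.cfg` before reloading. To confirm the routing decision from the outside, connect with `openssl s_client -connect <lb>:443 -servername service1.example.com` and check that the certificate returned belongs to service1; repeating with an unknown name should get the connection closed rather than a certificate from another service. The trade-off versus Jan's terminating config is visibility: with passthrough the load balancer cannot inspect or log anything beyond the SNI and byte counts, so payload-level controls have to live on the services themselves.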