Hi,
concerning the host-based routing I am still struggling with the setup. I think the generated haproxy.cfg misses some parts to properly support SNI.
My setup - as I would like to have it - is as follows:
- Loadbalancer with 443 and TLS Termination (Idea: Make firewalls happy and route TCP to actual services via haproxy)
- Several different services (TCP and HTTP) all listening on different hostnames (via subdomains) [e.g. service1.example.com]
Example
- 2 Services. 1 Service listening on Ports 1883, 9001, other service on Port 8080
- loadbalancer on port 443.
- Service on Port 8080 is HTTP, the others are TCP - TLS Termination at Haproxy
Generated haproxy.cfg
- The generated config creates one Frontend and one Backend with a list of servers.
- So haproxy will use RoundRobin on the backend, which is not what I want. RoundRobin would be fine if I scaled to multiple containers.
```
frontend 2fb62084-7fb7-4e44-96a2-5a0f6bb8e0b4_443_frontend
    bind *:443 ssl crt /etc/haproxy/certs/
    mode tcp
    default_backend 2fb62084-7fb7-4e44-96a2-5a0f6bb8e0b4_443_0_backend

backend 2fb62084-7fb7-4e44-96a2-5a0f6bb8e0b4_443_0_backend
    mode tcp
    timeout check 2000
    # service1.example.com
    server a1955bdd-8504-47ea-b501-b69b28b3e571 10.42.186.32:1883
    # service2.example.com
    server a1955bdd-8504-47ea-b501-b69b28b3e571 10.42.186.32:9001
    # service3.example.com
    server 386e4313-6bb0-47b2-8647-6c7837c7ac42 10.42.216.160:8080
```
Expected haproxy.cfg
- I should have one frontend, the TLS-Relay, which takes care of splitting 443 to its different destinations. See also: Enhanced SSL Load Balancing with Server Name Indication (SNI) TLS Extension - HAProxy Technologies
```
# TLS-Relay
frontend 2fb62084-7fb7-4e44-96a2-5a0f6bb8e0b4_443_frontend
    bind *:443 ssl crt /etc/haproxy/certs/
    mode tcp
    # Get hostname via SNI and select proper Backend.
    # TLS is terminated on this bind, so the SNI of the handshake is read with
    # ssl_fc_sni (req_ssl_sni only sees the raw ClientHello of a passed-through
    # stream). The use_backend condition is just the ACL name.
    acl acl_a1955bdd-8504-47ea-b501-b69b28b3e571_1883 ssl_fc_sni -i service1.example.com
    use_backend a1955bdd-8504-47ea-b501-b69b28b3e571_1883_0_backend if acl_a1955bdd-8504-47ea-b501-b69b28b3e571_1883
    acl acl_a1955bdd-8504-47ea-b501-b69b28b3e571_9001 ssl_fc_sni -i service2.example.com
    use_backend a1955bdd-8504-47ea-b501-b69b28b3e571_9001_0_backend if acl_a1955bdd-8504-47ea-b501-b69b28b3e571_9001
    acl acl_386e4313-6bb0-47b2-8647-6c7837c7ac42_8080 ssl_fc_sni -i service3.example.com
    use_backend 386e4313-6bb0-47b2-8647-6c7837c7ac42_8080_0_backend if acl_386e4313-6bb0-47b2-8647-6c7837c7ac42_8080

# service1.example.com
backend a1955bdd-8504-47ea-b501-b69b28b3e571_1883_0_backend
    mode tcp
    timeout check 2000
    server a1955bdd-8504-47ea-b501-b69b28b3e571_1883 10.42.186.32:1883

# service2.example.com
backend a1955bdd-8504-47ea-b501-b69b28b3e571_9001_0_backend
    mode tcp
    timeout check 2000
    server a1955bdd-8504-47ea-b501-b69b28b3e571_9001 10.42.186.32:9001

# service3.example.com
backend 386e4313-6bb0-47b2-8647-6c7837c7ac42_8080_0_backend
    mode tcp
    timeout check 2000
    server 386e4313-6bb0-47b2-8647-6c7837c7ac42_8080 10.42.216.160:8080
```
Thank you for your help and any suggestions on how I can handle this in Rancher without relying on a custom haproxy.
Jan
Rancher 1.0.1
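The following is an added example, not code from the post or from Rancher's config generator: it renders the per-hostname SNI-routed haproxy.cfg the post expects from a constructed service list, for both TLS termination (`ssl_fc_sni`) and TLS passthrough (`req_ssl_sni`, which needs the ClientHello inspected first), and refuses a hostname that would be routed to two backends. The frontend id, the 5s inspect delay and the catch-all `no_match_backend` are assumptions.

```python
"""Render an SNI-routed haproxy.cfg: one ACL and one backend per hostname.
Added illustration of the config shape discussed above, not Rancher's generator."""
from collections import Counter

# Constructed sample input: (service uuid, hostname, address, port); values are placeholders
SERVICES = [
    ("a1955bdd-8504-47ea-b501-b69b28b3e571", "service1.example.com", "10.42.186.32", 1883),
    ("a1955bdd-8504-47ea-b501-b69b28b3e571", "service2.example.com", "10.42.186.32", 9001),
    ("386e4313-6bb0-47b2-8647-6c7837c7ac42", "service3.example.com", "10.42.216.160", 8080),
]


def render(services, frontend_id, terminate_tls=True):
    """Return haproxy.cfg text.

    terminate_tls=True  -> bind with 'ssl crt' and route on ssl_fc_sni, the SNI
                           of the connection HAProxy itself terminated.
    terminate_tls=False -> pass TLS through untouched and route on req_ssl_sni,
                           which only works after the ClientHello is inspected.
    A hostname mapped to two backends is a misrouting bug, so it is rejected."""
    dup = [h for h, n in Counter(h for _, h, _, _ in services).items() if n > 1]
    if dup:
        raise ValueError(f"hostname routed to more than one backend: {dup}")
    lines = [f"frontend {frontend_id}_443_frontend"]
    if terminate_tls:
        lines += ["    bind *:443 ssl crt /etc/haproxy/certs/", "    mode tcp"]
        sni = "ssl_fc_sni"
    else:
        lines += ["    bind *:443", "    mode tcp",
                  "    tcp-request inspect-delay 5s",  # assumed delay, wait for ClientHello
                  "    tcp-request content accept if { req_ssl_hello_type 1 }"]
        sni = "req_ssl_sni"
    for uuid, host, _, port in services:
        name = f"{uuid}_{port}"  # uuid+port keeps server names unique per container port
        lines.append(f"    acl acl_{name} {sni} -i {host}")
        lines.append(f"    use_backend {name}_0_backend if acl_{name}")
    # Unknown or missing SNI must not fall through to an arbitrary service
    lines.append("    default_backend no_match_backend")
    for uuid, host, addr, port in services:
        name = f"{uuid}_{port}"
        lines += [f"# {host}", f"backend {name}_0_backend", "    mode tcp",
                  "    timeout check 2000", f"    server {name} {addr}:{port}"]
    lines += ["backend no_match_backend", "    mode tcp",
              "    # no server defined: unmatched connections are closed"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render(SERVICES, "2fb62084-7fb7-4e44-96a2-5a0f6bb8e0b4"))
```

Check the result with `haproxy -c -f haproxy.cfg` before deploying, and confirm routing per hostname with `openssl s_client -servername <host>`.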