Request host on loadbalancer doesn't work as expected, might I be doing something wrong?

I got the following on my docker-compose.yml file:

ports:
  - 443:443/tcp
  - 5000:5000/tcp
labels:
  io.rancher.loadbalancer.target.sslproxy: portus.my.domain:443=443
  io.rancher.loadbalancer.target.registry: registry.my.domain:443=443,5000=5000

I’m expecting to be able to request https://registry.my.domain and https://registry.my.domain:5000 and be able to access the registry container, and at the same time be able to do https://portus.my.domain and access the sslproxy container that will terminate SSL and connect to the portus container.

I’m following the Advanced Load Balancer rules in the Rancher documentation trying to achieve this -> http://docs.rancher.com/rancher/latest/en/cattle/adding-load-balancers/#advanced-load-balancing-l7 but I just can’t. Am I doing something wrong? Is this not the expected behavior when adding the <REQUEST_HOST>?

Thanks

As a temporary fix I’m just letting the sslproxy redirect traffic from registry.my.domain:443 to registry.my.domain:5000, but that’s not what I want. I don’t want to rely on that extra container just to redirect.

Note that I don’t need SSL termination on the registry URL. What I want is to be able to query registry.my.domain as if I were querying registry.my.domain:5000, and my registry has the secure flag turned on, so it needs to be HTTPS.

For every service specified on the load balancer, it is registered for every load balancer listening port.

So for your case, I think you’d need to add in dummy routing rules:

http://docs.rancher.com/rancher/latest/en/cattle/adding-load-balancers/#examples-of-using-multiple-ports-in-advanced-routing-options

Thanks @denise!

My last question will be: is it not possible to use the same ports and just rely on the domain name to do the routing? Like:

ports:
  - 443:443/tcp
labels:
  io.rancher.loadbalancer.target.portus: portus.my.domain:443=443
  io.rancher.loadbalancer.target.registry: registry.my.domain:443=443

Only if you do SSL termination at the balancer so it can extract the HTTP Host header from the decrypted request.

(It is actually possible to do hostname routing for SSL requests without termination by looking at the SNI portion of the TLS handshake, but that is not supported yet. I think that made it into the new refactored balancer for 1.2, @alena?)


@vincent yes, SNI routing will be a part of LB refactor