HAproxy (type = tcp)
-
Hi,
I've been a noob with Haproxy for 3-4 days...
It works well with ACME and domains with certificates for my Nextcloud.
but...
I want to redirect a port to my server with Haproxy (port 25565 for Minecraft, without certificate).
If I put Type = TCP (instead of HTTP/HTTPS (offloading)), I have only a few choices in the Access Control List's expression. I can't choose "Host matches".
The workaround I found is to choose "Minimum count usable servers:" with value 1. The problem is that it works for domain1.com:25565 AND domain2.com:25565 ... If I modify my ACL "AccessMC", I have the option "Host matches"! I can save, but when I "apply" changes, I have an error:
Errors found while starting haproxy [NOTICE] 224/232504 (43202) : haproxy version is 2.2.29-c5b927c [ALERT] 224/232504 (43202) : parsing [/var/etc/haproxy_test/haproxy.cfg:33] : error detected while parsing switching rule : no such ACL : 'AccessMC'. [ALERT] 224/232504 (43202) : Error(s) found in configuration file : /var/etc/haproxy_test/haproxy.cfg [ALERT] 224/232504 (43202) : Fatal errors found in configuration.
Am I missing something, or is it a bug?
(I have Pfsense Plus 23.05.1-RELEASE (amd64) )
-
@PepperDeb said in HAproxy (type = tcp):
If I put Type = TCP (instead of HTTP/HTTPS (offloading)), I have only a few choices in the Access Control List's expression. I can't choose "Host matches".
That's expected, since the host header is part of the HTTP protocol (layer 7). In TCP mode (layer 4) HAproxy cannot see a host header to get the name. So the ACL criteria are limited to those which are available at layer 4.
The problem is that it works for domain1.com:25565 AND domain2.com:25565 ...
I don't know the Minecraft protocol, but if it's not HTTP based, there might not be a host name included that HAproxy is able to read out.
So the client just resolves the stated host name to an IP, and this might be the same for both of your public names. What's even the reason for passing Minecraft over HAproxy?
-
@viragomann said in HAproxy (type = tcp):
@PepperDeb said in HAproxy (type = tcp):
If I put Type = TCP (instead of HTTP/HTTPS (offloading)), I have only a few choices in the Access Control List's expression. I can't choose "Host matches".
That's expected, since the host header is part of the HTTP protocol (layer 7). In TCP mode (layer 4) HAproxy cannot see a host header to get the name. So the ACL criteria are limited to those which are available at layer 4.
Thanks for the explanation.
The problem is that it works for domain1.com:25565 AND domain2.com:25565 ...
I don't know the Minecraft protocol, but if it's not HTTP based, there might not be a host name included that HAproxy is able to read out.
So the client just resolves the stated host name to an IP, and this might be the same for both of your public names. What's even the reason for passing Minecraft over HAproxy?
I don't want to have the port open and available for both domains. I understand that this is impossible with TCP mode, layer 4. I'll do it with NAT.
Thanks,
-
@PepperDeb said in HAproxy (type = tcp):
I don't want to have the port open and available for both domains.
That's a wrong point of view. You open the port just on an IP, not on domains. Ports are part of the IP protocol, and a single port - IP combination can be used for a single service to listen on.
Domains can be resolved to IP addresses by DNS so that the IP protocol can use them, and there is no limit on the number of domains you can point to a single IP.
It's just the HTTP protocol that can determine the domain name by the host header, but this happens on layer 7 within the service itself (which is listening on an IP - port combination).
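To make the layer-4 / layer-7 distinction from the answers above concrete, here is an added example of a hand-written haproxy.cfg (not from the thread and not the config the pfSense package generates). The Minecraft frontend is `mode tcp`, so its ACLs can only test connection-level facts such as `src`, `dst_port` or `nbsrv` (the latter roughly corresponds to the "Minimum count usable servers" expression), while the `hdr(host)` ACL behind "Host matches" only has meaning in a `mode http` frontend. Backend names, server IPs and the LAN range are assumptions.

```haproxy
# Layer 4: a plain TCP frontend for Minecraft (no TLS, no host name visible).
# Only connection-level facts can be tested here: source/destination IP and port.
frontend mc_tcp
    mode tcp
    bind *:25565
    # Example layer-4 ACLs (assumed values): restrict to a LAN range, or
    # route only when at least one backend server is up.
    acl from_lan src 192.168.1.0/24
    acl mc_up    nbsrv(mc_servers) ge 1
    tcp-request connection reject if !from_lan
    use_backend mc_servers if mc_up
    # An "acl by_host hdr(host) -i domain1.com" line here could never match:
    # there is no HTTP request, hence no Host header, in a raw TCP stream,
    # so domain1.com:25565 and domain2.com:25565 are indistinguishable.

backend mc_servers
    mode tcp
    server mc1 10.0.0.10:25565 check

# Layer 7: the HTTP frontend is where "Host matches" works, because HAProxy
# parses the request and can read the Host header before choosing a backend.
frontend web_http
    mode http
    bind *:80
    acl host_cloud hdr(host) -i domain1.com
    use_backend nextcloud if host_cloud
    default_backend nextcloud

backend nextcloud
    mode http
    server nc1 10.0.0.20:80 check
```

Running `haproxy -c -f haproxy.cfg` validates a config like this before it is applied, which is the same check that produced the "no such ACL" error in the first post.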