Netgate Discussion Forum
    Can't set SNI frontend HAProxy

Category: Cache/Proxy
magickarle:

On a frontend of type TCP, I need to set an ACL based on the expression "SNI extension matches".

But when I first try to add a new ACL, the only expressions I can choose are:
Source IP matches IP or alias
Minimum count usable servers
Traffic is http (no value needed)
Traffic is ssl (no value needed)
Custom ACL.

So I did a test:
Chose in Expression: Traffic is ssl (no value needed)
Save - Apply. No problem. (I can query the host and I get the site.)

Edit the frontend:
Edit ACL:
Now "Server name indication TLS extension matches" is there.
Chose it, Save, Apply. Error:

      Errors found while starting haproxy
      [NOTICE] (87012) : haproxy version is 2.8.3-86e043a
      [NOTICE] (87012) : path to executable is /usr/local/sbin/haproxy
      [ALERT] (87012) : config : parsing [/var/etc/haproxy_test/haproxy.cfg:31] : error detected while parsing switching rule : no such ACL : 'ubuntuapsportainer'.
      [ALERT] (87012) : config : Error(s) found in configuration file : /var/etc/haproxy_test/haproxy.cfg
      [ALERT] (87012) : config : Fatal errors found in configuration.

      logs:
      Nov 30 10:18:39 php-fpm 397 haproxy: check error output: [NOTICE] (87012) : haproxy version is 2.8.3-86e043a [NOTICE] (87012) : path to executable is /usr/local/sbin/haproxy [ALERT] (87012) : config : parsing [/var/etc/haproxy_test/haproxy.cfg:31] : error detected while parsing switching rule : no such ACL : 'ubuntuapsportainer'. [ALERT] (87012) : config : Error(s) found in configuration file : /var/etc/haproxy_test/haproxy.cfg [ALERT] (87012) : config : Fatal errors found in configuration.
      Nov 30 10:19:00 php-fpm 398 /status_services.php: The command '/usr/local/etc/rc.d/haproxy.sh stop' returned exit code '1', the output was 'Stopping haproxy. Waiting for PIDS: 93495. Stopping haproxy. No matching processes were found'
      Nov 30 10:19:00 php-cgi 4271 haproxy: starting old pid:93495
      Nov 30 10:19:00 php-cgi 4271 haproxy: started new pid:93495
      Nov 30 10:19:00 php-cgi 4271 haproxy: startup error output!: [NOTICE] (5616) : haproxy version is 2.8.3-86e043a[NOTICE] (5616) : path to executable is /usr/local/sbin/haproxy[ALERT] (5616) : config : parsing [/var/etc/haproxy/haproxy.cfg:31] : error detected while parsing switching rule : no such ACL : 'ubuntuapsportainer'.[ALERT] (5616) : config : Error(s) found in configuration file : /var/etc/haproxy/haproxy.cfg[ALERT] (5616) : config : Fatal errors found in configuration.
      Nov 30 10:19:05 php-fpm 397 haproxy: check error output: [NOTICE] (24782) : haproxy version is 2.8.3-86e043a [NOTICE] (24782) : path to executable is /usr/local/sbin/haproxy [ALERT] (24782) : config : parsing [/var/etc/haproxy_test/haproxy.cfg:31] : error detected while parsing switching rule : no such ACL : 'ubuntuapsportainer'. [ALERT] (24782) : config : Error(s) found in configuration file : /var/etc/haproxy_test/haproxy.cfg [ALERT] (24782) : config : Fatal errors found in configuration.

      haproxy 0.63_2

      Name pfSense.home
      System QEMU Guest
      BIOS Vendor: Proxmox distribution of EDK II
      Version: 4.2023.08-4
      Release Date: Thu Feb 15 2024
      Version 2.7.2-RELEASE (amd64)
      built on Mon Mar 4 14:53:00 EST 2024
      FreeBSD 14.0-CURRENT

      The system is on the latest version.
      Version information updated at Sat Nov 30 9:02:21 EST 2024
      CPU Type Common KVM processor
      10 CPUs: 1 package(s) x 10 core(s)
      AES-NI CPU Crypto: No
      QAT Crypto: No

magickarle:

        bump

viragomann @magickarle:

          @magickarle
If you want HAProxy to check SNI, select the type "SSL / https (TCP mode)" in the frontend.

magickarle @viragomann:

@viragomann What if I don't want to offload SSL?

viragomann @magickarle:

              @magickarle
              Then don't check "SSL Offloading" in the listener section.

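For readers who want to see what the two answers above amount to in the generated haproxy.cfg, here is a hand-written HAProxy configuration. It is an added example, not text from the thread and not the output of the pfSense haproxy package; hostnames, backend names and addresses are placeholders. It shows a TCP-mode frontend that waits for the TLS ClientHello, reads the SNI from it and switches backends without terminating TLS, which is what "SSL / https (TCP mode)" with "SSL Offloading" left unchecked produces. The startup error in the first post ("parsing switching rule : no such ACL") is HAProxy rejecting a `use_backend ... if <name>` line whose `acl <name> ...` line was never emitted, which is why the ACL must be of a type the frontend actually supports.

```haproxy
# Added example, not from the thread or the pfSense package.
# All names and addresses below are assumed placeholders.

frontend https_sni_passthrough
    bind 192.0.2.1:443
    mode tcp
    option tcplog

    # Hold the connection (up to 5s) until the TLS ClientHello has arrived.
    # Without this, req.ssl_sni is evaluated on an empty buffer and the
    # SNI ACLs never match, so every client falls into default_backend.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    # SNI is read from the cleartext ClientHello, so no certificate or key
    # is configured here and the TLS session is not terminated on the proxy.
    acl sni_portainer req.ssl_sni -i portainer.home
    acl sni_other     req.ssl_sni -i other.home

    # Each switching rule references an ACL that is defined above; a rule
    # naming an ACL that does not exist is a fatal config error at startup.
    use_backend be_portainer if sni_portainer
    use_backend be_other     if sni_other
    default_backend be_other

backend be_portainer
    mode tcp
    # Plain TCP to the origin; the origin terminates TLS with its own cert.
    server portainer 192.0.2.10:9443 check

backend be_other
    mode tcp
    server other 192.0.2.11:443 check
```

To validate a config before applying it, run `haproxy -c -f /path/to/haproxy.cfg`; this is the same check the pfSense package runs against /var/etc/haproxy_test/haproxy.cfg, and it reports the failing line number as in the error output above. Two caveats: `check` on these backends is only a TCP connect check, not a TLS or HTTP health check, and because TLS is passed through, HAProxy cannot add headers such as X-Forwarded-For, so the origin sees the proxy's address unless the PROXY protocol is enabled on both sides.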
magickarle @viragomann:

Ahh, my trouble is with one specific server. This worked with the other ones. Thanks!

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.