[SOLVED] HAProxy Deleting ACL on modify - Bug or am I missing something?
-
@coatmaker618
'ssl/https' is also a TCP kinda frontend, when looking from haproxy.cfg config perspective, so the host header cannot be inspected there..1- why not use type 'HTTP'? Seems to me it fits the http traffic requirement nicely ;).
2- For SSL its impossible to see the host-header as that header is part of the HTTP-protocol-level-traffic which is encrypted, meaning you cannot read it unless you decrypt it, which needs the certificates and negotiated keys there. You can usually use SNI to point traffic for different domain-names to different servers though..
-
@PiBa the part that concerned me about type "HTTP" is that it's listed as "HTTP/HTTPS (offloading" and it's that offloading that I'm concerned about. If that's misguided I will happily change it.
When you say "For SSL its impossible to see the host-header as that header is part of the HTTP-protocol-level-traffic which is encrypted, meaning you cannot read it unless you decrypt it"
Ok then maybe Host-Header isn't the right requirement if that requires decryption? I may well be saying the wrong things as I'm mostly clueless >_> But surely the internet somehow knows to route HTTPS traffic so there must be some way I can forward/route/direct/whatever HTTPS request based on the subdomain in the requested URL without HAProxy needing to have the cert.
-
I understood your first frontend listens on :80 ? If so type 'HTTP/HTTP(offloading)' would be the correct choice.
For your second frontend on :443, you can use 'SNI' meaning use the acl choice for "Server Name Indication".
-
@PiBa said in HAProxy Deleting ACL on modify - Bug or am I missing something?:
I understood your first frontend listens on :80 ? If so type 'HTTP/HTTP(offloading)' would be the correct choice.
BAM! Nailed it (for HTTP)! I need to add a 2nd server to be 100% sure but this seems to work perfectly right now :) Thank you :)
@PiBa said in HAProxy Deleting ACL on modify - Bug or am I missing something?:
For your second frontend on :443, you can use 'SNI' meaning use the acl choice for "Server Name Indication".
As for HTTPS, not so much. First question, should that be set to offloading too or keep it at https?Second Question (assuming https NOT offloading for 1st question): The only SNI options I see are "SNI TLS extension". If I go for matched/contains how much of a full URL does that include?
-
@coatmaker618
The SNI TLS extension only contains the hostname, and sometimes the port.. so 'www.domain.tld' or 'www.domain.tld:443' could be send in there depending on the client and actual port used.. -
@PiBa that was my guess, but that's strange. Because typing in the FQDN (https://subdomain.mydomain.com) takes me to an apache landing page (which is correct, though admittedly not unique). But typing in (https://subdomain.mydomain.com/folder) seems to hang.....
update: Chrome reports "ERR_EMPTY_RESPONSE"
-
@coatmaker618
Hmm thats a bit strange.. can you check in chrome developer network window the network-requests and check the 'preserve log' checkbox..
I wonder if perhaps its sending a redirect for your folder request to some unexpected (direct) location.?. -
This post is deleted! -
@PiBa I PMed you. Check that & we'll go from there.
-
It's working!! Everything above was enough to get HAProxy working. The rest was issues with the services (moving around on the network was part of the issue, but not all of it).
@PiBa THANK YOU!!!!
-
Now, final order of business, is there a "mark as solved" button or do I just rename the topic to include the word solved?
-
@coatmaker618
Indeed just rename the topic. There is no 'solved' button.