3. haproxy configuration generation hiccup

haproxy configuration generation hiccup


  • Hi,

    I've been tinkering with haproxy and I like it very much. My system is virtualized (KVM) with two instances and CARP and pfSense 2.4.4-RELEASE-p3. Haproxy version is 0.59_19.
    Please have a look at my attached config. There's this domain ip.domain1.net which should use regex ^ip.domain1.net(:([0-9]){1,5})?$ but instead is uses ^images.domain1.net(:([0-9]){1,5})?$
    I don't know how exactly this is possible. Even if I remove the images.domain1.net backend completely, the regex still says ^images even there is no occurence of images in the WebGUI.
    This might be a bug, right? Is this maybe due to my ha sync?

    global
        maxconn                 10000
        stats socket /tmp/haproxy.socket level admin
        uid                     80
        gid                     80
        nbproc                  1
        hard-stop-after         15m
        chroot                          /tmp/haproxy_chroot
        daemon
        tune.ssl.default-dh-param       2048
        server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
        bind 127.0.0.1:22221 name localstats
        mode http
        stats enable
        stats admin if TRUE
        stats show-legends
        stats uri /haproxy/haproxy_stats.php?haproxystats=1
        timeout client 5000
        timeout connect 5000
        timeout server 5000

frontend shared_frontend-merged
        bind                    2001:fdd0:1:4f::6:80 name 2001:fdd0:1:4f::6:80   ssl crt-list /var/etc/haproxy/shared_frontend.crt_list
        bind                    2001:fdd0:1:4f::6:443 name 2001:fdd0:1:4f::6:443   ssl crt-list /var/etc/haproxy/shared_frontend.crt_list
        bind                    1.23.45.6:80 name 1.23.45.6:80   ssl crt-list /var/etc/haproxy/shared_frontend.crt_list
        bind                    1.23.45.6:443 name 1.23.45.6:443   ssl crt-list /var/etc/haproxy/shared_frontend.crt_list
        mode                    http
        log                     global
        option                  http-keep-alive
        option                  forwardfor
        acl https ssl_fc
        http-request set-header         X-Forwarded-Proto http if !https
        http-request set-header         X-Forwarded-Proto https if https
        timeout client          30000
        acl                     aclcrt_shared_frontend  var(txn.txnhost) -m reg -i ^media\.domain1.net\.net(:([0-9]){1,5})?$
        acl                     acl1_domain4   var(txn.txnhost) -m str -i map.domain4.de
        acl                     aclcrt_map.domain4.de  var(txn.txnhost) -m reg -i ^map\.domain4\.de(:([0-9]){1,5})?$
        acl                     acl1    var(txn.txnhost) -m str -i media.domain1.net
        acl                     aclcrt_media.domain1.net   var(txn.txnhost) -m reg -i ^media\.domain1.net\.net(:([0-9]){1,5})?$
        acl                     acl1    var(txn.txnhost) -m str -i domain5.de
        acl                     aclcrt_domain5.de var(txn.txnhost) -m reg -i ^domain5\.de(:([0-9]){1,5})?$
        acl                     acl1    var(txn.txnhost) -m str -i ah.domain5.de
        acl                     aclcrt_ah.domain5.de      var(txn.txnhost) -m reg -i ^ah\.domain5\.de(:([0-9]){1,5})?$
        acl                     acl1    var(txn.txnhost) -m str -i db.unix.domain2.net
        acl                     aclcrt_db.unix.domain2.net        var(txn.txnhost) -m reg -i ^db\.unix\.domain2\.net(:([0-9]){1,5})?$
        acl                     acl1    var(txn.txnhost) -m str -i git.unix.domain2.net
        acl                     aclcrt_git.unix.domain2.net       var(txn.txnhost) -m reg -i ^git\.unix\.domain2\.net(:([0-9]){1,5})?$
        acl                     acl1    var(txn.txnhost) -m str -i gestioip.domain1.net
        acl                     aclcrt_gestioip.domain1.net        var(txn.txnhost) -m reg -i ^gestioip\.domain1.net\.net(:([0-9]){1,5})?$
        acl                     acl1    var(txn.txnhost) -m str -i domain3.de
        acl                     acl2    var(txn.txnhost) -m str -i www.domain3.de
        acl                     aclcrt_kabeljochen.de   var(txn.txnhost) -m reg -i ^domain3\.de(:([0-9]){1,5})?$
        acl                     aclcrt_kabeljochen.de   var(txn.txnhost) -m reg -i ^www\.domain3\.de(:([0-9]){1,5})?$
        acl                     acl1    var(txn.txnhost) -m str -i gosix.domain1.net
        acl                     aclcrt_gosix.domain1.net   var(txn.txnhost) -m reg -i ^gosix\.domain1.net\.net(:([0-9]){1,5})?$
        acl                     acl1    var(txn.txnhost) -m str -i ideas.domain1.net
        acl                     aclcrt_ideas.domain1.net   var(txn.txnhost) -m reg -i ^ideas\.domain1.net\.net(:([0-9]){1,5})?$
        acl                     acl1    var(txn.txnhost) -m str -i wiki.domain1.net
        acl                     aclcrt_wiki.domain1.net    var(txn.txnhost) -m reg -i ^wiki\.domain1.net\.net(:([0-9]){1,5})?$
        acl                     acl1    var(txn.txnhost) -m str -i riot.domain1.net
        acl                     aclcrt_riot.domain1.net    var(txn.txnhost) -m reg -i ^riot\.domain1.net\.net(:([0-9]){1,5})?$
        acl                     acl1    var(txn.txnhost) -m str -i db.domain1.net
        acl                     aclcrt_db.domain1.net      var(txn.txnhost) -m reg -i ^db\.domain1.net\.net(:([0-9]){1,5})?$
        acl                     acl1    var(txn.txnhost) -m str -i ip.domain1.net
        acl                     aclcrt_ip.domain1.net      var(txn.txnhost) -m reg -i ^images\.domain1.net\.net(:([0-9]){1,5})?$
        http-request set-var(txn.txnhost) hdr(host)
        use_backend srv108_map_domain4_ipvANY  if   aclcrt_map.domain4.de
        use_backend emby.unix.domain2.net_ipvANY  if   aclcrt_media.domain1.net
        use_backend domain5.de_ipvANY  if   aclcrt_domain5.de
        use_backend srv123.unix.domain2.net-ah.domain5.de_ipvANY  if   aclcrt_ah.domain5.de
        use_backend db.unix.domain2.net_ipvANY  if   aclcrt_db.unix.domain2.net
        use_backend git.unix.domain2.net_ipvANY  if   aclcrt_git.unix.domain2.net
        use_backend gestioip_srv119_ipvANY  if   aclcrt_gestioip.domain1.net
        use_backend kabeljochen_srv119_ipvANY  if   aclcrt_kabeljochen.de
        use_backend gosix.domain1.net_srv119_ipvANY  if   aclcrt_gosix.domain1.net
        use_backend ideas.domain1.net_srv119_ipvANY  if   aclcrt_ideas.domain1.net
        use_backend wiki.domain1.net_srv119_ipvANY  if   aclcrt_wiki.domain1.net
        use_backend riot.domain1.net_srv119_ipvANY  if   aclcrt_riot.domain1.net
        use_backend db.unix.domain2.net_ipvANY  if   aclcrt_db.domain1.net
        use_backend ip.domain1.net_srv119_ipvANY  if   aclcrt_ip.domain1.net

frontend http_to_https
        bind                    1.23.45.6:80 name 1.23.45.6:80
        bind                    2001:fdd0:1:4f::6:80 name 2001:fdd0:1:4f::6:80
        mode                    http
        log                     global
        option                  http-keep-alive
        timeout client          30000
        http-request redirect scheme https

backend srv108_map_domain4_ipvANY
        mode                    http
        id                      102
        log                     global
        timeout connect         30000
        timeout server          30000
        retries                 3
        server                  srv108.domain2.net 2001:fdd0:3f:1::6:8123 id 103 check inter 10000

backend emby.unix.domain2.net_ipvANY
        mode                    http
        id                      100
        log                     global
        balance                 leastconn
        timeout connect         30000
        timeout server          30000
        retries                 3
        option                  httpchk OPTIONS /
        server                  emby.unix.domain2.net_0 10.10.101.59:8096 check inter 10000
        server                  emby.unix.domain2.net_1 2009:4444:28d4:1b:d313:1726:1a3b:b596:8096 check inter 10000

backend domain5.de_ipvANY
        mode                    http
        id                      104
        log                     global
        timeout connect         30000
        timeout server          30000
        retries                 3
        server                  srv118.domain2.net 2001:fdd0:3f:6::6:8008 id 105 check inter 10000

backend srv123.unix.domain2.net-ah.domain5.de_ipvANY
        mode                    http
        id                      106
        log                     global
        timeout connect         30000
        timeout server          30000
        retries                 3
        server                  srv123.unix.domain2.net 2001:fdd0:3f:7::5:8080 id 105 check inter 10000
        
backend db.unix.domain2.net_ipvANY
        mode                    http
        id                      107
        log                     global
        timeout connect         30000
        timeout server          30000
        retries                 3
        server                  mariadb.domain2.net 2001:fdd0:3f:5::4:80 id 105 check inter 10000

backend git.unix.domain2.net_ipvANY
        mode                    http
        id                      108
        log                     global
        timeout connect         30000
        timeout server          30000
        retries                 3
        server                  srv104.domain2.net_gogs_0 5.145.135.92:3000 check inter 10000
        server                  srv104.domain2.net_gogs_1 2001:fdd0:3f::4:3000 check inter 10000

backend gestioip_srv119_ipvANY
        mode                    http
        id                      109
        log                     global
        timeout connect         30000
        timeout server          30000
        retries                 3
        server                  srv119_gestioip 2001:fdd0:3f::7:80 id 105 check inter 10000

backend kabeljochen_srv119_ipvANY
        mode                    http
        id                      110
        log                     global
        timeout connect         30000
        timeout server          30000
        retries                 3
        option                  httpchk OPTIONS /
        server                  srv119_kabeljochen 2001:fdd0:3f::8:80 id 105 check inter 10000

backend gosix.domain1.net_srv119_ipvANY
        mode                    http
        id                      111
        log                     global
        timeout connect         30000
        timeout server          30000
        retries                 3
        option                  httpchk OPTIONS /
        server                  srv119_gosix.domain1.net 2001:fdd0:3f::9:80 id 105 check inter 10000
        
backend ideas.domain1.net_srv119_ipvANY
        mode                    http
        id                      112
        log                     global
        timeout connect         30000
        timeout server          30000
        retries                 3
        option                  httpchk OPTIONS /
        server                  srv119_ideas.domain1.net 2001:fdd0:3f::a:80 id 105 check inter 10000

backend wiki.domain1.net_srv119_ipvANY
        mode                    http
        id                      115
        log                     global
        timeout connect         30000
        timeout server          30000
        retries                 3
        server                  srv119_wiki.domain1.net 2001:fdd0:3f::e:80 id 105 check inter 10000

backend riot.domain1.net_srv119_ipvANY
        mode                    http
        id                      116
        log                     global
        timeout connect         30000
        timeout server          30000
        retries                 3
        option                  httpchk OPTIONS /
        server                  srv119_riot.domain1.net 2001:fdd0:3f::f:80 id 105 check inter 10000

backend ip.domain1.net_srv119_ipvANY
        mode                    http
        id                      114
        log                     global
        timeout connect         30000
        timeout server          30000
        retries                 3
        option                  httpchk OPTIONS /
        server                  srv119_ip.domain1.net 2001:fdd0:3f::d:80 id 105 check inter 10000
    0
    P
     1 Reply
  • P

    @pmisch
    Can you check the CN of the certificate chosen in that frontend?

    0 1 Reply

  • @PiBa
    Thank you for your reply. That lead me to another interesting thing.
    In pfSense's WebGUI the right certificate is chosen. I have a look into /var/etc/haproxy/shared_frontend and did:

    openssl x509 -in ip.domain1.net -text -noout

    And baam, the common name is 'images'. The letsencrypt certificate though had a wrong CN configured so that's what this is.

    0
Log in to reply
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2019 Rubicon Communications, LLC | Privacy Policy