haproxy configuration generation hiccup
-
Hi,
I've been tinkering with haproxy and I like it very much. My system is virtualized (KVM) with two instances and CARP and pfSense 2.4.4-RELEASE-p3. Haproxy version is 0.59_19.
Please have a look at my attached config. There's this domain ip.domain1.net which should use regex ^ip.domain1.net(:([0-9]){1,5})?$ but instead is uses ^images.domain1.net(:([0-9]){1,5})?$
I don't know how exactly this is possible. Even if I remove the images.domain1.net backend completely, the regex still says ^images even there is no occurence of images in the WebGUI.
This might be a bug, right? Is this maybe due to my ha sync?global maxconn 10000 stats socket /tmp/haproxy.socket level admin uid 80 gid 80 nbproc 1 hard-stop-after 15m chroot /tmp/haproxy_chroot daemon tune.ssl.default-dh-param 2048 server-state-file /tmp/haproxy_server_state listen HAProxyLocalStats bind 127.0.0.1:22221 name localstats mode http stats enable stats admin if TRUE stats show-legends stats uri /haproxy/haproxy_stats.php?haproxystats=1 timeout client 5000 timeout connect 5000 timeout server 5000 frontend shared_frontend-merged bind 2001:fdd0:1:4f::6:80 name 2001:fdd0:1:4f::6:80 ssl crt-list /var/etc/haproxy/shared_frontend.crt_list bind 2001:fdd0:1:4f::6:443 name 2001:fdd0:1:4f::6:443 ssl crt-list /var/etc/haproxy/shared_frontend.crt_list bind 1.23.45.6:80 name 1.23.45.6:80 ssl crt-list /var/etc/haproxy/shared_frontend.crt_list bind 1.23.45.6:443 name 1.23.45.6:443 ssl crt-list /var/etc/haproxy/shared_frontend.crt_list mode http log global option http-keep-alive option forwardfor acl https ssl_fc http-request set-header X-Forwarded-Proto http if !https http-request set-header X-Forwarded-Proto https if https timeout client 30000 acl aclcrt_shared_frontend var(txn.txnhost) -m reg -i ^media\.domain1.net\.net(:([0-9]){1,5})?$ acl acl1_domain4 var(txn.txnhost) -m str -i map.domain4.de acl aclcrt_map.domain4.de var(txn.txnhost) -m reg -i ^map\.domain4\.de(:([0-9]){1,5})?$ acl acl1 var(txn.txnhost) -m str -i media.domain1.net acl aclcrt_media.domain1.net var(txn.txnhost) -m reg -i ^media\.domain1.net\.net(:([0-9]){1,5})?$ acl acl1 var(txn.txnhost) -m str -i domain5.de acl aclcrt_domain5.de var(txn.txnhost) -m reg -i ^domain5\.de(:([0-9]){1,5})?$ acl acl1 var(txn.txnhost) -m str -i ah.domain5.de acl aclcrt_ah.domain5.de var(txn.txnhost) -m reg -i ^ah\.domain5\.de(:([0-9]){1,5})?$ acl acl1 var(txn.txnhost) -m str -i db.unix.domain2.net acl aclcrt_db.unix.domain2.net var(txn.txnhost) -m reg -i ^db\.unix\.domain2\.net(:([0-9]){1,5})?$ acl acl1 var(txn.txnhost) -m str -i git.unix.domain2.net acl aclcrt_git.unix.domain2.net var(txn.txnhost) -m reg -i ^git\.unix\.domain2\.net(:([0-9]){1,5})?$ acl acl1 var(txn.txnhost) -m str -i gestioip.domain1.net acl aclcrt_gestioip.domain1.net var(txn.txnhost) -m reg -i ^gestioip\.domain1.net\.net(:([0-9]){1,5})?$ acl acl1 var(txn.txnhost) -m str -i domain3.de acl acl2 var(txn.txnhost) -m str -i www.domain3.de acl aclcrt_kabeljochen.de var(txn.txnhost) -m reg -i ^domain3\.de(:([0-9]){1,5})?$ acl aclcrt_kabeljochen.de var(txn.txnhost) -m reg -i ^www\.domain3\.de(:([0-9]){1,5})?$ acl acl1 var(txn.txnhost) -m str -i gosix.domain1.net acl aclcrt_gosix.domain1.net var(txn.txnhost) -m reg -i ^gosix\.domain1.net\.net(:([0-9]){1,5})?$ acl acl1 var(txn.txnhost) -m str -i ideas.domain1.net acl aclcrt_ideas.domain1.net var(txn.txnhost) -m reg -i ^ideas\.domain1.net\.net(:([0-9]){1,5})?$ acl acl1 var(txn.txnhost) -m str -i wiki.domain1.net acl aclcrt_wiki.domain1.net var(txn.txnhost) -m reg -i ^wiki\.domain1.net\.net(:([0-9]){1,5})?$ acl acl1 var(txn.txnhost) -m str -i riot.domain1.net acl aclcrt_riot.domain1.net var(txn.txnhost) -m reg -i ^riot\.domain1.net\.net(:([0-9]){1,5})?$ acl acl1 var(txn.txnhost) -m str -i db.domain1.net acl aclcrt_db.domain1.net var(txn.txnhost) -m reg -i ^db\.domain1.net\.net(:([0-9]){1,5})?$ acl acl1 var(txn.txnhost) -m str -i ip.domain1.net acl aclcrt_ip.domain1.net var(txn.txnhost) -m reg -i ^images\.domain1.net\.net(:([0-9]){1,5})?$ http-request set-var(txn.txnhost) hdr(host) use_backend srv108_map_domain4_ipvANY if aclcrt_map.domain4.de use_backend emby.unix.domain2.net_ipvANY if aclcrt_media.domain1.net use_backend domain5.de_ipvANY if aclcrt_domain5.de use_backend srv123.unix.domain2.net-ah.domain5.de_ipvANY if aclcrt_ah.domain5.de use_backend db.unix.domain2.net_ipvANY if aclcrt_db.unix.domain2.net use_backend git.unix.domain2.net_ipvANY if aclcrt_git.unix.domain2.net use_backend gestioip_srv119_ipvANY if aclcrt_gestioip.domain1.net use_backend kabeljochen_srv119_ipvANY if aclcrt_kabeljochen.de use_backend gosix.domain1.net_srv119_ipvANY if aclcrt_gosix.domain1.net use_backend ideas.domain1.net_srv119_ipvANY if aclcrt_ideas.domain1.net use_backend wiki.domain1.net_srv119_ipvANY if aclcrt_wiki.domain1.net use_backend riot.domain1.net_srv119_ipvANY if aclcrt_riot.domain1.net use_backend db.unix.domain2.net_ipvANY if aclcrt_db.domain1.net use_backend ip.domain1.net_srv119_ipvANY if aclcrt_ip.domain1.net frontend http_to_https bind 1.23.45.6:80 name 1.23.45.6:80 bind 2001:fdd0:1:4f::6:80 name 2001:fdd0:1:4f::6:80 mode http log global option http-keep-alive timeout client 30000 http-request redirect scheme https backend srv108_map_domain4_ipvANY mode http id 102 log global timeout connect 30000 timeout server 30000 retries 3 server srv108.domain2.net 2001:fdd0:3f:1::6:8123 id 103 check inter 10000 backend emby.unix.domain2.net_ipvANY mode http id 100 log global balance leastconn timeout connect 30000 timeout server 30000 retries 3 option httpchk OPTIONS / server emby.unix.domain2.net_0 10.10.101.59:8096 check inter 10000 server emby.unix.domain2.net_1 2009:4444:28d4:1b:d313:1726:1a3b:b596:8096 check inter 10000 backend domain5.de_ipvANY mode http id 104 log global timeout connect 30000 timeout server 30000 retries 3 server srv118.domain2.net 2001:fdd0:3f:6::6:8008 id 105 check inter 10000 backend srv123.unix.domain2.net-ah.domain5.de_ipvANY mode http id 106 log global timeout connect 30000 timeout server 30000 retries 3 server srv123.unix.domain2.net 2001:fdd0:3f:7::5:8080 id 105 check inter 10000 backend db.unix.domain2.net_ipvANY mode http id 107 log global timeout connect 30000 timeout server 30000 retries 3 server mariadb.domain2.net 2001:fdd0:3f:5::4:80 id 105 check inter 10000 backend git.unix.domain2.net_ipvANY mode http id 108 log global timeout connect 30000 timeout server 30000 retries 3 server srv104.domain2.net_gogs_0 5.145.135.92:3000 check inter 10000 server srv104.domain2.net_gogs_1 2001:fdd0:3f::4:3000 check inter 10000 backend gestioip_srv119_ipvANY mode http id 109 log global timeout connect 30000 timeout server 30000 retries 3 server srv119_gestioip 2001:fdd0:3f::7:80 id 105 check inter 10000 backend kabeljochen_srv119_ipvANY mode http id 110 log global timeout connect 30000 timeout server 30000 retries 3 option httpchk OPTIONS / server srv119_kabeljochen 2001:fdd0:3f::8:80 id 105 check inter 10000 backend gosix.domain1.net_srv119_ipvANY mode http id 111 log global timeout connect 30000 timeout server 30000 retries 3 option httpchk OPTIONS / server srv119_gosix.domain1.net 2001:fdd0:3f::9:80 id 105 check inter 10000 backend ideas.domain1.net_srv119_ipvANY mode http id 112 log global timeout connect 30000 timeout server 30000 retries 3 option httpchk OPTIONS / server srv119_ideas.domain1.net 2001:fdd0:3f::a:80 id 105 check inter 10000 backend wiki.domain1.net_srv119_ipvANY mode http id 115 log global timeout connect 30000 timeout server 30000 retries 3 server srv119_wiki.domain1.net 2001:fdd0:3f::e:80 id 105 check inter 10000 backend riot.domain1.net_srv119_ipvANY mode http id 116 log global timeout connect 30000 timeout server 30000 retries 3 option httpchk OPTIONS / server srv119_riot.domain1.net 2001:fdd0:3f::f:80 id 105 check inter 10000 backend ip.domain1.net_srv119_ipvANY mode http id 114 log global timeout connect 30000 timeout server 30000 retries 3 option httpchk OPTIONS / server srv119_ip.domain1.net 2001:fdd0:3f::d:80 id 105 check inter 10000 -
@pmisch
Can you check the CN of the certificate chosen in that frontend? -
@PiBa
Thank you for your reply. That lead me to another interesting thing.
In pfSense's WebGUI the right certificate is chosen. I have a look into /var/etc/haproxy/shared_frontend and did:openssl x509 -in ip.domain1.net -text -nooutAnd baam, the common name is 'images'. The letsencrypt certificate though had a wrong CN configured so that's what this is.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.