HAProxy not working for root domain, but for subdomains only


  • Hi
    I have used HAProxy for some time to host some services locally and SSL offloading in HAProxy.
    I have a wildcard cert from LetsEncrypt to take care of this.
    Recently, I wanted to host my website as well and added another backend and frontend acl rule for the website with and without www
    The website works on http and https from www, but only from http on the root domain. As soon as I want to request the website on the root domain using https, it shows 503 error page from HAProxy

    Here is my generated HAProxy config

    # Automaticaly generated, dont edit manually.
    # Generated on: 2020-08-20 08:34
    global
    	maxconn			1000
    	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
    	uid			80
    	gid			80
    	nbproc			1
    	nbthread			1
    	hard-stop-after		15m
    	chroot				/tmp/haproxy_chroot
    	daemon
    	tune.ssl.default-dh-param	4096
    	server-state-file /tmp/haproxy_server_state
    
    listen HAProxyLocalStats
    	bind 127.0.0.1:2200 name localstats
    	mode http
    	stats enable
    	stats admin if TRUE
    	stats show-legends
    	stats uri /haproxy/haproxy_stats.php?haproxystats=1
    	timeout client 5000
    	timeout connect 5000
    	timeout server 5000
    
    frontend SharedOffload
    	bind			1.1.1.1:443 name 1.1.1.1:443   ssl crt-list /var/etc/haproxy/SharedOffload.crt_list  
    	mode			http
    	log			global
    	option			http-keep-alive
    	option			forwardfor
    	acl https ssl_fc
    	http-request set-header		X-Forwarded-Proto http if !https
    	http-request set-header		X-Forwarded-Proto https if https
    	timeout client		30000
    	acl			website	var(txn.txnhost) -m str -i khansen-it.dk
    	acl			exchangeEWS	var(txn.txnhost) -m str -i exchange.khansen-it.dk
    	acl			exchangeAutodiscover	var(txn.txnhost) -m str -i autodiscover.khansen-it.dk
    	acl			unifi	var(txn.txnhost) -m str -i unifi.khansen-it.dk
    	acl			aptMirror	var(txn.txnhost) -m str -i deb.khansen-it.dk
    	acl			proxmox	var(txn.txnhost) -m str -i vm-srv01.khansen-it.dk
    	acl			aptMirror	var(txn.txnhost) -m str -i mirrors.khansen-it.dk
    	acl			mailborder	var(txn.txnhost) -m str -i mailborder01.khansen-it.dk
    	acl			zabbix	var(txn.txnhost) -m str -i zabbix.khansen-it.dk
    	acl			behemoth	var(txn.txnhost) -m str -i behemoth.khansen-it.dk
    	acl			zentyal	var(txn.txnhost) -m str -i mail.khansen-it.dk
    	acl			www-website	var(txn.txnhost) -m str -i www.khansen-it.dk
    	acl			aclcrt_SharedOffload	var(txn.txnhost) -m reg -i ^([^\.]*)\.khansen-it\.dk(:([0-9]){1,5})?$
    	http-request set-var(txn.txnhost) hdr(host)
    	use_backend app01_ipvANY  if  website aclcrt_SharedOffload
    	use_backend exchange_ipvANY  if  exchangeEWS aclcrt_SharedOffload
    	use_backend zentyal_ipvANY  if  exchangeAutodiscover aclcrt_SharedOffload
    	use_backend unifi_ipvANY  if  unifi aclcrt_SharedOffload
    	use_backend apt-mirror-tls_ipvANY  if  aptMirror aclcrt_SharedOffload
    	use_backend proxmox_ipvANY  if  proxmox aclcrt_SharedOffload
    	use_backend mailborder_ipvANY  if  mailborder aclcrt_SharedOffload
    	use_backend zabbix_ipvANY  if  zabbix aclcrt_SharedOffload
    	use_backend behemoth-pve_ipvANY  if  behemoth aclcrt_SharedOffload
    	use_backend zentyal_ipvANY  if  zentyal aclcrt_SharedOffload
    	use_backend app01_ipvANY  if  www-website aclcrt_SharedOffload
    
    frontend SharedHTTP
    	bind			1.1.1.1:80 name 1.1.1.1:80   
    	mode			http
    	log			global
    	option			http-keep-alive
    	timeout client		30000
    	acl			website	var(txn.txnhost) -m str -i khansen-it.dk
    	acl			exchangeEWS	var(txn.txnhost) -m str -i exchange.khansen-it.dk
    	acl			exchangeAutodiscover	var(txn.txnhost) -m str -i autodiscover.khansen-it.dk
    	acl			proxmox	var(txn.txnhost) -m str -i vm-srv01.khansen-it.dk
    	acl			aptMirror	var(txn.txnhost) -m str -i deb.khansen-it.dk
    	acl			aptMirror	var(txn.txnhost) -m str -i mirrors.khansen-it.dk
    	acl			sql1	var(txn.txnhost) -m str -i sql1.khansen-it.dk
    	acl			zentyal	var(txn.txnhost) -m str -i mail.khansen-it.dk
    	acl			mailguardian-acme	var(txn.txnhost) -m str -i mailguardian.khansen-it.dk
    	acl			www-website	var(txn.txnhost) -m str -i www.khansen-it.dk
    	http-request set-var(txn.txnhost) hdr(host)
    	use_backend app01_ipvANY  if  website 
    	use_backend exchange-acme_ipvANY  if  exchangeEWS 
    	use_backend zentyal_ipvANY  if  exchangeAutodiscover 
    	use_backend proxmox-acme_ipvANY  if  proxmox 
    	use_backend apt-mirror_ipvANY  if  aptMirror 
    	use_backend sql1-acme_ipvANY  if  sql1 
    	use_backend zentyal_ipvANY  if  zentyal 
    	use_backend mailguardian-acme_ipvANY  if  mailguardian-acme 
    	use_backend app01_ipvANY  if  www-website 
    
    backend app01_ipvANY
    	mode			http
    	id			125
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			app01 172.16.240.128:80 id 126  
    
    backend exchange_ipvANY
    	mode			http
    	id			100
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			exchange 172.16.240.4:443 id 101 ssl  verify none crt /var/etc/haproxy/server_clientcert_5e8f8a187170e.pem 
    
    backend zentyal_ipvANY
    	mode			http
    	id			120
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			zentyal 172.16.240.121:443 id 121 ssl  verify none 
    
    backend unifi_ipvANY
    	mode			http
    	id			102
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			unifi 172.16.240.10:8443 id 103 ssl  verify none crt /var/etc/haproxy/server_clientcert_5e8f8a187170e.pem 
    
    backend apt-mirror-tls_ipvANY
    	mode			http
    	id			124
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			behemoth 172.16.240.252:443 id 105 ssl  verify none crt /var/etc/haproxy/server_clientcert_5e8f8a187170e.pem 
    
    backend proxmox_ipvANY
    	mode			http
    	id			106
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			proxmox 172.16.240.254:8006 id 107 ssl  verify none crt /var/etc/haproxy/server_clientcert_5e8f8a187170e.pem 
    
    backend mailborder_ipvANY
    	mode			http
    	id			112
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			mailborder01 172.16.240.117:80 id 113  
    
    backend zabbix_ipvANY
    	mode			http
    	id			114
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			zabbix 172.16.240.9:80 id 115  
    
    backend behemoth-pve_ipvANY
    	mode			http
    	id			116
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			proxmox 172.16.240.252:8006 id 107 ssl  verify none crt /var/etc/haproxy/server_clientcert_5e8f8a187170e.pem 
    
    backend exchange-acme_ipvANY
    	mode			http
    	id			110
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			exchange-acme 172.16.240.4:80 id 111  
    
    backend proxmox-acme_ipvANY
    	mode			http
    	id			108
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			proxmox-acme 172.16.240.254:80 id 109  
    
    backend apt-mirror_ipvANY
    	mode			http
    	id			104
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			behemoth 172.16.240.252:8080 id 105  
    
    backend sql1-acme_ipvANY
    	mode			http
    	id			117
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			sql1-acme 172.16.240.107:80 id 109  
    
    backend mailguardian-acme_ipvANY
    	mode			http
    	id			122
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	server			mailguardian 172.16.240.105:80 id 123
    

    Can anyone see from the config, what is wrong?
    Please note that I have replaced my public IP with 1.1.1.1


  • @Kenneth_H
    The "aclcrt_SharedOffload" seems to require a subdomain specified..
    Have you checked both boxes for the automatic SNI / and SNI-Alternative-name checks.? Or perhaps just remove both those check-boxes that l probably work..