HAProxy not working for root domain, but for subdomains only
-
Hi
I have used HAProxy for some time to host some services locally, with SSL offloading done in HAProxy.
I have a wildcard cert from Let's Encrypt to take care of this.
Recently, I wanted to host my website as well and added another backend and frontend ACL rule for the website, with and without www.
The website works on http and https from www, but only on http on the root domain. As soon as I request the website on the root domain using https, it shows the 503 error page from HAProxy. Here is my generated HAProxy config:
# Automaticaly generated, dont edit manually.
# Generated on: 2020-08-20 08:34
global
    maxconn 1000
    stats socket /tmp/haproxy.socket level admin expose-fd listeners
    uid 80
    gid 80
    nbproc 1
    nbthread 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 4096
    server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend SharedOffload
    bind 1.1.1.1:443 name 1.1.1.1:443 ssl crt-list /var/etc/haproxy/SharedOffload.crt_list
    mode http
    log global
    option http-keep-alive
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000
    acl website var(txn.txnhost) -m str -i khansen-it.dk
    acl exchangeEWS var(txn.txnhost) -m str -i exchange.khansen-it.dk
    acl exchangeAutodiscover var(txn.txnhost) -m str -i autodiscover.khansen-it.dk
    acl unifi var(txn.txnhost) -m str -i unifi.khansen-it.dk
    acl aptMirror var(txn.txnhost) -m str -i deb.khansen-it.dk
    acl proxmox var(txn.txnhost) -m str -i vm-srv01.khansen-it.dk
    acl aptMirror var(txn.txnhost) -m str -i mirrors.khansen-it.dk
    acl mailborder var(txn.txnhost) -m str -i mailborder01.khansen-it.dk
    acl zabbix var(txn.txnhost) -m str -i zabbix.khansen-it.dk
    acl behemoth var(txn.txnhost) -m str -i behemoth.khansen-it.dk
    acl zentyal var(txn.txnhost) -m str -i mail.khansen-it.dk
    acl www-website var(txn.txnhost) -m str -i www.khansen-it.dk
    acl aclcrt_SharedOffload var(txn.txnhost) -m reg -i ^([^\.]*)\.khansen-it\.dk(:([0-9]){1,5})?$
    http-request set-var(txn.txnhost) hdr(host)
    use_backend app01_ipvANY if website aclcrt_SharedOffload
    use_backend exchange_ipvANY if exchangeEWS aclcrt_SharedOffload
    use_backend zentyal_ipvANY if exchangeAutodiscover aclcrt_SharedOffload
    use_backend unifi_ipvANY if unifi aclcrt_SharedOffload
    use_backend apt-mirror-tls_ipvANY if aptMirror aclcrt_SharedOffload
    use_backend proxmox_ipvANY if proxmox aclcrt_SharedOffload
    use_backend mailborder_ipvANY if mailborder aclcrt_SharedOffload
    use_backend zabbix_ipvANY if zabbix aclcrt_SharedOffload
    use_backend behemoth-pve_ipvANY if behemoth aclcrt_SharedOffload
    use_backend zentyal_ipvANY if zentyal aclcrt_SharedOffload
    use_backend app01_ipvANY if www-website aclcrt_SharedOffload

frontend SharedHTTP
    bind 1.1.1.1:80 name 1.1.1.1:80
    mode http
    log global
    option http-keep-alive
    timeout client 30000
    acl website var(txn.txnhost) -m str -i khansen-it.dk
    acl exchangeEWS var(txn.txnhost) -m str -i exchange.khansen-it.dk
    acl exchangeAutodiscover var(txn.txnhost) -m str -i autodiscover.khansen-it.dk
    acl proxmox var(txn.txnhost) -m str -i vm-srv01.khansen-it.dk
    acl aptMirror var(txn.txnhost) -m str -i deb.khansen-it.dk
    acl aptMirror var(txn.txnhost) -m str -i mirrors.khansen-it.dk
    acl sql1 var(txn.txnhost) -m str -i sql1.khansen-it.dk
    acl zentyal var(txn.txnhost) -m str -i mail.khansen-it.dk
    acl mailguardian-acme var(txn.txnhost) -m str -i mailguardian.khansen-it.dk
    acl www-website var(txn.txnhost) -m str -i www.khansen-it.dk
    http-request set-var(txn.txnhost) hdr(host)
    use_backend app01_ipvANY if website
    use_backend exchange-acme_ipvANY if exchangeEWS
    use_backend zentyal_ipvANY if exchangeAutodiscover
    use_backend proxmox-acme_ipvANY if proxmox
    use_backend apt-mirror_ipvANY if aptMirror
    use_backend sql1-acme_ipvANY if sql1
    use_backend zentyal_ipvANY if zentyal
    use_backend mailguardian-acme_ipvANY if mailguardian-acme
    use_backend app01_ipvANY if www-website

backend app01_ipvANY
    mode http
    id 125
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server app01 172.16.240.128:80 id 126

backend exchange_ipvANY
    mode http
    id 100
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server exchange 172.16.240.4:443 id 101 ssl verify none crt /var/etc/haproxy/server_clientcert_5e8f8a187170e.pem

backend zentyal_ipvANY
    mode http
    id 120
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server zentyal 172.16.240.121:443 id 121 ssl verify none

backend unifi_ipvANY
    mode http
    id 102
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server unifi 172.16.240.10:8443 id 103 ssl verify none crt /var/etc/haproxy/server_clientcert_5e8f8a187170e.pem

backend apt-mirror-tls_ipvANY
    mode http
    id 124
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server behemoth 172.16.240.252:443 id 105 ssl verify none crt /var/etc/haproxy/server_clientcert_5e8f8a187170e.pem

backend proxmox_ipvANY
    mode http
    id 106
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server proxmox 172.16.240.254:8006 id 107 ssl verify none crt /var/etc/haproxy/server_clientcert_5e8f8a187170e.pem

backend mailborder_ipvANY
    mode http
    id 112
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server mailborder01 172.16.240.117:80 id 113

backend zabbix_ipvANY
    mode http
    id 114
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server zabbix 172.16.240.9:80 id 115

backend behemoth-pve_ipvANY
    mode http
    id 116
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server proxmox 172.16.240.252:8006 id 107 ssl verify none crt /var/etc/haproxy/server_clientcert_5e8f8a187170e.pem

backend exchange-acme_ipvANY
    mode http
    id 110
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server exchange-acme 172.16.240.4:80 id 111

backend proxmox-acme_ipvANY
    mode http
    id 108
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server proxmox-acme 172.16.240.254:80 id 109

backend apt-mirror_ipvANY
    mode http
    id 104
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server behemoth 172.16.240.252:8080 id 105

backend sql1-acme_ipvANY
    mode http
    id 117
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server sql1-acme 172.16.240.107:80 id 109

backend mailguardian-acme_ipvANY
    mode http
    id 122
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    server mailguardian 172.16.240.105:80 id 123
Can anyone see from the config what is wrong?
Please note that I have replaced my public IP with 1.1.1.1.
-
@Kenneth_H
The "aclcrt_SharedOffload" ACL seems to require a subdomain to be specified.
Have you checked both boxes for the automatic SNI / SNI alternative-name checks? Or perhaps just remove both of those check-boxes; that'll probably work.
-
I got the same issue, how did you resolve this?
-
@planetinse
Don't ask, read.
If the certificate is valid for the root domain, then it's probably due to the ACLs that get added: either check both boxes for checking subject/SAN, or uncheck them; that should allow traffic to pass to the (default) backend. That is assuming you do indeed have the same issue; if not, please start a different topic.
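Both replies point at the same line of the generated config: every `use_backend` in the `SharedOffload` frontend is guarded by `aclcrt_SharedOffload`, whose regex `^([^\.]*)\.khansen-it\.dk(:([0-9]){1,5})?$` demands at least one label and a dot in front of the zone. The bare Host `khansen-it.dk` therefore fails the guard, no `use_backend` fires, and because the frontend has no `default_backend` HAProxy answers 503, which matches exactly what the original post describes for https on the root domain. The script below is an added example, not code from the thread or from pfSense: it replays the frontend's Host routing with `grep -E` as a stand-in for HAProxy's `-m reg -i`, once with the generated regex and once with an assumed apex-friendly variant (the `(label.)?` prefix made optional). The routing table is a trimmed copy of the posted `acl`/`use_backend` pairs, and the hostnames fed in are constructed test inputs.

```shell
#!/bin/sh
# Added example (not from the original thread or pfSense): replay the
# SharedOffload frontend's Host-based routing outside HAProxy, comparing the
# generated "aclcrt_SharedOffload" regex with an assumed apex-friendly version.

# Copied from the posted config. The mandatory "\." after the first group is
# why the bare zone "khansen-it.dk" can never satisfy this ACL.
ORIG_RE='^([^\.]*)\.khansen-it\.dk(:([0-9]){1,5})?$'

# Assumed fix for illustration: make the "label." prefix optional so the
# apex matches too. This is not what pfSense generates; the GUI checkboxes
# mentioned in the replies are the supported way to change the ACL.
FIXED_RE='^(([^\.]*)\.)?khansen-it\.dk(:([0-9]){1,5})?$'

# host_matches REGEX HOST: exit 0 when HOST matches REGEX case-insensitively,
# standing in for HAProxy's "-m reg -i".
host_matches() {
    printf '%s\n' "$2" | grep -Eiq "$1"
}

# route_with REGEX HOST: print the backend the posted frontend would pick for
# HOST. Every use_backend is ANDed with the aclcrt_* guard, and there is no
# default_backend, so a miss is the 503 reported in the question.
route_with() {
    re=$1
    host=$2
    if ! host_matches "$re" "$host"; then
        echo "503 (no backend)"
        return 0
    fi
    # "-m str -i" compares the whole Host value case-insensitively and does
    # NOT strip a :port, so a Host of "khansen-it.dk:443" misses the str ACLs
    # even though the regex allows a port. Lower-case only, nothing else.
    bare=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')
    case $bare in
        khansen-it.dk|www.khansen-it.dk)               echo "app01_ipvANY" ;;
        exchange.khansen-it.dk)                        echo "exchange_ipvANY" ;;
        autodiscover.khansen-it.dk|mail.khansen-it.dk) echo "zentyal_ipvANY" ;;
        unifi.khansen-it.dk)                           echo "unifi_ipvANY" ;;
        *)                                             echo "503 (no backend)" ;;
    esac
}

# Walk the two hostnames from the question through both expressions.
for h in khansen-it.dk www.khansen-it.dk; do
    echo "generated regex:      $h -> $(route_with "$ORIG_RE" "$h")"
    echo "apex-friendly regex:  $h -> $(route_with "$FIXED_RE" "$h")"
done
```

Run it as `sh route_check.sh`: with the generated regex `www.khansen-it.dk` lands on `app01_ipvANY` while `khansen-it.dk` prints `503 (no backend)`; with the apex-friendly regex both reach `app01_ipvANY`, and an unrelated name such as `evil.example.com` still gets no backend, which is the property the certificate-name guard exists to keep. The plain-HTTP frontend in the posted config has no such guard, which is why http on the root domain already worked.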