HAProxy use_backend multiple ACLs
-
I have two backends that need web sockets. Only one works at a time. The following configuration is what I would expect to work, but it doesn’t. Only the item appearing first in the list (ACL20) will have the web socket work. Any ideas?

acl aclcrt_sharedFrontEndHTTPS var(txn.txnhost) -m reg -i ^([^\.]*)\.xyz\.com(:([0-9]){1,5})?$
acl aclcrt_sharedFrontEndHTTPS var(txn.txnhost) -m reg -i ^([^\.]*)\.abc\.com(:([0-9]){1,5})?$
acl aclcrt_sharedFrontEndHTTPS var(txn.txnhost) -m reg -i ^xyz\.com(:([0-9]){1,5})?$
acl aclcrt_sharedFrontEndHTTPS var(txn.txnhost) -m reg -i ^abc\.com(:([0-9]){1,5})?$
acl ACL3 var(txn.txnhost) -m str -i abc.com
acl ACL3 var(txn.txnhost) -m beg -i www.abc.com
acl ACL9 var(txn.txnhost) -m str -i xyz.com
acl ACL9 var(txn.txnhost) -m str -i www.xyz.com
acl ACL67 var(txn.txnhost) -m sub -i overseerr.xyz.com
acl ACL20 var(txn.txnhost) -m sub -i homeassistant
acl ACL20 hdr(Upgrade) -i websocket
acl ACL20 hdr(Connection) -i upgrade
acl ACL444 var(txn.txnhost) -m sub -i audiobookshelf
acl ACL444 hdr(Upgrade) -i websocket
acl ACL444 hdr(Connection) -i upgrade
http-request set-var(txn.txnhost) hdr(host)
use_backend abc_ipv4 if ACL3
use_backend xyz_ipv4 if ACL9
use_backend Overseerrxyz_ipvANY if ACL67
use_backend HomeAssistantxyz_ipvANY if ACL20
use_backend AudioBookShelfxyz_ipvANY if ACL444
default_backend abc_ipv4
default_backend xyz_ipv4
default_backend Overseerrxyz_ipvANY
default_backend HomeAssistantxyz_ipvANY
default_backend AudioBookShelfxyz_ipvANY

-
acl's with the same name will be 'combined' using OR criteria.
So ACL20 has three conditions, any one of which will trigger it. Two of those conditions indicate sockets so ACL20 will always hit first, instead of 444.
NOTE Important change in behaviour, since package version 0.32
-acl's are no longer combined with logical AND operators, list multiple acl's below where needed. -
So something like this:

acl aclcrt_sharedFrontEndHTTPS var(txn.txnhost) -m reg -i ^([^\.]*)\.xyz\.com(:([0-9]){1,5})?$
acl aclcrt_sharedFrontEndHTTPS var(txn.txnhost) -m reg -i ^([^\.]*)\.abc\.com(:([0-9]){1,5})?$
acl aclcrt_sharedFrontEndHTTPS var(txn.txnhost) -m reg -i ^xyz\.com(:([0-9]){1,5})?$
acl aclcrt_sharedFrontEndHTTPS var(txn.txnhost) -m reg -i ^abc\.com(:([0-9]){1,5})?$
acl ACL3 var(txn.txnhost) -m str -i abc.com
acl ACL3 var(txn.txnhost) -m beg -i www.abc.com
acl ACL9 var(txn.txnhost) -m str -i xyz.com
acl ACL9 var(txn.txnhost) -m str -i www.xyz.com
acl ACL67 var(txn.txnhost) -m sub -i overseerr.xyz.com
acl ACL20 var(txn.txnhost) -m sub -i homeassistant
acl ACL21 hdr(Upgrade) -i websocket
acl ACL21 hdr(Connection) -i upgrade
acl ACL444 var(txn.txnhost) -m sub -i audiobookshelf
acl ACL445 hdr(Upgrade) -i websocket
acl ACL445 hdr(Connection) -i upgrade
http-request set-var(txn.txnhost) hdr(host)
use_backend abc_ipv4 if ACL3
use_backend xyz_ipv4 if ACL9
use_backend Overseerrxyz_ipvANY if ACL67
use_backend HomeAssistantxyz_ipvANY if ACL20 && ACL21
use_backend AudioBookShelfxyz_ipvANY if ACL444 && ACL445
default_backend abc_ipv4
default_backend xyz_ipv4
default_backend Overseerrxyz_ipvANY
default_backend HomeAssistantxyz_ipvANY
default_backend AudioBookShelfxyz_ipvANY

-
Sorry, I'm in the same boat as you and just solved it. You put multiple ACLs in the Actions table to get AND.
ACL_HA .... -i home assistant
ACL_AB .... -i audiobookshelf
ACL_WS
ACL_WS_Up
Then in Actions in the Conditional acl names field (note the plural) - the two or more ACLs get ANDed together:
ACL_HA ACL_WS
ACL_AB ACL_WS
Cheers
Jon
-
@gerdesj Thanks for the reply
ACL_HA ACL_WS
ACL_AB ACL_WS
^^^ This doesn't take into account the ACL_WS_Up condition...
I just tried my posted config and pfSense barked about the "&&", so I removed them. The configuration was accepted, but now my home assistant subdomain redirects to my audio bookshelf subdomain...

acl aclcrt_sharedFrontEndHTTPS var(txn.txnhost) -m reg -i ^([^\.]*)\.xyz\.com(:([0-9]){1,5})?$
acl aclcrt_sharedFrontEndHTTPS var(txn.txnhost) -m reg -i ^([^\.]*)\.abc\.com(:([0-9]){1,5})?$
acl aclcrt_sharedFrontEndHTTPS var(txn.txnhost) -m reg -i ^xyz\.com(:([0-9]){1,5})?$
acl aclcrt_sharedFrontEndHTTPS var(txn.txnhost) -m reg -i ^abc\.com(:([0-9]){1,5})?$
acl ACL3 var(txn.txnhost) -m str -i abc.com
acl ACL3 var(txn.txnhost) -m beg -i www.abc.com
acl ACL9 var(txn.txnhost) -m str -i xyz.com
acl ACL9 var(txn.txnhost) -m str -i www.xyz.com
acl ACL67 var(txn.txnhost) -m sub -i overseerr.xyz.com
acl ACL20 var(txn.txnhost) -m sub -i homeassistant
acl ACL21 hdr(Upgrade) -i websocket
acl ACL21 hdr(Connection) -i upgrade
acl ACL444 var(txn.txnhost) -m sub -i audiobookshelf
http-request set-var(txn.txnhost) hdr(host)
use_backend abc_ipv4 if ACL3
use_backend xyz_ipv4 if ACL9
use_backend Overseerrxyz_ipvANY if ACL67
use_backend HomeAssistantxyz_ipvANY if ACL20 ACL21
use_backend AudioBookShelfxyz_ipvANY if ACL444 ACL21
default_backend abc_ipv4
default_backend xyz_ipv4
default_backend Overseerrxyz_ipvANY
default_backend HomeAssistantxyz_ipvANY
default_backend AudioBookShelfxyz_ipvANY

-
Try getting rid of the default backends. They can cause lots of confusion!
-
Removing all the default backends, now I get "503 Service Unavailable: No server is available to handle this request" on the homeassistant and audiobookshelf subdomains.
Overseerr, xyz.com, and abc.com work fine.
My HAProxy stats page shows all of my hosts are up.
-
Try removing ACL21 from both your use_backend. HA Proxy automatically detects WSS and will switch from http to tunnelling (HA Proxy blog article).
-
Haha. That did it. So essentially you don't need any ACLs to help with websockets when using HAProxy. Fantastic. Thanks for the help.
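
The routing behaviour discussed across this thread, as an added example that is not part of any post and is not HAProxy or pfSense code: a small Python model that replays the four configurations against constructed requests. It assumes that acl lines sharing a name are ORed, that ACL names listed after "if" are ANDed, that the first matching use_backend wins and that the last default_backend line is the one in effect; the helper names and sample hosts are hypothetical.

```python
# Added example: a small model of HAProxy frontend routing, not HAProxy code.
# Assumed semantics: acl lines sharing a name are ORed; ACL names listed after
# "if" are ANDed; the first matching use_backend wins; the last default_backend
# line wins; with no match and no default the client gets a 503.
HA, ABS = "HomeAssistantxyz_ipvANY", "AudioBookShelfxyz_ipvANY"

def host_sub(text):                      # var(txn.txnhost) -m sub -i <text>
    return lambda req: text in req["host"].lower()

def hdr(name, value):                    # hdr(<name>) -i <value>
    return lambda req: req["headers"].get(name, "").lower() == value

WS = [hdr("Upgrade", "websocket"), hdr("Connection", "upgrade")]

def route(req, acls, rules, default=None):
    """Return the backend chosen for req, or "503" when nothing applies."""
    for backend, names in rules:
        if all(any(test(req) for test in acls[n]) for n in names):
            return backend
    return default or "503"

# Constructed requests: a plain page load and two WebSocket handshakes.
WS_HDRS = {"Upgrade": "websocket", "Connection": "Upgrade"}
REQUESTS = [
    {"host": "homeassistant.xyz.com", "headers": {}},
    {"host": "homeassistant.xyz.com", "headers": WS_HDRS},
    {"host": "audiobookshelf.xyz.com", "headers": WS_HDRS},
]

# First post: host and header tests share one ACL name, so they are ORed.
ORIGINAL = dict(
    acls={"ACL20": [host_sub("homeassistant")] + WS,
          "ACL444": [host_sub("audiobookshelf")] + WS},
    rules=[(HA, ["ACL20"]), (ABS, ["ACL444"])], default=ABS)
# Third config: header tests moved to ACL21 and ANDed with the host ACL.
SPLIT = dict(
    acls={"ACL20": [host_sub("homeassistant")], "ACL21": WS,
          "ACL444": [host_sub("audiobookshelf")]},
    rules=[(HA, ["ACL20", "ACL21"]), (ABS, ["ACL444", "ACL21"])], default=ABS)
NO_DEFAULT = dict(SPLIT, default=None)   # default backends removed
HOST_ONLY = dict(NO_DEFAULT, rules=[(HA, ["ACL20"]), (ABS, ["ACL444"])])

def outcomes(cfg):
    """Backends chosen for the three constructed requests, in order."""
    return [route(req, **cfg) for req in REQUESTS]

if __name__ == "__main__":
    for name in ("ORIGINAL", "SPLIT", "NO_DEFAULT", "HOST_ONLY"):
        print(name, outcomes(globals()[name]))
```

Under these assumptions the model reproduces each reported symptom: the audiobookshelf WebSocket landing on Home Assistant, the Home Assistant page load falling through to the last default backend, the 503 once defaults are removed, and correct routing once the host ACL alone selects the backend.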