Netgate Discussion Forum

Can't set SNI frontend HAProxy

  • M
    magickarle
    last edited by Nov 30, 2024, 3:24 PM

    On frontend as type TCP, I need to set an ACL based on expression SNI extension matches.

    But when I first try to add a new ACL, the only expressions I can choose are:
    Source IP matches IP or alias
    Minimum count usable servers
    Traffic is http (no value needed)
    Traffic is ssl (no value needed)
    Custom ACL.

    So I did a test:
    Choose in Expression: Traffic is ssl (no value needed)
    Save - Apply. No problem. (I can query the host and I get the site)

    Edit the frontend:
    Edit ACL:
    Now the "Server name indication TLS extension matches" is there.
    Chose it, Save, apply. Error:

    Errors found while starting haproxy
    [NOTICE] (87012) : haproxy version is 2.8.3-86e043a
    [NOTICE] (87012) : path to executable is /usr/local/sbin/haproxy
    [ALERT] (87012) : config : parsing [/var/etc/haproxy_test/haproxy.cfg:31] : error detected while parsing switching rule : no such ACL : 'ubuntuapsportainer'.
    [ALERT] (87012) : config : Error(s) found in configuration file : /var/etc/haproxy_test/haproxy.cfg
    [ALERT] (87012) : config : Fatal errors found in configuration.

    logs:
    Nov 30 10:18:39 php-fpm 397 haproxy: check error output: [NOTICE] (87012) : haproxy version is 2.8.3-86e043a [NOTICE] (87012) : path to executable is /usr/local/sbin/haproxy [ALERT] (87012) : config : parsing [/var/etc/haproxy_test/haproxy.cfg:31] : error detected while parsing switching rule : no such ACL : 'ubuntuapsportainer'. [ALERT] (87012) : config : Error(s) found in configuration file : /var/etc/haproxy_test/haproxy.cfg [ALERT] (87012) : config : Fatal errors found in configuration.
    Nov 30 10:19:00 php-fpm 398 /status_services.php: The command '/usr/local/etc/rc.d/haproxy.sh stop' returned exit code '1', the output was 'Stopping haproxy. Waiting for PIDS: 93495. Stopping haproxy. No matching processes were found'
    Nov 30 10:19:00 php-cgi 4271 haproxy: starting old pid:93495
    Nov 30 10:19:00 php-cgi 4271 haproxy: started new pid:93495
    Nov 30 10:19:00 php-cgi 4271 haproxy: startup error output!: [NOTICE] (5616) : haproxy version is 2.8.3-86e043a[NOTICE] (5616) : path to executable is /usr/local/sbin/haproxy[ALERT] (5616) : config : parsing [/var/etc/haproxy/haproxy.cfg:31] : error detected while parsing switching rule : no such ACL : 'ubuntuapsportainer'.[ALERT] (5616) : config : Error(s) found in configuration file : /var/etc/haproxy/haproxy.cfg[ALERT] (5616) : config : Fatal errors found in configuration.
    Nov 30 10:19:05 php-fpm 397 haproxy: check error output: [NOTICE] (24782) : haproxy version is 2.8.3-86e043a [NOTICE] (24782) : path to executable is /usr/local/sbin/haproxy [ALERT] (24782) : config : parsing [/var/etc/haproxy_test/haproxy.cfg:31] : error detected while parsing switching rule : no such ACL : 'ubuntuapsportainer'. [ALERT] (24782) : config : Error(s) found in configuration file : /var/etc/haproxy_test/haproxy.cfg [ALERT] (24782) : config : Fatal errors found in configuration.

    haproxy 0.63_2

    Name pfSense.home
    System QEMU Guest
    BIOS Vendor: Proxmox distribution of EDK II
    Version: 4.2023.08-4
    Release Date: Thu Feb 15 2024
    Version 2.7.2-RELEASE (amd64)
    built on Mon Mar 4 14:53:00 EST 2024
    FreeBSD 14.0-CURRENT

    The system is on the latest version.
    Version information updated at Sat Nov 30 9:02:21 EST 2024
    CPU Type Common KVM processor
    10 CPUs: 1 package(s) x 10 core(s)
    AES-NI CPU Crypto: No
    QAT Crypto: No

    • M
      magickarle
      last edited by Dec 10, 2024, 9:36 PM

      bump

      • V
        viragomann @magickarle
        last edited by Dec 11, 2024, 3:49 PM

        @magickarle
        If you want HAProxy to check SNI, select the type "SSL / https(TCP mode)" in the frontend.

        • M
          magickarle @viragomann
          last edited by Dec 11, 2024, 8:15 PM

          @viragomann what if I don't want to offload SSL?

          • V
            viragomann @magickarle
            last edited by Dec 11, 2024, 9:21 PM

            @magickarle
            Then don't check "SSL Offloading" in the listener section.

            • M
              magickarle @viragomann
              last edited by Dec 13, 2024, 1:42 PM

              Ahh, my trouble is with one specific server. This worked with other ones. Thanks!
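
The setup discussed in this thread (SNI matching in a TCP-mode frontend without SSL offloading), written out as a hand-made haproxy.cfg fragment. This is an added example, not output of the pfSense package or a config from either poster; the section names, hostname and addresses are constructed placeholders.

```haproxy
# Constructed example: every name and address below is a placeholder.
frontend tls_passthrough
    bind 192.0.2.10:443
    mode tcp

    # Hold the connection until the TLS ClientHello has arrived,
    # so the SNI extension is available to the ACL below.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    # The ACL name used by use_backend must be defined in this section.
    # A use_backend rule naming an ACL that has no "acl" line fails with
    # "error detected while parsing switching rule : no such ACL".
    acl portainer_sni req.ssl_sni -i portainer.example.com
    use_backend portainer_tls if portainer_sni

    # No default_backend: a connection whose SNI matches no rule
    # is not forwarded to any server.

backend portainer_tls
    mode tcp
    # No "ssl" keyword on the server line: HAProxy relays the encrypted
    # stream unchanged and the backend server terminates TLS itself.
    server portainer 198.51.100.20:9443 check
```

Because TLS is not terminated here, the SNI value is the only hostname HAProxy sees, and it is supplied by the client in cleartext. Treat it as a routing hint and leave certificate validation and access control to the backend.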
