Netgate Discussion Forum

Parsing host header through HAProxy to backend

  • P
    peterweissdk
    last edited by Feb 13, 2025, 8:09 AM

    I'm running a k8s cluster with Traefik v3 installed to load-balance my services. I'm using Traefik's IngressRoute to route e.g. HTTP requests to my services, using the hostname as a match for the service.
    When I use local DNS (inside my LAN) to resolve the hostname, I can reach the service in the cluster, so Traefik and the service are working just fine.
    For the record, I'm querying HTTP (80) inside my LAN, and SSL-offloading everything in HAProxy running as a package in pfSense. When making a query from outside the LAN, I use Cloudflare as DNS provider, and ACME in pfSense to handle my certificates.
    When I query the DNS from outside my LAN using HTTPS, and the query resolves to my router running pfSense, the query hangs, and I can't reach my service at the k8s cluster.
    If I have a service with an internal IP address, everything works fine. I can resolve the DNS name, the HAProxy frontend SSL-offloads and filters the domain names using ACLs, and sends the traffic to the corresponding backends, and I have a secure connection from my browser with a valid Let's Encrypt certificate.
    So my theory is that the domain name (Host header) is not sent through to the backend service, and that's why the Traefik proxy in the k8s cluster cannot match the domain name.
    I have tried to set in: HAProxy - frontend - actions:
    http-request header set
    Condition acl names: <backend_service>
    name: Host
    fmt: <the_domaine_name>
    But that did not work...
    Any suggestions?

    Regards
    /peterweissdk

    • S stephenw10 moved this topic from General pfSense Questions on Feb 13, 2025, 2:15 PM
    • P
      peterweissdk @peterweissdk
      last edited by Feb 13, 2025, 7:17 PM

      I have tried to draw it in a flowchart kind of way :thinking:

      This is what's not working, but the solution I want.
      12a47fc4-75ea-459c-a88e-b7bc24940cc0-billede.png

      This works: If I resolve the DNS locally and bypass pfSense and HAP, no problem.
      29ab0615-deb8-4321-aef8-f1f4d1cdf7eb-billede.png

      …and this works: If the HAP backend points to an internal IP, it works.
      b7b108c8-4df8-413c-8e2a-84395744635d-billede.png

      So Traefik filters domain names from the Host header, and matches them with the services defined in the Traefik IngressRoute. If I do that by querying the DNS locally, I can get the service, so the Traefik setup is OK… I think!

      Also, I can reach the service if the service has a local IP assigned from the k8s load balancer (in my case MetalLB). So HAProxy works when routing to a static IP.

      It's when Traefik in k8s gets the domain name from the HAP backend that it fails…, or in my case hangs.

      • V
        viragomann @peterweissdk
        last edited by Feb 13, 2025, 9:38 PM

        @peterweissdk
        HAProxy does not make any changes to the headers as long as you don't instruct it to do so with certain header rules. It neither removes, replaces nor adds a Host header by default. All headers are passed through to the backend.

        So the cause of your issue might be another one.

        Is Traefik working in transparent mode by any chance?
        This will lead to asymmetric routing in your setup.
        On pfSense, ensure that the logging of the default deny rule is enabled. Then check the firewall log for related blocks from the backend device.

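One way to test the Host-header theory from this thread directly, as an added example that is not part of any post: a small backend that echoes the Host and X-Forwarded-* headers it receives, and a probe that sends a chosen Host value to any address. The hostname, port handling and function names are assumptions, and the probe speaks plain HTTP, so it fits an HTTP listener or the backend itself rather than the SSL-offloading frontend.

```python
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

FORWARD_HEADERS = ("Host", "X-Forwarded-For", "X-Forwarded-Proto", "X-Forwarded-Host")

class EchoHandler(BaseHTTPRequestHandler):
    """Answers every GET with the routing-relevant headers it received."""

    def do_GET(self):
        seen = {name: self.headers.get(name) for name in FORWARD_HEADERS}
        body = json.dumps({"path": self.path, "headers": seen}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):  # keep the console quiet
        pass

def start_echo_backend(bind="127.0.0.1", port=0):
    """Start the echo backend in a daemon thread; port 0 picks a free port."""
    server = ThreadingHTTPServer((bind, port), EchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def probe(address, port, host_header, path="/"):
    """Connect to address:port but send host_header as Host; return the echo."""
    conn = http.client.HTTPConnection(address, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Host": host_header})
        return json.loads(conn.getresponse().read())
    finally:
        conn.close()

def host_preserved(address, port, host_header):
    """True when the backend saw exactly the Host value the client sent."""
    return probe(address, port, host_header)["headers"]["Host"] == host_header

if __name__ == "__main__":
    backend = start_echo_backend()
    port = backend.server_address[1]
    # Constructed hostname, probing the echo backend directly. Point address/port
    # at a proxy listener that forwards to it to test the proxied path instead.
    print(probe("127.0.0.1", port, "app.example.test"))
    backend.shutdown()
```

If the echoed Host matches what the client sent when the request goes through the proxy, header forwarding is ruled out and the search moves on to routing, firewall or certificate causes.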
        • P
          peterweissdk @viragomann
          last edited by Feb 18, 2025, 6:49 AM

          @viragomann
          Of course..., this was not a HAProxy problem at all, and the Host header is passed through pfSense and HAProxy just fine.
          The problem was a certificate issue that I fixed, and I can now reach my backend services with HTTPS from outside my network.
          Thank you for your time.

          /peterweissdk

          • P
            peterweissdk @peterweissdk
            last edited by Feb 18, 2025, 6:53 AM

            How do I close this thread and mark it solved?

            • D
              diligent
              last edited by Feb 19, 2025, 8:40 AM

              Make sure that the HAProxy configuration correctly forwards the Host header to your backend. You mentioned trying to set the Host header using an action, but it's crucial that this configuration is correctly applied.
