Netgate Discussion Forum

    How do I wildcard forward a subdomain to HAProxy?

    Category: DHCP and DNS
    5 Posts, 2 Posters, 440 Views
    ajperson1927

      I have a domain that I use to access some internal and external services. For external services, I use Cloudflare for DNS. For my internal services, I use host overrides in the DNS resolver, and forward it to HAProxy. This does work, but it does get tedious since I have to add everything to both HAProxy and the DNS resolver, and I have a lot of internal services.

      What I want to do is have a subdomain that gets forwarded to HAProxy for all internal services. So *.internal.example.com gets forwarded to HAProxy, everything else doesn't. I've tried adding internal.example.com to the DNS resolver, pointing to my HAProxy. This doesn't seem to work. Dig gives:

      ; <<>> DiG 9.20.8 <<>> sampleservice.internal.example.com
      ;; global options: +cmd
      ;; Got answer:
      ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 55656
      ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
      
      ;; OPT PSEUDOSECTION:
      ; EDNS: version: 0, flags:; udp: 1432
      ;; QUESTION SECTION:
      ;sampleservice.internal.example.com.   IN      A
      
      ;; Query time: 2656 msec
      ;; SERVER: 192.168.0.1#53(192.168.0.1) (UDP)
      ;; WHEN: Sat May 31 16:55:27 MDT 2025
      ;; MSG SIZE  rcvd: 56
      

      HAProxy's IP is 192.168.0.121, so it seems it isn't making it there.

      Looking online, I found an unbound config that should do the trick if I add it to the custom options box:

      server:
          local-zone: "internal.example.com" redirect
          local-data: "internal.example.com 86400 IN A 192.168.0.121"
      

      Now dig does return HAProxy's IP, but HAProxy doesn't know how to route it. I have HAProxy set up to route based on host acls. It reads the host header to decide where to send the traffic. However, it looks like the host header is completely blank. Looking around a bit, it seems like the usage of redirect causes the host header to not be set, but transparent should solve that. But transparent doesn't seem to support wildcards.

      Does anyone know how to accomplish what I'm trying to do? I just want *.internal.example.com to be routed to HAProxy, and include the host header so HAProxy routes correctly. How do I do this?

      viragomann @ajperson1927

        @ajperson1927
        The host header has nothing to do with a DNS override.

        The host header is implemented in the http request by the browser. The request is sent to the IP according to the DNS resolution.
        And HAproxy doesn't change the host header in any way or remove it, as long as you don't tell it to do that.

        @ajperson1927 said in How do I wildcard forward a subdomain to HAProxy?:

        Looking online, I found an unbound config that should do the trick if I add it to the custom options box:

        server:
        local-zone: "internal.example.com" redirect
        local-data: "internal.example.com 86400 IN A 192.168.0.121"

        Does your HAproxy use this domain in the backend to access the server by any chance?
        If so you should rather use the IP there instead.

        ajperson1927 @viragomann

          @viragomann

          @viragomann said in How do I wildcard forward a subdomain to HAProxy?:

          The host header is implemented in the http request by the browser. The request is sent to the IP according to the DNS resolution.

          Right. However:
          Host override: browser attaches host header
          Config with transparent override for an exact address: browser attaches host header
          Config with redirect override: browser does not attach host header
          So while it does not modify headers, it seems that the way it's doing the redirect somehow causes the browser to not include the host header when certain options are set

          @viragomann said in How do I wildcard forward a subdomain to HAProxy?:

          And HAproxy doesn't change the host header in any way or remove it, as long as you don't tell it to do that.

          I know. The acl is set to read the host header, not write or remove. "Host matches: exampleservice.internal.example.com". I also have it logging out the host header, which is how I know it's completely blank

          @viragomann said in How do I wildcard forward a subdomain to HAProxy?:

          Does your HAproxy use this domain in the backend to access the server by any chance?
          If so you should rather use the IP there instead.

          HAProxy is listening on a virtual ip, where I'm attempting to send the traffic to, then it routes from there. It doesn't listen on a domain for itself

          viragomann @ajperson1927

            @ajperson1927 said in How do I wildcard forward a subdomain to HAProxy?:

            Config with redirect override: browser does not attach host header

            I just tested this on my pfSense, created a DNS redirect entry in the Resolver, pointed it to the internal IP of my webserver.
            I started the debug mode in the browser to show the request headers and entered a subdomain into the address line. The browser sends its request to my webserver and I can see the fictive host name in the host header as expected.
            So I'm wondering why your browser behaves differently.

            Did you already try a different browser or at least clear its cache?

            ajperson1927 @viragomann

              @viragomann
              I didn't even think of checking the browser's debug mode. It does look like the host header is being attached, actually. But for some reason HAProxy isn't picking up on it. I do have HAProxy redirecting HTTP to HTTPS, and it seems like that might be where the problem is. If I disable that and just use HTTP, it works. I do want to stick to HTTPS though. This does work for host overrides, but not DNS redirects. I have HAProxy listening on 80, with the action "http-request redirect scheme https code 301 !{ssl_fc}". Then I have an HTTPS frontend listening on 443. I also have a certificate for the wildcard subdomain. This has always worked in the past with host overrides. But now it won't with domain redirects, and I'm not sure why.

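The point viragomann tested in the browser (the Host header comes from the URL the client was given, not from whatever address the name resolved to) and the host-matching that ajperson1927's HAProxy ACLs have to do can both be reproduced offline. The following is an added example written for this thread, not code from either poster, from pfSense or from HAProxy: a loopback listener stands in for HAProxy and records the Host header it receives, a client connects straight to 127.0.0.1 (which is what an unbound host override or local-zone redirect does to the browser's connection) while still sending the name from the URL, and a small routing table with hypothetical backend names plays the role of a "Host matches" ACL for an exact host and for *.internal.example.com. The backend names, the routing table and the 421 status for an unmatched host are assumptions made for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed routing table standing in for HAProxy "Host matches" ACLs.
# Backend names are hypothetical; exact match first, then a wildcard suffix.
ROUTES = {
    "sampleservice.internal.example.com": "backend_sampleservice",
    "*.internal.example.com": "backend_internal_default",
}


def pick_backend(host_header, routes=ROUTES):
    """Return the backend for a Host header value, or None when no ACL matches.

    Covers what a host-based ACL has to cope with: an absent or blank header,
    an optional :port suffix, a trailing dot and mixed case.
    """
    if not host_header or not host_header.strip():
        return None
    host = host_header.strip().split(":", 1)[0].rstrip(".").lower()
    if host in routes:
        return routes[host]
    for pattern, backend in routes.items():
        # "*.internal.example.com" matches any name under the zone, but not
        # the apex "internal.example.com" itself (no leading "." to match).
        if pattern.startswith("*.") and host.endswith(pattern[1:]):
            return backend
    return None


class _HostCapture(BaseHTTPRequestHandler):
    """Loopback stand-in for HAProxy: records the Host header it receives."""

    seen = []

    def do_GET(self):
        host = self.headers.get("Host", "")
        backend = pick_backend(host)
        _HostCapture.seen.append(host)
        body = (backend or "no matching ACL").encode()
        self.send_response(200 if backend else 421)  # 421 Misdirected Request
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def observe_host_header(url_host, connect_ip="127.0.0.1"):
    """Send one GET for url_host straight to connect_ip and report what the listener saw.

    Connecting to an address other than what public DNS says for url_host is
    exactly what a resolver override does for the browser; the Host header
    still comes from the URL, not from the resolved address.
    """
    _HostCapture.seen.clear()
    server = HTTPServer((connect_ip, 0), _HostCapture)  # port 0: pick a free one
    port = server.server_address[1]
    worker = threading.Thread(target=server.serve_forever, daemon=True)
    worker.start()
    try:
        conn = http.client.HTTPConnection(connect_ip, port, timeout=5)
        # http.client, like a browser, sends the Host value given here rather
        # than the address it actually connected to.
        conn.request("GET", "/", headers={"Host": url_host})
        resp = conn.getresponse()
        body = resp.read().decode()
        conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return {
        "host": _HostCapture.seen[-1],
        "status": resp.status,
        "backend": body if resp.status == 200 else None,
    }


if __name__ == "__main__":
    for name in ("sampleservice.internal.example.com",
                 "other.internal.example.com",
                 "internal.example.com"):
        print(name, observe_host_header(name))
```

What this shows for the thread: the name sent in Host is whatever the client was asked for, whether the resolver answered from a host override, a local-zone redirect, or public DNS, so a blank Host in HAProxy's log points at where the header is read rather than at unbound. A practitioner would check that the Host ACL and the logging are on the frontend that actually terminates the HTTPS connection (a frontend in tcp mode cannot see HTTP headers at all and would have to match on the TLS server name instead), and that the port-80 redirect frontend and the port-443 frontend both match the wildcard.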
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.