Netgate Discussion Forum

    How to use HA proxy to route HTTP traffic? It does not work as I expected :(

    louis2:

      Hello,

      I would like to use an HAProxy frontend to select an HAProxy backend based on the domain, for incoming HTTP traffic that does not necessarily arrive on port 80.

      Assume the traffic is like this
      port 123
      domain1 = sub1.example1.com
      domain2 = sub2.example2.com

      So I did define a frontend

      • listening to port 123 on address1 and address2
      • type http / https (offloading)

      Access control list:

      name     expression       value
      domain1  host ends with   example1.com
      domain2  host ends with   sub2.example2.com

      Actions (action ; parameters ; condition):

      1. use backend ; backend: backend_domain1 ; domain1
      2. use backend ; backend: backend_domain2 ; domain2

      That should work, I thought, but it does not 😂
      The only option which partly(!!) works is "host contains".

      The bottom line is that I have no idea why this does not work or what to do to make it work 😖

      So hopefully someone can explain what I am doing wrong here and what to do to make it work.

      PS IMHO
      'HA-host' = domain + subdomain
      'HA-path' = (domain)/path
      'HA-URL' = the total address line

      netblues @louis2:

        @louis2 said in How to use HA proxy to route HTTP traffic? It does not work as I expected :(:

        type http / https (offloading)

        This is a special case for ha proxy.
        You don't say that you want to do tls offloading.

        Start there

        louis2 @netblues:

          @netblues

          No, my intention is certainly not TLS offloading; my intention is only(!) HTTP routing.

          The incoming traffic is HTTP, not HTTPS, so routing based on SSL/HTTPS is not an option. And type TCP cannot filter on HTTP.

          So I am lost.

          Note that if I add a default backend to the frontend, the traffic is forwarded to that backend, bypassing the access rule.

          However, that is of course not the intention.

          For info, one of the main reasons to support HTTP is to pass Let's Encrypt to the backend. As you probably expected, my certificates are on the backends.

          netblues @louis2:

            @louis2 I'm lost on what you are trying to achieve, but in any case http/https offloading is not going to cut it.
            In SSL offloading all certificates must be on HAProxy, and you get clear HTTP connections to the backend.

            HAProxy is not a router and cannot do routing either.

            Port 123 is NTP and is UDP.

            In any case, ACLs need some study and experimentation.
            The docs are here:
            https://cbonte.github.io/haproxy-dconv/2.4/configuration.html#7

            louis2 @netblues:

              @netblues

              "port 123" was just indicating some random number :)

              HAProxy is surely doing (application-level) routing. It routes to a particular backend depending on the access control list match.

              On the internet there is a lot of HAProxy documentation, but not related to the pfSense package version.

              In general the pfSense package version is easier to use, but has fewer options.

              Also note I did not find an example yet where someone is routing HTTP based on domain. I did find examples based on path, which are probably closely related.

              I will have a look at the given link, but in the pfSense package version I have only three options:

              1. http /https (offloading)
              2. ssl / https(TCP- mode)
              3. tcp

              Options 2) and 3) are surely not appropriate, so the only option which IMHO could work is option 1).

              netblues @louis2:

                @louis2 TCP is your option, i.e. 3.

                And then use ACLs as seen in examples.

                Since this is a networking forum, we tend to use the term routing in a strict context.

                AFAIK, the HAProxy implementation has the same options as the open source version, albeit the web interface isn't exposing many of them in an intuitive way.

                louis2 @netblues:

                  @netblues

                  When using TCP as the type, the ACL options shown in the GUI do not match what I need (selection on host or, IMHO, domain).

                  What comes near as an example is
                  https://www.linode.com/docs/guides/how-to-configure-haproxy-http-load-balancing-and-health-checks/

                  where path, not host, is used as the criterion and HTTP as the type, which is not available in the pfSense HAProxy GUI.

                  netblues @louis2:

                    @louis2
                    [attached screenshot]

                    How about custom?

                    and then an action.

                    Yes it is not intuitive or easy, and no, I don't have that much experience on that, but the options exist.

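The host-based routing louis2 is after, written as a raw haproxy.cfg fragment rather than through the pfSense GUI (an added example, not from this thread or from the pfSense package; the listen addresses, backend addresses, backend names and port 123 are placeholders). The "custom" ACL field netblues points at accepts expressions in this syntax. One caveat worth checking first: on a non-standard port an HTTP/1.1 client sends `Host: sub1.example1.com:123`, so an "ends with example1.com" test against the raw header never matches and every request falls through to the default backend, which is the symptom described above; stripping the port before comparing fixes that.

```haproxy
# Added example (not from the thread): plain-HTTP routing by Host header in HTTP mode.
# Assumed placeholders: 192.0.2.1/192.0.2.2 are the frontend addresses,
# 10.0.0.11/10.0.0.12 the backends, and 123 stands in for the real non-standard port.
frontend fe_http_routing
    mode http
    bind 192.0.2.1:123
    bind 192.0.2.2:123

    # Weak: an end-of-string match ("ends with") on the raw Host header.
    # With a non-standard port the header is "sub1.example1.com:123",
    # so this ACL is never true and traffic goes to default_backend.
    # acl domain1 req.hdr(host),lower -m end example1.com

    # Corrected: keep only the part before ":" (drops the port), then compare.
    acl domain1 req.hdr(host),field(1,:),lower -m end example1.com
    acl domain2 req.hdr(host),field(1,:),lower -m end sub2.example2.com

    # Route by host; Let's Encrypt HTTP-01 requests for a host go to the
    # same backend as everything else for that host, where the certificate lives.
    use_backend backend_domain1 if domain1
    use_backend backend_domain2 if domain2

    # Catch-all for hosts that matched no ACL. Without a default_backend,
    # HAProxy answers unmatched requests with a 503 instead.
    default_backend backend_reject

backend backend_domain1
    mode http
    server web1 10.0.0.11:80 check

backend backend_domain2
    mode http
    server web2 10.0.0.12:80 check

backend backend_reject
    mode http
    # Refuse unknown hosts explicitly rather than forwarding them anywhere.
    http-request deny deny_status 403
```

Validate the file with `haproxy -c -f /path/to/haproxy.cfg` before loading it; a request for an unknown host should now get a 403 rather than silently reaching a backend.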
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.