HAProxy: how to use custom ACLs
-
I am trying to forward HTTP packets based on the hostname, or better, on the end of a hostname (the domain).
hostname1 => backend1
hostname2 => backend2
etc.

I tried to achieve that with an HAProxy frontend of type 'tcp' (also see my previous post How to use HA_proxy how to route HTTP).
I did not manage, and a suggestion was to use custom ACLs. However, I absolutely do not know how to do that (I tried a few things, but they did not work).
So I would love to have an example, or even better the ACL I need for this specific problem.
-
@louis2
A non-SSL TCP frontend is not able to detect the host name in any way. It just sees the IP and port, which could be used to select the backend.

The only ways to detect host names in HAProxy are either through SNI or from the Host header.
The former requires a TLS request, the latter only works with an HTTP frontend. -
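The two detection paths described in the answer above, written out as a minimal haproxy.cfg. This is an added example, not configuration from the original thread or generated by the pfSense package; the IP addresses, host names and backend names are placeholders. The TCP frontend has to wait for the TLS ClientHello before it can read the SNI, which is what the `inspect-delay` and `req_ssl_hello_type` lines do; the HTTP frontend reads the Host header directly and also routes the Let's Encrypt http challenge path, since that traffic arrives over plain HTTP.

```haproxy
# --- TLS passthrough: route on SNI, no certificate needed on the proxy ---
frontend fe_tls_passthrough
    bind 203.0.113.10:443
    mode tcp
    # Buffer the first bytes until the ClientHello (hello type 1) has arrived,
    # otherwise req_ssl_sni is empty and every ACL below fails to match.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    acl sni_host1  req_ssl_sni -i hostname1.example.com
    acl sni_host2  req_ssl_sni -i hostname2.example.com
    # "ends with" match: anything under .example.com
    acl sni_domain req_ssl_sni -m end -i .example.com

    use_backend be_host1_tls   if sni_host1
    use_backend be_host2_tls   if sni_host2
    use_backend be_domain_tls  if sni_domain
    # Deliberately no default_backend: a connection whose SNI matches nothing
    # is closed, so a non-matching ACL is visible instead of silently landing
    # on a fallback backend.

backend be_host1_tls
    mode tcp
    server host1 10.0.0.11:443 check

backend be_host2_tls
    mode tcp
    server host2 10.0.0.12:443 check

backend be_domain_tls
    mode tcp
    server catchall 10.0.0.13:443 check

# --- Plain HTTP: route on the Host header, plus the ACME http challenge ---
frontend fe_http
    bind 203.0.113.10:80
    mode http
    # Record the Host header in the access log so a non-matching ACL can be
    # diagnosed from what the client actually sent (e.g. a host:port value).
    capture request header Host len 64

    acl acme_challenge path_beg /.well-known/acme-challenge/
    acl h_host1  hdr(host) -i hostname1.example.com
    acl h_host2  hdr(host) -i hostname2.example.com
    acl h_domain hdr_end(host) -i .example.com

    use_backend be_acme        if acme_challenge
    use_backend be_host1_http  if h_host1
    use_backend be_host2_http  if h_host2
    use_backend be_domain_http if h_domain
    # Again no default_backend: unmatched requests get a 503 from HAProxy.

backend be_acme
    mode http
    server acme 10.0.0.20:80 check

backend be_host1_http
    mode http
    server host1 10.0.0.11:80 check

backend be_host2_http
    mode http
    server host2 10.0.0.12:80 check

backend be_domain_http
    mode http
    server catchall 10.0.0.13:80 check
```

Two practical checks: `haproxy -c -f haproxy.cfg` validates the syntax before a reload, and leaving out `default_backend` while testing makes an ACL that never matches show up as a refused connection or 503 rather than as traffic that quietly reaches the fallback backend. Note that `hdr(host)` contains the port when the client sends one (`hostname1.example.com:8080`), in which case the exact and "ends with" matches above do not fire; the captured Host header in the log shows whether that is what is happening. In the pfSense HAProxy package these same tests are the Host-based and SNI-based ACL expressions on the frontend (names from memory, not verified here), and the generated haproxy.cfg can be compared against the text above.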
I am not surprised that you have to use an HTTP frontend. However, is that selection available in the pfSense package!?
The option I tried first was http / https (offloading), which did not really work either (see my previous post How to use HA_proxy how to route HTTP).
So I switched to tcp mode, which did not work either, and then came the advice to use a custom ACL ..... Since that is a problem in itself, I started this thread.
-
@louis2
There are only the two ways to detect the host name that I mentioned above.
TLS-only traffic seems not to be an option. Presuming you use the http challenge, Let's Encrypt needs to access the web server via http as long as you don't have a valid certificate.
So you will have to switch to http and troubleshoot your issue.

From your other thread, I guess the incoming traffic does not match the ACL conditions. But from the given information, I cannot see any reason. Maybe you can post the whole HAProxy configuration file.
-
I can, but I do not like sharing the file with the whole community. Can I share it with you only?
Note that I became aware of the problem in the following situation, in fact a mistake.
I had a frontend listening on 'port 123' with a non-working ACL rule triggering a certain backend.
However, I used the same backend as the default backend, so the packets destined for port 123 did arrive at the backend, despite the non-working ACL rule ..... When I removed the default backend ..... I noticed that the frontend / the ACL did not work. So I started actions to make it work ....
without success :( -
@louis2
Yes, you can send me a PM.
But you could also replace all your host names and IPs with aliases. This data doesn't need to be true, but it needs to be unique. -
How do I send a private mail? I went to your profile page but could not find the option.
-
@louis2
When you click on the three dots in the upper right, there should be an option to start a chat.