Score:0

How to force a specific routing based on SNI in HAProxy?


I have the following HAProxy configuration:

listen sni-443
    bind *:443
    mode tcp

    timeout connect  4s
    timeout client   3m
    timeout server   3m
    # wait for a complete ClientHello so that the SNI fetch has data to match on
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    acl no-ssl req.ssl_hello_type 0

    # pick the server explicitly by SNI; weight 0 keeps both servers out of
    # the default load balancing, so only the use-server rules should hit them
    use-server backend1.default.svc.cluster.local if !no-ssl { req_ssl_sni -i www.example.com }
    server  backend1.default.svc.cluster.local  10.96.245.95:443 weight 0

    use-server backend2.default.svc.cluster.local if !no-ssl { req_ssl_sni -i demo.example.com }
    server  backend2.default.svc.cluster.local  10.96.184.199:443 weight 0

If I visit www.example.com, everything is fine. But when I do so after having reloaded demo.example.com with high frequency (hammering on Shift-Ctrl-R in the browser), I end up at demo.example.com. Yes, exactly: I open www.example.com in the browser but HAProxy routes that to backend2 (which returns an error).

Apparently, HAProxy does not fully understand that the two services are not alternatives for load balancing but very distinct products. How can I ensure that www.example.com ends up with backend1?

Michael Hampton
Call me old school, but for clarity I prefer to keep separate `frontend` and `backend` sections rather than a mixed `listen` section. Anyway your config otherwise looks fine and I see nothing here that would cause the problem. Do you have something else in front of haproxy?
No. But I am currently investigating whether the fact that the TLS certs for both backends contain both domains (in other words, the same certificate with aliases) may confuse HAProxy.
Score:1

This is an example from docs for req_ssl_sni:

tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend bk_allow if { req_ssl_sni -f allowed_sites }
default_backend bk_sorry_page

You probably need tcp-request inspect-delay set to something, because not setting it means haproxy doesn't wait at all and has no idea what the SNI was.
Longer explanation in the docs for tcp-request inspect-delay.

I added further settings to my minimal configuration. They don’t prevent this unfortunate behaviour of HAProxy. What is the difference between `use_backend` and `use-server`? May this be the cause?
tbielaszewski
`server` is a single IP:PORT service, while `backend` is a whole config structure in haproxy, like `listen` or `frontend`, which contains its own rules, ACLs and servers. Defining separate backends and putting the servers there could perhaps help separate those servers further. Can you post some haproxy logs, with the SNI in them if possible?
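As an added example (not part of the question, the answer or the comments), here is the same SNI routing written the way the answer's use_backend form and the comment about separate backends suggest, with a default backend that rejects anything the rules do not match instead of letting it fall through to load balancing. The hostnames and server addresses come from the question; the backend names, the log-format line with the captured SNI, and the rejecting backend are assumptions chosen for illustration.

```haproxy
# Added example, not the configuration from the question.
# Assumes a log target is configured in the global section.

frontend sni-443
    bind *:443
    mode tcp
    log global
    timeout client 3m

    # Wait up to 5s for a complete TLS ClientHello before evaluating rules.
    # Without inspect-delay HAProxy decides on an empty buffer and sees no SNI.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    # Capture the SNI so every routing decision can be checked in the log
    # (capture.req.hdr(0) refers to this first capture slot).
    tcp-request content capture req.ssl_sni len 64
    log-format "%ci:%cp [%t] %ft %b/%s %Tw/%Tc/%Tt %B %ts sni=%[capture.req.hdr(0)]"

    # One backend per hostname; the two are never alternatives for each other.
    # req.ssl_sni is the current name of the req_ssl_sni fetch used above.
    use_backend be_www  if { req.ssl_sni -i www.example.com }
    use_backend be_demo if { req.ssl_sni -i demo.example.com }

    # No SNI, an unknown name, or no ClientHello within 5s ends here
    # rather than being balanced across unrelated services.
    default_backend be_reject

backend be_www
    mode tcp
    timeout connect 4s
    timeout server  3m
    server backend1 10.96.245.95:443

backend be_demo
    mode tcp
    timeout connect 4s
    timeout server  3m
    server backend2 10.96.184.199:443

backend be_reject
    mode tcp
    tcp-request content reject
```

To check the decision independently of a browser, open one fresh TLS connection per name, for example with `openssl s_client -connect HAPROXY:443 -servername www.example.com`, and compare the `sni=` field in the log with the backend chosen (`%b`). One caveat worth ruling out, given the shared certificate mentioned in the comments: a browser speaking HTTP/2 may reuse an already open connection to demo.example.com for requests to www.example.com when the certificate it received is valid for both names and both resolve to the same address (connection coalescing). HAProxy in TCP mode sees only the single ClientHello that opened that connection and cannot split the later requests off it, so routing rules alone cannot prevent that; serving a distinct certificate per name does.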