Hello All,
I have this config:
OPNsense: 23.1.5_4
These subs work fine behind a public service with TYPE: SSL/HTTPS
sub1.domain1.com --> IP : A.A.A.A :443
sub2.domain1.com --> IP : A.A.A.A :443
I have this subdomain working fine (only if the public service below is disabled) behind a public service with TYPE: TCP
sub1.domain2.com --> IP : A.A.A.A :443
But I can't enable these 2 public services at the same time.
The public service in TCP mode displays:
503 Service Unavailable
No server is available to handle this request.
----------------------- Configs -------------------------
Listen Addresses: sub1.domain2.com:443
Type: TCP
Rules:
Accept Content if Contains SSL Hello
TCP Inspect Delay
MY_CUSTOM RULE
--> In RULES
* Accept Content if Contains SSL Hello
IF
Contains SSL Hello Message
AND [default]
Execute: tcp-request content accept
* TCP Inspect Delay
IF
Nothing selected
AND [default]
Execute: tcp-request inspect-delay
TCP inspection delay 5s
* MY_CUSTOM RULE
IF [default]
SNI Match subdomains
AND [default]
Execute: Use specified Backend Pool
Use backend Pool: My-Custom-Bakend
In conditions:
* Contains SSL Hello Message
Type: custom condition (option pass-through)
Option: req.ssl_hello_type 1
* SNI Match subdomains
Type: SNI TLS extension regex (TCP request content inspection)
SNI Regex: (sub1)\.domain2\.com
--------------
Can you tell me if it is possible to run a public service that shares the same IP/port but with 2 different modes?
If so, could one of you tell me where I'm going wrong? Because if we activate these public services individually, everything works correctly.
Thanks in advance for your help
Hi
AFAIK there are no complaints from HAProxy if there are multiple frontends binding to the same socket. But this misconfig is on the admin. It "works" because of SO_REUSEPORT usage.
https://github.com/haproxy/haproxy/issues/868
https://github.com/haproxy/haproxy/issues/629
OK, thanks!
I must use another IP :( to solve my problem :(
Quote from: Fright on March 31, 2023, 07:47:44 PM
Hi
AFAIK there are no complaints from HAProxy if there are multiple frontends binding to the same socket. But this misconfig is on the admin. It "works" because of SO_REUSEPORT usage.
https://github.com/haproxy/haproxy/issues/868
https://github.com/haproxy/haproxy/issues/629
So we can't use 2 public services, TYPE: SSL/HTTPS and TCP, with the same port (e.g. 443) at the same time?
No, basically only a single frontend can listen on a unique IP + port combination.
However, you can create a single TCP frontend listening on port 443, where you filter the incoming traffic with SNI rules and forward certain traffic to an HTTP frontend and the other to somewhere else.
Here is a nice tutorial realizing this: Tutorial 2024/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating (https://forum.opnsense.org/index.php?topic=23339.0)
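The single-TCP-frontend layout described in the answer above, written out as an added example in raw haproxy.cfg syntax rather than the OPNsense GUI (it is not code from this thread or from the linked tutorial); the loopback port 127.0.0.1:8443, the upstream server addresses and the certificate path are assumptions.

```haproxy
# One TCP frontend owns A.A.A.A:443 for every hostname. It does not
# terminate TLS; it only peeks at the ClientHello to read the SNI.
frontend ft_tls_router
    bind A.A.A.A:443
    mode tcp
    # Hold the connection up to 5s until the ClientHello has arrived,
    # otherwise req.ssl_sni is empty and every request falls through.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # sub1.domain2.com stays end-to-end TLS passthrough to its own server
    use_backend bk_domain2_tcp if { req.ssl_sni -i sub1.domain2.com }
    # anything else is handed to the HTTPS frontend below over loopback
    default_backend bk_https_handoff

backend bk_https_handoff
    mode tcp
    # 127.0.0.1:8443 is an assumed internal port; PROXY protocol v2 carries
    # the real client address across the loopback hop.
    server https_fe 127.0.0.1:8443 send-proxy-v2

# The former SSL/HTTPS public service now binds loopback only, so it no
# longer competes with the TCP frontend for A.A.A.A:443.
frontend ft_https
    bind 127.0.0.1:8443 accept-proxy ssl crt /usr/local/etc/haproxy/domain1.pem
    mode http
    use_backend bk_sub1_domain1 if { req.hdr(host) -i sub1.domain1.com }
    use_backend bk_sub2_domain1 if { req.hdr(host) -i sub2.domain1.com }

backend bk_domain2_tcp
    mode tcp
    server domain2 10.0.0.20:443   # assumed upstream address

backend bk_sub1_domain1
    mode http
    server sub1 10.0.0.11:80       # assumed upstream address

backend bk_sub2_domain1
    mode http
    server sub2 10.0.0.12:80       # assumed upstream address
```

Because the PROXY header is passed on the loopback hop, `src` and the access log in ft_https show the original client address rather than 127.0.0.1.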
Quote from: viragomann on May 30, 2025, 10:31:29 AM
No, basically only a single frontend can listen on a unique IP + port combination.
However, you can create a single TCP frontend listening on port 443, where you filter the incoming traffic with SNI rules and forward certain traffic to an HTTP frontend and the other to somewhere else.
Here is a nice tutorial realizing this: Tutorial 2024/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating (https://forum.opnsense.org/index.php?topic=23339.0)
Thank you for the suggestion, I can finish my idea from this guide.