HAPROXY : Multiple Public Services on same IP, PORT but mode TCP and SSL/HTTPS

Started by Dead-Red, March 31, 2023, 04:16:34 PM

Hello All,

I have this config :

OpnSense :     23.1.5_4

These subdomains work fine behind a public service with TYPE : SSL/HTTPS

sub1.domain1.com --> IP : A.A.A.A :443
sub2.domain1.com --> IP : A.A.A.A :443

I have this subdomain working fine (only if the public service below is disabled) behind a public service with TYPE : tcp

sub1.domain2.com --> IP : A.A.A.A :443

But I can't enable these 2 public services at the same time.
The public service in tcp mode displays :

503 Service Unavailable
No server is available to handle this request.

----------------------- Configs -------------------------

Listen Addresses : sub1.domain2.com:443
Type : TCP

Rules :

Accept Content if Contains SSL Hello
TCP Inspect DELAY
MY_CUSTOM RULE

--> In RULES
*Accept Content if Contains SSL Hello
IF
Contains SSL Hello Message
AND [default]

execute : tcp-request content accept

*TCP Inspect Delay
IF
Nothing selected
AND [default]

execute : tcp-request inspect-delay
TCP inspection delay 5s

MY_CUSTOM RULE
IF[default]
SNI Match subdomains
AND [default]
Execute : Use specified Backend Pool
Use backend Pool : My-Custom-Bakend

In conditions :

*Contains SSL Hello Message
Type: custom condition (option pass-through)
option : req.ssl_hello_type 1

*SNI Match subdomains
Type : SNI TLS extension regex (TCP request content inspection)
SNI Regex : (sub1)\.domain2\.com

--------------



Can you tell me if it is possible to run a public service that shares the same IP/port but with 2 different modes?

If so, could one of you tell me where I'm going wrong? Because if we activate these public services individually, everything works correctly.

Thanks in advance for your help



hi
afaik there are no complaints from haproxy if there are multiple frontends binding to the same socket, but this misconfig is on the admin. It "works" because of SO_REUSEPORT usage.
https://github.com/haproxy/haproxy/issues/868
https://github.com/haproxy/haproxy/issues/629



Quote from: Fright on March 31, 2023, 07:47:44 PM
hi
afaik there are no complaints from haproxy if there are multiple frontends binding to the same socket, but this misconfig is on the admin. It "works" because of SO_REUSEPORT usage.
https://github.com/haproxy/haproxy/issues/868
https://github.com/haproxy/haproxy/issues/629
So we can't use 2 public services TYPE : SSL/HTTPS and TCP with the same port, e.g. 443, at the same time?

No, basically only a single frontend can listen on a unique IP + port combination.

However, you can create a single TCP frontend listening on port 443, where you filter the incoming traffic with SNI rules and forward certain traffic to an HTTP frontend and the other to somewhere else.
Here is a nice tutorial realizing this: Tutorial 2024/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
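A hand-written HAProxy configuration of the layout viragomann describes, added here as an illustration; it is not the linked tutorial's config nor what OPNsense generates. The hostnames are the ones from the thread; the backend names, the 127.0.0.1:8443 hand-off, the 10.0.0.x upstream addresses and the certificate path are assumptions.

```haproxy
# One TCP frontend owns A.A.A.A:443 and dispatches on the TLS SNI.
frontend tcp_443
    mode tcp
    bind A.A.A.A:443
    # Hold the connection (up to 5s) until the ClientHello is buffered,
    # otherwise req.ssl_sni is empty and every rule falls through.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # sub1.domain2.com is passed through untouched; its upstream terminates TLS.
    use_backend be_passthrough_domain2 if { req.ssl_sni -i sub1.domain2.com }
    # Everything else goes to the internal frontend that terminates TLS here.
    default_backend be_to_https_frontend

backend be_passthrough_domain2
    mode tcp
    # Assumed upstream address; HAProxy never sees the plaintext of this flow.
    server domain2_upstream 10.0.0.20:443

backend be_to_https_frontend
    mode tcp
    # Loopback hand-off (assumed port). PROXY protocol v2 keeps the real
    # client address, so HTTP logs and ACLs do not all show 127.0.0.1.
    server https_frontend 127.0.0.1:8443 send-proxy-v2

# HTTPS-terminating frontend, reachable only from the TCP frontend above.
frontend https_frontend
    mode http
    # Certificate directory is a placeholder; alpn enables HTTP/2.
    bind 127.0.0.1:8443 accept-proxy ssl crt /path/to/certs/ alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    use_backend be_sub1_domain1 if { req.hdr(host) -i sub1.domain1.com }
    use_backend be_sub2_domain1 if { req.hdr(host) -i sub2.domain1.com }
    default_backend be_sub1_domain1

backend be_sub1_domain1
    mode http
    server web1 10.0.0.11:80   # assumed upstream

backend be_sub2_domain1
    mode http
    server web2 10.0.0.12:80   # assumed upstream
```

In the OPNsense GUI this maps to one TCP public service with the inspect-delay, SSL-hello accept and SNI rules from the first post, plus a second SSL/HTTPS public service bound to the loopback address instead of A.A.A.A:443.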

Quote from: viragomann on May 30, 2025, 10:31:29 AM
No, basically only a single frontend can listen on a unique IP + port combination.

However, you can create a single TCP frontend listening on port 443, where you filter the incoming traffic with SNI rules and forward certain traffic to an HTTP frontend and the other to somewhere else.
Here is a nice tutorial realizing this: Tutorial 2024/06: HAProxy + Let's Encrypt Wildcard Certificates + 100% A+ Rating
Thank you for the suggestion, I can finish my idea from this guide.