[HAProxy] I need help figuring out why webs are not routed properly

Started by knight52, May 31, 2022, 11:59:54 AM

Hey, I'm pretty new to HAProxy. I have HAProxy for OPNsense installed. I need to route the websites like this:

aaa.website.com → 10.0.0.20:3000
bbb.website.com → 10.0.0.20:9001

I've followed a tutorial that uses HAProxy's GUI, but it doesn't work like it should. When I go to either URL, it always redirects to 10.0.0.20:9001. It feels like the Conditions aren't working.

Here's what I've found so far.

    When I disable the bbb.website.com routing, it goes to 10.0.0.20:3000 instead.
    Nothing changes when I change the conditions between "Host matches", "Host starts with", and "Path starts with"

Here's the config file it generates. Hope you guys can help me figure this out. Where did I go wrong? Thank you.


#
# Automatically generated configuration.
# Do not edit this file manually.
#

global
    uid                         80
    gid                         80
    chroot                      /var/haproxy
    daemon
    stats                       socket /var/run/haproxy.socket group proxy mode 775 level admin
    nbproc                      1
    nbthread                    1
    hard-stop-after             60s
    no strict-limits
    tune.ssl.default-dh-param   2048
    spread-checks               2
    tune.bufsize                16384
    tune.lua.maxmem             0
    log                         /var/run/log local0 info
    lua-prepend-path            /tmp/haproxy/lua/?.lua

defaults
    log     global
    option redispatch -1
    timeout client 30s
    timeout connect 30s
    timeout server 30s
    retries 3
    default-server init-addr last,libc

# autogenerated entries for ACLs


# autogenerated entries for config in backends/frontends

# autogenerated entries for stats




# Frontend: aaa.website-frontend ()
frontend aaa.website-frontend
    bind <public ip>:443 name <public ip>:443 ssl  crt-list /tmp/haproxy/ssl/62860e9ae771b1.85868225.certlist
    mode http
    option http-keep-alive
    default_backend aaa.website-pool
    # remove quotes from persistence cookie
    http-request replace-header Cookie '^(.*?; )?(SRVCOOKIE=)"([^;"]*)"(;.*)?$' \1\2\3\4
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: aaa.website-condition
    acl acl_6285f09d52c084.11538800 hdr(host) -i aaa.website.com

    # ACTION: aaa.website-rule
    use_backend minio-pool if acl_6285f09d52c084.11538800

# Frontend: bbb.website-frontend ()
frontend bbb.website-frontend
    bind <PUBLIC IP>:443 name <PUBLIC IP>:443 ssl  crt-list /tmp/haproxy/ssl/628b4dc076fb31.08116587.certlist
    mode http
    option http-keep-alive
    default_backend bbb.website-pool
    # remove quotes from persistence cookie
    http-request replace-header Cookie '^(.*?; )?(SRVCOOKIE=)"([^;"]*)"(;.*)?$' \1\2\3\4
    option forwardfor
    # tuning options
    timeout client 30s

    # logging options
    # ACL: bbb.website-condition
    acl acl_628b4d6be9ca63.54049274 hdr(host) -i bbb.website.com

    # ACTION: bbb.website-rule
    use_backend bbb.website-pool if acl_628b4d6be9ca63.54049274

# Backend: aaa.website-pool ()
backend aaa.website-pool
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    cookie SRVCOOKIE prefix
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server AAAWebsite 10.0.0.20:9001 cookie 6285ea40a5676578102176

# Backend: bbb.website-pool ()
backend bbb.website-pool
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m 
    cookie SRVCOOKIE prefix
    # tuning options
    timeout connect 30s
    timeout server 30s
    http-reuse safe
    server BBBWebsite 10.0.0.20:3000 cookie 628b4c8a370ce282698357

A frontend is a listener, listening on a specific port of a specific IP.
However, one port of an IP can be bound to only one frontend at a time.
When you have 2 frontends listening on the same port of the same IP, only one of them will work.
That's why you find that only one of them works.

The process to make a simple HAProxy setup work:
(Assume all real servers are HTTP services, and you don't need to redirect port 80 to 443)
I won't write in too much detail; you may need to fill in other things like certs, etc.
1. Create real servers
2. Create backends; each real server should have at least one backend
3. Create conditions to check the SNI (example: SNI TLS extension matches (TCP request...), aaa.website.com), until you have made all the conditions
4. Create rules to redirect to a backend if a specific condition is true, one rule for each condition
Example:
Name=aaa_ru, if, aaa_cond, use specific backend, aaa_back
5. Create 1 frontend listening on "WAN IP"*#:443, and put all the rules you created in step 4 into the rules part.

#If you have a dynamic IP, you might need to create a Loopback VIP, bind the frontend to that VIP, and set the firewall port forward to that VIP.

If you need more advanced settings, you may check
https://forum.opnsense.org/index.php?topic=23339.0
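The reply's five steps, written out as the HAProxy configuration they produce. This is an added example and is not from either poster or from the OPNsense plugin's generator: it replaces the two `frontend` sections of the posted config with a single frontend, and keeps the hostnames, ports and backend names from that config. The frontend name `websites-frontend`, the ACL names and the crt-list path are placeholders; in the plugin the crt-list must carry the certificates for both hostnames, since one listener now serves both.

```haproxy
# One frontend owns <public ip>:443. Both conditions and both rules live here,
# instead of being split across two frontends that fight over the same bind.
frontend websites-frontend
    # Placeholder crt-list: must contain the certificates for both hostnames
    bind <public ip>:443 name <public ip>:443 ssl crt-list /path/to/combined.certlist
    mode http
    option http-keep-alive
    option forwardfor
    timeout client 30s

    # Conditions (step 3): TLS is terminated here, so match the decrypted
    # request's Host header, case-insensitively, as the plugin's own ACLs do.
    acl host_aaa hdr(host) -i aaa.website.com
    acl host_bbb hdr(host) -i bbb.website.com

    # Rules (step 4): one use_backend per condition.
    use_backend aaa.website-pool if host_aaa
    use_backend bbb.website-pool if host_bbb

    # Added hardening, not in the reply: with no default_backend, a request for
    # the bare IP or an unknown Host header is refused (403) instead of being
    # handed to whichever pool happens to be the default.
    http-request deny unless host_aaa || host_bbb

# Backends (step 2): unchanged from the posted config apart from the
# stickiness options, which are omitted here for brevity.
backend aaa.website-pool
    mode http
    http-reuse safe
    server AAAWebsite 10.0.0.20:3000

backend bbb.website-pool
    mode http
    http-reuse safe
    server BBBWebsite 10.0.0.20:9001
```

Validate the generated file before reloading with `haproxy -c -f /usr/local/etc/haproxy.conf` (path as installed on OPNsense; adjust if yours differs). If you follow the reply literally and match the SNI in a TCP-mode frontend that does not terminate TLS, the conditions become `req.ssl_sni -i aaa.website.com`, preceded by `tcp-request inspect-delay 5s` and `tcp-request content accept if { req.ssl_hello_type 1 }` so the ClientHello has arrived before the ACL is evaluated; the Host-header form above is the one that matches the posted, TLS-terminating configuration.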

Ah, that's it. I just needed to put the two conditions into one frontend.

Thanks for pointing that out.