HAProxy 1.7.2 refuses to match Host in ACL

0

I have a weird scenario where HAProxy is being used to reverse proxy several sites from a single IP. No problem there, this worked before in an earlier version. This latest install, with a similar configuration, refuses to match certain host names and keeps directing toward the default backend. I have upgraded from haproxy 1.7.2 to 1.7.4, but the behaviour persists.

The entire configuration file (domains modified) follows...

# Automatically generated, don't edit manually.
# Generated on: 2017-04-03 22:22
global
    maxconn         4096
    log         /var/run/log    local0  err
    stats socket /tmp/haproxy.socket level admin
    uid         80
    gid         80
    nbproc          1
    chroot          /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param   2048
    log-send-hostname       pfSense-HaProxy
    server-state-file /tmp/haproxy_server_state
    # Modern browser compatibility only as mentioned here:
    # https://wiki.mozilla.org/Security/Server_Side_TLS
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

    ssl-server-verify none
    tune.ssl.maxrecord 1370

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats refresh 60
    stats admin if TRUE
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend my-domain
    bind            0.0.0.0:80 name 0.0.0.0:80   
    bind            0.0.0.0:443 name 0.0.0.0:443 ssl  force-tlsv12 no-sslv3 no-tlsv10 no-tlsv11 crt /var/etc/haproxy/my-domain.pem crt /var/etc/haproxy/my-domain  
    mode            http
    log         global
    option          dontlognull
    option          dontlog-normal
    option          httplog
    option          http-server-close
    option          forwardfor
    acl https ssl_fc
    http-request set-header     X-Forwarded-Proto http if !https
    http-request set-header     X-Forwarded-Proto https if https
    maxconn         4096
    timeout client      36000
    option forwardfor
    option http-server-close
    option tcplog

    acl is_websocket hdr(Upgrade) -i WebSocket
    acl is_websocket hdr_beg(Host) -i ws

    http-request set-header X-Forwarded-Port %[dst_port]

    redirect scheme https code 301 if !{ ssl_fc }

    # Remove headers that expose security-sensitive information.
    rspidel ^Server:.*$
    rspidel ^X-Powered-By:.*$
    rspidel ^X-AspNet-Version:.*$
    acl         rancher_acl hdr(host) -i rancher.my-domain.com
    acl         nexus_acl   hdr(host) -i nexus.my-domain.com
    acl         docker-registry_acl hdr(host) -i docker-registry.my-domain.com
    acl         docker-proxy_acl    hdr(host) -i docker-proxy.my-domain.com
    acl         test_acl    hdr(host) -i test.my-domain.com
    acl         pfsense_acl hdr(host) -i pfsense.my-domain.com
    acl         www_my-domain_acl   hdr(host) -i my-domain.com
    acl         www_my-domain_acl   hdr(host) -i www.my-domain.com
    acl         crm_acl hdr(host) -i crm.my-domain.com
    acl         git_acl hdr(host) -i git.my-domain.com
    acl         sonar_acl   hdr(host) -i sonar.my-domain.com
    acl         teamcity_acl    hdr(host) -i teamcity.my-domain.com
    acl         upsource_acl    hdr(host) -i upsource.my-domain.com
    acl         wiki_acl    hdr(host) -i wiki.my-domain.com
    acl         youtrack_acl    hdr(host) -i youtrack.my-domain.com
    acl         hub_acl hdr(host) -i hub.my-domain.com
    use_backend nexus_be_http_ipvANY  if  nexus_acl 
    use_backend docker-registry-be_http_ipvANY  if  docker-registry_acl 
    use_backend docker-registry-proxy-be_http_ipvANY  if  docker-proxy_acl 
    use_backend pfsense_be_http_ipvANY  if  pfsense_acl 
    use_backend rancher_be_http_ipvANY  if  rancher_acl is_websocket 
    use_backend test_be_http_ipvANY  if  test_acl 
    use_backend www_my-domain_be_http_ipvANY  if  www_my-domain_acl 
    use_backend test_be_http_ipvANY  if  crm_acl 
    use_backend test_be_http_ipvANY  if  git_acl 
    use_backend test_be_http_ipvANY  if  sonar_acl 
    use_backend test_be_http_ipvANY  if  teamcity_acl 
    use_backend test_be_http_ipvANY  if  upsource_acl 
    use_backend test_be_http_ipvANY  if  wiki_acl 
    use_backend test_be_http_ipvANY  if  youtrack_acl 
    use_backend test_be_http_ipvANY  if  hub_acl 
    default_backend www_my-domain_be_http_ipvANY

backend nexus_be_http_ipvANY
    mode            http
    log         global
    timeout connect     30000
    timeout server      30000
    retries         3
    server          nexus_server 192.168.2.1:8081  

backend docker-registry-be_http_ipvANY
    mode            http
    log         global
    timeout connect     30000
    timeout server      30000
    retries         3
    server          nexus-server 192.168.2.1:8082  

backend docker-registry-proxy-be_http_ipvANY
    mode            http
    log         global
    timeout connect     30000
    timeout server      30000
    retries         3
    server          nexus-server 192.168.2.1:8083  

backend pfsense_be_http_ipvANY
    mode            http
    log         global
    timeout connect     30000
    timeout server      30000
    retries         3
    server          pfsense_server 192.168.2.1:1433 ssl  verify none 

backend rancher_be_http_ipvANY
    mode            http
    log         global
    timeout connect     30000
    timeout server      30000
    retries         3
    server          rancher_server 192.168.2.2:8080  

backend test_be_http_ipvANY
    mode            http
    log         global
    timeout connect     30000
    timeout server      30000
    retries         3
    server          test-server 192.168.2.1:8000  

backend www_my-domain_be_http_ipvANY
    mode            http
    log         global
    timeout connect     30000
    timeout server      30000
    retries         3
    server          wp-dev_shm 192.168.2.2:8000

No matter what I do, I cannot reach rancher.my-domain.com, and I am stumped. What conditions could possibly cause requests for thisdoesnt above to be consistently directed toward the default backend (or to a 503 when I remove the config for the default backend)?

Another issue I have is logging. No matter what logging I set, I get a static, non-growing log file with binary gunk instead of actual text. I would appreciate a working example logging answer as well (not the main question).

Inquisitor Shm

Posted 2017-04-03T13:30:22.107

Reputation: 818

We'll need to see something that reflects actual, valid HAProxy configuration. hrd(Host) is not valid -- the header fetch is hdr, not hrd. Also, these are just ACL definitions, which do nothing unless actually tested, and we need to see that, as well. First, though, you need the latest 1.7, currently 1.7.5. There are numerous bugfixes since 1.7.2. – Michael - sqlbot – 2017-04-03T17:26:46.337

Uploaded the entire actual config file (just changed the domain names and IPs). Your help greatly appreciated. – Inquisitor Shm – 2017-04-04T02:49:06.723

use_backend rancher_be_http_ipvANY if rancher_acl is_websocket will match only if both rancher_acl and is_websocket match the request. – Michael - sqlbot – 2017-04-04T17:17:53.360

Gotcha. Will try it tonight. – Inquisitor Shm – 2017-04-04T20:04:49.490

FWIW I have the same issues as the OP, 1.7.9 still fails in the same way. I've downgraded to 1.6 with a host map and this seems to work very well – Omar Qureshi – 2017-11-15T18:03:32.260

Answers

0

After sorting the ACL by having two rules to implement the OR condition:

use_backend rancher_be_http_ipvANY  if  rancher_acl
use_backend rancher_be_http_ipvANY  if  rancher_acl is_websocket

Inquisitor Shm

Posted 2017-04-03T13:30:22.107

Reputation: 818
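The following is an added example, not the pfSense-generated file from the question nor code from the HAProxy project. It keeps the backend names from the question and shows the three things a practitioner would want to check here: that several ACL names on one use_backend line are ANDed (so `if rancher_acl is_websocket` only matches WebSocket upgrades and every ordinary page load falls through to default_backend), that an exact Host match silently fails when the client sends a port suffix unless the port is stripped first, and that `log ... local0 err` discards HTTP request lines, which are emitted at level info. The map file path /var/etc/haproxy/hosts.map and the CA file /var/etc/haproxy/internal-ca.pem are assumptions; the map contents shown in the comment are constructed for the example.

```haproxy
# Added example; backend names taken from the question, file paths assumed.
global
    log /var/run/log local0 info    # HAProxy 1.7 only emits syslog (UDP or unix socket);
                                    # the address must be a listening syslogd, not a file.
                                    # "err" keeps only errors; request lines are level "info".
    tune.ssl.default-dh-param 2048

frontend my-domain
    bind 0.0.0.0:80 name http
    bind 0.0.0.0:443 name https ssl crt /var/etc/haproxy/my-domain.pem force-tlsv12 no-sslv3 no-tlsv10 no-tlsv11
    mode http
    log global
    option httplog              # the last log-format option wins; a later "option tcplog"
    option http-server-close    # would replace the HTTP format with the TCP one
    option forwardfor
    timeout client 36000

    redirect scheme https code 301 if !{ ssl_fc }

    # Strip an optional ":port" from Host before comparing, so that
    # "Host: rancher.my-domain.com:8443" still routes. Exact, lower-cased match:
    # hdr_dom would also match "my-domain.com" against every subdomain, so it is
    # avoided here to keep the apex rule from catching the others.
    acl rancher_acl  req.hdr(host),lower,field(1,:) -m str rancher.my-domain.com
    acl test_acl     req.hdr(host),lower,field(1,:) -m str test.my-domain.com crm.my-domain.com git.my-domain.com
    acl www_acl      req.hdr(host),lower,field(1,:) -m str my-domain.com www.my-domain.com
    acl is_websocket req.hdr(Upgrade) -i websocket

    # Names on one "if" line are ANDed. "if rancher_acl is_websocket" matches only
    # upgrade requests, so test the host alone; if WebSocket traffic really needs
    # its own backend, put the narrower rule first and the plain host rule after it.
    # An explicit OR is also valid:  use_backend X if rancher_acl or rancher_acl is_websocket
    use_backend rancher_be_http_ipvANY if rancher_acl
    use_backend test_be_http_ipvANY if test_acl
    use_backend www_my-domain_be_http_ipvANY if www_acl

    # Map alternative (replaces the acl/use_backend pairs above with one lookup).
    # /var/etc/haproxy/hosts.map (assumed path) holds "<host> <backend>" per line,
    # for example:
    #   rancher.my-domain.com   rancher_be_http_ipvANY
    #   test.my-domain.com      test_be_http_ipvANY
    #   crm.my-domain.com       test_be_http_ipvANY
    #   my-domain.com           www_my-domain_be_http_ipvANY
    #   www.my-domain.com       www_my-domain_be_http_ipvANY
    # A host not in the map resolves to the second map_str argument; a name that is
    # not a defined backend falls back to default_backend.
    # use_backend %[req.hdr(host),lower,field(1,:),map_str(/var/etc/haproxy/hosts.map,www_my-domain_be_http_ipvANY)]

    default_backend www_my-domain_be_http_ipvANY

backend rancher_be_http_ipvANY
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    server rancher_server 192.168.2.2:8080

backend test_be_http_ipvANY
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    server test-server 192.168.2.1:8000

backend www_my-domain_be_http_ipvANY
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    server wp-dev_shm 192.168.2.2:8000

backend pfsense_be_http_ipvANY
    mode http
    log global
    timeout connect 30000
    timeout server 30000
    # "ssl verify none" (and the global "ssl-server-verify none") accepts any
    # certificate from the backend, so a host answering as 192.168.2.1 is never
    # checked. Pin the internal CA instead (ca-file path assumed):
    server pfsense_server 192.168.2.1:1433 ssl verify required ca-file /var/etc/haproxy/internal-ca.pem
```

Validate the file with `haproxy -c -f <file>` before reloading; a wrong converter name or an undefined backend is reported there rather than at request time. To confirm routing without a browser, send requests with an explicit Host header (`curl -k -H 'Host: rancher.my-domain.com' https://<proxy-ip>/`) and watch which backend the syslog line names; if no line appears at all, the log level rather than the ACLs is the first thing to check.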