Can't reach my subdomain with haproxy

thanh · December 7, 2018, 5:28pm

I have an haproxy(mode http) like this:
# report subdomain
acl report hdr_dom(host) -i report.sample.com
use_backend app_report if report

In Cloudflare DNS, I point A record of ‘report’ subdomain to my IP. I was working without using Cloudflare, but now i got the following error:
# This site can’t be reached
report.sample.com took too long to respond.

Can anyone help? Thanks so much

MarkMeyer · December 7, 2018, 7:08pm

I am not a haproxy guru but the below works for me
Special here is the SSL cobfiguration for ‘vault’. If you want ti use SSL with haproxy you need to tell him ‘forward’ the certificate. It’s not a perfect config but I only need haproxy to save public IPs

global

daemon
maxconn 2560
log /dev/log local0 debug

defaults

option httplog
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms

frontend http_in

mode tcp
bind *:80
bind *:443

tcp-request inspect-delay 5s
acl sslv3 req.ssl_ver 3
tcp-request content reject if sslv3
tcp-request content accept if { req_ssl_hello_type 1 }

acl  pihole hdr(host) -i pihole.xxxxx.de
acl vault req_ssl_sni -i vault.xxxxx.de

use_backend pihole if pihole
use_backend vault_ssl if vault



###################################
# pihole  #
###################################
backend pihole
mode tcp
server  pihole 172.30.0.150
###################################
###################################

###################################
# vault                           #
###################################

backend vault_ssl
mode tcp
stick-table type binary len 32 size 30k expire 30m
acl clienthello req_ssl_hello_type 1
acl serverhello req_ssl_hello_type 2
tcp-request inspect-delay 5s
tcp-request content accept if clienthello
tcp-response content accept if serverhello
stick on payload_lv(43,1) if clienthello
stick store-response payload_lv(43,1) if serverhello
option ssl-hello-chk
server vault 172.30.0.153:443 check

This config is for testing purposes. Especially the SSL configuration could be incomplete. Vault ist running in a locked down zone.

system · January 6, 2019, 7:08pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.