Detailed Description of the Problem
When I hit report-boutique.example.com, I am intermittently redirected with a 307 to boutique.example.com. A few times it works correctly and I get content from report-boutique.example.com.
The issue is with haproxy version 2.8.5, whereas the same configuration works with 2.6.16.
Expected Behavior
At any time req_ssl_sni (report-boutique.example.com) should use backend report
Steps to Reproduce the Behavior
Just use the haproxy tag with version 2.8.5 and use the same configuration given below (please use a new browser/incognito window every time).
Do you have any idea what may have caused this?
Not at all
Do you have an idea how to solve the issue?
We Wish
What is your configuration?
frontend https-in
    bind *:443
    tcp-request inspect-delay 5s
    maxconn 2000000
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Explicit acl for - will not use default backend portal to prevent DOS
    acl host_portal req_ssl_sni -i boutique.example.com
    acl host_report req_ssl_sni -i report-boutique.example.com
    use_backend portal if host_portal
    use_backend report if host_report

frontend proxy_services_frontend
    maxconn 50000
    bind *:4443 ssl crt /etc/cert/cert.key no-sslv3 no-tlsv11 accept-proxy
    mode http
    http-after-response set-header Strict-Transport-Security "max-age=31536000"
    acl portal_api_tag path_beg /api /download
    use_backend portal_api if portal_api_tag
    http-request redirect code 307 location https://boutique.example.com%[path]?%[query] if !portal_api_tag

backend portal
    server portal1 127.0.0.1:4443 send-proxy maxconn 200000

backend portal_api
    mode http
    server portal_api1 master-boutique.example.com:8888 check ssl verify none

backend report
    server report1 master-boutique.example.com:7777 check maxconn 200000
Output of haproxy -vv
haproxy -vv
HAProxy version 2.8.5-aaba8d0 2023/12/07 - https://haproxy.org/
Status: long-term supported branch - will stop receiving fixes around Q2 2028.
Known bugs: http://www.haproxy.org/bugs/bugs-2.8.5.html
Running on: Linux 6.5.0-1014-aws #14~22.04.1-Ubuntu SMP Thu Feb 15 15:27:06 UTC 2024 x86_64
Build options :
TARGET = linux-glibc
CPU = generic
CC = cc
CFLAGS = -O2 -g -Wall -Wextra -Wundef -Wdeclaration-after-statement -Wfatal-errors -Wtype-limits -Wshift-negative-value -Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-clobbered -Wno-missing-field-initializers -Wno-cast-function-type -Wno-string-plus-int -Wno-atomic-alignment
OPTIONS = USE_LINUX_TPROXY=1 USE_GETADDRINFO=1 USE_OPENSSL=1 USE_LUA=1 USE_TFO=1 USE_PROMEX=1
DEBUG = -DDEBUG_STRICT -DDEBUG_MEMORY_POOLS
Feature list : -51DEGREES +ACCEPT4 +BACKTRACE -CLOSEFROM +CPU_AFFINITY +CRYPT_H -DEVICEATLAS +DL -ENGINE +EPOLL -EVPORTS +GETADDRINFO -KQUEUE -LIBATOMIC +LIBCRYPT +LINUX_CAP +LINUX_SPLICE +LINUX_TPROXY +LUA +MATH -MEMORY_PROFILING +NETFILTER +NS -OBSOLETE_LINKER +OPENSSL -OPENSSL_WOLFSSL -OT -PCRE -PCRE2 -PCRE2_JIT -PCRE_JIT +POLL +PRCTL -PROCCTL +PROMEX -PTHREAD_EMULATION -QUIC -QUIC_OPENSSL_COMPAT +RT +SHM_OPEN +SLZ +SSL -STATIC_PCRE -STATIC_PCRE2 -SYSTEMD +TFO +THREAD +THREAD_DUMP +TPROXY -WURFL -ZLIB
Default settings :
bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
Built with multi-threading support (MAX_TGROUPS=16, MAX_THREADS=256, default=2).
Built with OpenSSL version : OpenSSL 1.0.2zh-fips 30 May 2023
Running on OpenSSL version : OpenSSL 1.0.2zh-fips 30 May 2023
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.4.4
Built with the Prometheus exporter as a service
Built with network namespace support.
Built with libslz for stateless compression.
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built without PCRE or PCRE2 support (using libc's regex instead)
Encrypted password support via crypt(3): yes
Built with gcc compiler version 11.4.0
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
h2 : mode=HTTP side=FE|BE mux=H2 flags=HTX|HOL_RISK|NO_UPG
fcgi : mode=HTTP side=BE mux=FCGI flags=HTX|HOL_RISK|NO_UPG
<default> : mode=HTTP side=FE|BE mux=H1 flags=HTX
h1 : mode=HTTP side=FE|BE mux=H1 flags=HTX|NO_UPG
<default> : mode=TCP side=FE|BE mux=PASS flags=
none : mode=TCP side=FE|BE mux=PASS flags=NO_UPG
Available services : prometheus-exporter
Available filters :
[BWLIM] bwlim-in
[BWLIM] bwlim-out
[CACHE] cache
[COMP] compression
[FCGI] fcgi-app
[SPOE] spoe
[TRACE] trace
uname -a
Linux 7b208737bad8 6.5.0-1014-aws #14~22.04.1-Ubuntu SMP Thu Feb 15 15:27:06 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Last Outputs and Backtraces
No response
Additional Information
No response
I can't reproduce your problem. Could you provide logs? It would be difficult to determine what's going on without them. Also, you should try to test using a curl command to reproduce.
Also, your configuration looks a little bit old-fashioned; once you have determined the problem, you should switch to using ssl_fc_sni directly in an HTTP frontend with an SSL bind, instead of using an intermediate TCP frontend with req_ssl_sni.
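One way to run the curl test suggested above, as an added example that is not part of the thread: each curl process makes a new TCP connection and a full TLS handshake, so every request is routed on its own SNI, and the tally counts how many were answered with the portal's 307. The hostnames come from the issue; the function names, the `probe` argument convention, the proxy IP argument and the `probe.log` file name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the issue thread): repeated fresh-connection probes
# against the SNI-routed frontend, then a tally of how each one was answered.
REPORT_HOST="report-boutique.example.com"   # hostname from the issue
PORTAL_HOST="boutique.example.com"          # hostname from the issue

# probe HOST IP COUNT
# Prints one "<status> <redirect-url>" line per request. --resolve pins the
# name to the proxy address, so SNI and Host stay HOST whatever DNS says.
probe() {
    i=0
    while [ "$i" -lt "$3" ]; do
        out=$(curl -sS -o /dev/null --max-time 10 \
                   --resolve "$1:443:$2" \
                   -w '%{http_code} %{redirect_url}' "https://$1/") || out="000 -"
        printf '%s\n' "$out"
        i=$((i + 1))
    done
}

# summarize: reads probe lines on stdin and prints one tally line.
#   misrouted = 307 whose Location points at the portal host, i.e. the
#               connection reached proxy_services_frontend, not backend report
#   ok        = any 2xx answer
#   other     = everything else (timeouts, 5xx, unrelated redirects)
summarize() {
    awk -v portal="https://$PORTAL_HOST/" '
        { total++ }
        $1 == 307 && index($2, portal) == 1 { misrouted++; next }
        $1 >= 200 && $1 < 300               { ok++; next }
        { other++ }
        END { printf "total=%d ok=%d misrouted=%d other=%d\n",
                     total, ok, misrouted, other }'
}

# Usage: sh sni_probe.sh probe <proxy-ip> [count]
# Raw lines are kept in probe.log so they can be matched against haproxy logs.
if [ "${1:-}" = "probe" ]; then
    probe "$REPORT_HOST" "$2" "${3:-50}" | tee probe.log | summarize
fi
```

A non-zero `misrouted` count from curl alone shows the behaviour does not depend on the browser, and the same run against 2.6.16 gives the baseline to compare with.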