O HAProxy 1.7.2 se recusa a corresponder ao cabeçalho Host na ACL


Eu tenho um cenário um tanto incomum em que o HAProxy é usado como proxy reverso para vários sites a partir de um único IP. Nenhum problema nisso: funcionava em uma versão anterior. Esta instalação mais recente, com uma configuração semelhante, se recusa a corresponder a determinados nomes de host e continua direcionando para o backend padrão. Atualizei o haproxy de 1.7.2 para 1.7.4, mas o comportamento persiste.

O arquivo de configuração inteiro (com os domínios alterados) segue abaixo:

# Automatically generated, don't edit manually.
# Generated on: 2017-04-03 22:22
global
    maxconn         4096
    # The trailing `err` is the minimum severity forwarded to syslog. HAProxy
    # emits per-request traffic lines at `info`, so with this setting they
    # never reach the log — this alone produces a static, non-growing log.
    # Use `info` (or `notice`) if request logging is expected.
    # NOTE(review): the socket path is used after `chroot` below; confirm
    # /var/run/log is reachable from inside /tmp/haproxy_chroot.
    log         /var/run/log    local0  err
    # Admin-level runtime socket: whoever can open it can disable/drain servers
    # and change weights. NOTE(review): no `mode`/`user` restriction is given
    # here — confirm the socket's permissions on the host.
    stats socket /tmp/haproxy.socket level admin
    # Drop privileges after binding (uid/gid 80 — presumably `www` on pfSense).
    uid         80
    gid         80
    nbproc          1
    chroot          /tmp/haproxy_chroot
    daemon
    # 2048-bit DH parameters for the DHE suites listed below.
    tune.ssl.default-dh-param   2048
    log-send-hostname       pfSense-HaProxy
    server-state-file /tmp/haproxy_server_state
    # Modern browser compatibility only as mentioned here:
    # https://wiki.mozilla.org/Security/Server_Side_TLS
    # 2017-era list: forward-secret AES-GCM suites first, then CBC suites for
    # older clients; anonymous, export, DES/3DES, RC4, MD5 and PSK are excluded.
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK

    # Security: disables certificate verification for every TLS backend
    # (`server ... ssl`) as the default. Anyone able to intercept traffic
    # between this proxy and a backend can impersonate that backend. Prefer
    # `required` together with a `ca-file` on the affected servers.
    ssl-server-verify none
    # Smaller TLS records so the first bytes fit in one packet (latency tuning).
    tune.ssl.maxrecord 1370

# Stats/admin page on loopback only, so it is not reachable from outside the
# box (the URI suggests it is consumed by the pfSense GUI — presumably).
listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats refresh 60
    # Unconditional admin mode: any local process that can reach
    # 127.0.0.1:2200 may enable/disable backend servers without authentication.
    stats admin if TRUE
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    # Timeouts are in milliseconds (5 s).
    timeout client 5000
    timeout connect 5000
    timeout server 5000

# Single public entry point: TLS is terminated here and each request is routed
# to a backend by its Host header.
frontend my-domain
    bind            0.0.0.0:80 name 0.0.0.0:80   
    # TLS 1.2 only (`force-tlsv12` already implies the `no-*` flags). Both a
    # single PEM file and a directory of PEMs are loaded; SNI selects the cert.
    bind            0.0.0.0:443 name 0.0.0.0:443 ssl  force-tlsv12 no-sslv3 no-tlsv10 no-tlsv11 crt /var/etc/haproxy/my-domain.pem crt /var/etc/haproxy/my-domain  
    mode            http
    log         global
    option          dontlognull
    # Only errors, retries and slow requests are logged. Together with the
    # `err` level on the global `log` line, normal traffic is never written.
    option          dontlog-normal
    option          httplog
    option          http-server-close
    # Appends the client IP to X-Forwarded-For; a client-supplied value is
    # kept, not replaced, so backends must only trust the last entry.
    option          forwardfor
    acl https ssl_fc
    # set-header replaces any client-supplied X-Forwarded-Proto, so a backend
    # cannot be tricked into treating a plain-HTTP request as HTTPS.
    http-request set-header     X-Forwarded-Proto http if !https
    http-request set-header     X-Forwarded-Proto https if https
    maxconn         4096
    timeout client      36000
    # Duplicates of the two options declared above (harmless, but noise).
    option forwardfor
    option http-server-close
    # NOTE(review): `option tcplog` after `option httplog` — the later option
    # most likely takes precedence and strips the HTTP fields from log lines;
    # remove it on an HTTP frontend.
    option tcplog

    # "websocket" means: an Upgrade: WebSocket header, OR any Host that starts
    # with "ws" (the second rule is loose — it also matches e.g. "wsomething").
    acl is_websocket hdr(Upgrade) -i WebSocket
    acl is_websocket hdr_beg(Host) -i ws

    http-request set-header X-Forwarded-Port %[dst_port]

    # Plain HTTP is redirected to HTTPS before any backend is chosen.
    # Consider also emitting Strict-Transport-Security from the proxy.
    redirect scheme https code 301 if !{ ssl_fc }

    # Remove headers that expose security-sensitive information.
      rspidel ^Server:.*$
      rspidel ^X-Powered-By:.*$
      rspidel ^X-AspNet-Version:.*$
    # Host routing. hdr(host) is a case-insensitive match on the whole header
    # value, so a Host carrying an explicit port (e.g. "test.my-domain.com:8443")
    # matches none of these and falls through to default_backend.
    acl         rancher_acl hdr(host) -i rancher.my-domain.com
    acl         nexus_acl   hdr(host) -i nexus.my-domain.com
    acl         docker-registry_acl hdr(host) -i docker-registry.my-domain.com
    acl         docker-proxy_acl    hdr(host) -i docker-proxy.my-domain.com
    acl         test_acl    hdr(host) -i test.my-domain.com
    acl         pfsense_acl hdr(host) -i pfsense.my-domain.com
    acl         www_my-domain_acl   hdr(host) -i my-domain.com
    acl         www_my-domain_acl   hdr(host) -i www.my-domain.com
    acl         crm_acl hdr(host) -i crm.my-domain.com
    acl         git_acl hdr(host) -i git.my-domain.com
    acl         sonar_acl   hdr(host) -i sonar.my-domain.com
    acl         teamcity_acl    hdr(host) -i teamcity.my-domain.com
    acl         upsource_acl    hdr(host) -i upsource.my-domain.com
    acl         wiki_acl    hdr(host) -i wiki.my-domain.com
    acl         youtrack_acl    hdr(host) -i youtrack.my-domain.com
    acl         hub_acl hdr(host) -i hub.my-domain.com
    # use_backend rules are evaluated in order; the first match wins.
    use_backend nexus_be_http_ipvANY  if  nexus_acl 
    use_backend docker-registry-be_http_ipvANY  if  docker-registry_acl 
    use_backend docker-registry-proxy-be_http_ipvANY  if  docker-proxy_acl 
    use_backend pfsense_be_http_ipvANY  if  pfsense_acl 
    # BUG: two ACL names on one `if` are AND'ed. An ordinary page load for
    # rancher.my-domain.com carries no Upgrade header and its Host does not
    # start with "ws", so is_websocket is false, this rule is skipped and the
    # request lands on default_backend. `if rancher_acl` alone is sufficient
    # (it covers the websocket case too).
    use_backend rancher_be_http_ipvANY  if  rancher_acl is_websocket 
    use_backend test_be_http_ipvANY  if  test_acl 
    use_backend www_my-domain_be_http_ipvANY  if  www_my-domain_acl 
    # crm, git, sonar, teamcity, upsource, wiki, youtrack and hub all share
    # the test backend (same server as test.my-domain.com).
    use_backend test_be_http_ipvANY  if  crm_acl 
    use_backend test_be_http_ipvANY  if  git_acl 
    use_backend test_be_http_ipvANY  if  sonar_acl 
    use_backend test_be_http_ipvANY  if  teamcity_acl 
    use_backend test_be_http_ipvANY  if  upsource_acl 
    use_backend test_be_http_ipvANY  if  wiki_acl 
    use_backend test_be_http_ipvANY  if  youtrack_acl 
    use_backend test_be_http_ipvANY  if  hub_acl 
    # Any Host not listed above — including requests by raw IP or with an
    # arbitrary/forged Host — is served by the www backend. A catch-all that
    # answers 403/503 (e.g. a backend with no servers) is the safer default.
    default_backend www_my-domain_be_http_ipvANY

# Nexus UI/API for nexus.my-domain.com (plain HTTP to the backend).
backend nexus_be_http_ipvANY
    mode            http
    log         global
    # Milliseconds. No `check` on the server, so HAProxy never marks it down:
    # a dead backend is reported only after the connect timeout and retries.
    timeout connect     30000
    timeout server      30000
    retries         3
    server          nexus_server 192.168.2.1:8081  

# Hosted docker registry for docker-registry.my-domain.com (plain HTTP to the
# backend; the same 192.168.2.1 host as the nexus backend, port 8082).
backend docker-registry-be_http_ipvANY
    mode            http
    log         global
    # Milliseconds. No health `check` on the server line.
    timeout connect     30000
    timeout server      30000
    retries         3
    server          nexus-server 192.168.2.1:8082  

# Docker registry proxy for docker-proxy.my-domain.com (plain HTTP to the
# backend; same host as the nexus backend, port 8083).
backend docker-registry-proxy-be_http_ipvANY
    mode            http
    log         global
    # Milliseconds. No health `check` on the server line.
    timeout connect     30000
    timeout server      30000
    retries         3
    server          nexus-server 192.168.2.1:8083  

# NOTE(review): judging by the name, this publishes the firewall's own web GUI
# (192.168.2.1:1433, a non-standard port) through the public frontend. Exposing
# a firewall admin interface to the internet behind nothing but its own login
# is high risk; at minimum gate pfsense_acl with a source-IP ACL in the
# frontend, or do not publish it at all.
backend pfsense_be_http_ipvANY
    mode            http
    log         global
    # Milliseconds. No health `check` on the server line.
    timeout connect     30000
    timeout server      30000
    retries         3
    # `verify none` skips certificate validation on this TLS hop, so an
    # on-LAN MITM between the proxy and 192.168.2.1 is not detected. Prefer
    # `verify required ca-file <firewall CA>`.
    server          pfsense_server 192.168.2.1:1433 ssl  verify none 

# Rancher for rancher.my-domain.com (plain HTTP to the backend).
backend rancher_be_http_ipvANY
    mode            http
    log         global
    # Milliseconds. No health `check` on the server line.
    # NOTE(review): once a WebSocket is upgraded HAProxy applies `timeout
    # tunnel` rather than `timeout server`; none is set here — confirm idle
    # websocket sessions behave as expected.
    timeout connect     30000
    timeout server      30000
    retries         3
    server          rancher_server 192.168.2.2:8080  

# Shared backend for test.my-domain.com and the crm/git/sonar/teamcity/
# upsource/wiki/youtrack/hub hosts (plain HTTP to the backend).
backend test_be_http_ipvANY
    mode            http
    log         global
    # Milliseconds. No health `check` on the server line.
    timeout connect     30000
    timeout server      30000
    retries         3
    server          test-server 192.168.2.1:8000  

# Main site for my-domain.com / www.my-domain.com and, via default_backend,
# every Host the frontend does not recognise (plain HTTP to the backend).
backend www_my-domain_be_http_ipvANY
    mode            http
    log         global
    # Milliseconds. No health `check` on the server line.
    timeout connect     30000
    timeout server      30000
    retries         3
    server          wp-dev_shm 192.168.2.2:8000

Não importa o que eu faça, não consigo chegar a rancher.my-domain.com e estou perplexo. Que condições podem fazer com que as solicitações para esse host sejam direcionadas consistentemente para o backend padrão (ou resultem em 503 quando eu removo o default_backend)?

Outro problema que tenho é o registro de logs. Não importa como eu configure o logging, fico com um arquivo de log estático, que não cresce, contendo conteúdo binário em vez de texto legível. Também agradeceria um exemplo funcional de configuração de log (não é a questão principal).

    
por Inquisitor Shm 03.04.2017 / 15:30

1 resposta


Resolvido reescrevendo a regra `use_backend` do rancher. Na regra original, `if rancher_acl is_websocket` combina as duas ACLs com um AND implícito; uma requisição HTTP comum para rancher.my-domain.com não traz o cabeçalho Upgrade e seu Host não começa com "ws", então `is_websocket` é falsa e a requisição cai no backend padrão. Duas regras separadas implementam a condição OR (na prática, a primeira linha sozinha já basta, pois também cobre o caso websocket):

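# Several ACL names on one `if` are AND'ed, so the original
# `if rancher_acl is_websocket` only matched requests that carried an
# Upgrade: WebSocket header (or a Host starting with "ws"); ordinary page
# loads for rancher.my-domain.com fell through to default_backend.
# Matching on the Host alone is sufficient and already covers the websocket
# case, so a single rule replaces the AND'ed one. A second
# `... if rancher_acl is_websocket` line after it would never be reached:
# use_backend rules are evaluated in order and the first match wins.
use_backend rancher_be_http_ipvANY  if  rancher_acl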
    
por 15.11.2017 / 19:09