Após dividir a condição em duas regras `use_backend` para obter o efeito de OR (na linha original, `if rancher_acl is_websocket` exige que as duas ACLs sejam verdadeiras ao mesmo tempo, ou seja, é um AND):
# The original rule `use_backend ... if rancher_acl is_websocket` ANDs the two
# ACLs, so a plain HTTP request for the rancher host never matches it.
# Listing the backend twice makes either condition sufficient (an OR).
# Note that the first line already covers every request the second line can
# match (its condition contains rancher_acl), so the second line is redundant
# and `if rancher_acl` alone is enough.
use_backend rancher_be_http_ipvANY if rancher_acl
use_backend rancher_be_http_ipvANY if rancher_acl is_websocket
Tenho um cenário um tanto incomum em que o HAProxy é usado como proxy reverso para vários sites a partir de um único IP. Nenhum problema nisso: funcionava antes em uma versão anterior. Esta instalação mais recente, com uma configuração semelhante, recusa-se a corresponder a determinados nomes de host e continua direcionando as solicitações para o back-end padrão. Atualizei o HAProxy de 1.7.2 para 1.7.4, mas o comportamento persiste.
O arquivo de configuração inteiro (domínios modificados) segue ...
# Automatically generated, don't edit manually.
# NOTE(review): this file is written by the pfSense HAProxy package (see
# log-send-hostname below), so hand edits are overwritten on the next save
# from the GUI; apply the fixes suggested in these comments through the
# package settings instead.
# Generated on: 2017-04-03 22:22
global
maxconn 4096
# The trailing `err` is the minimum syslog level forwarded to facility local0.
# Per-request HTTP log lines are emitted at a lower level (info, in HAProxy's
# default logging), so with `err` only error messages ever reach the log file,
# which is consistent with a log that never grows. Try `info` here first.
log /var/run/log local0 err
# `level admin` is the most privileged runtime-API level (server state,
# weights, etc. can be changed through it). No `mode`/`user`/`group`
# restriction is set on this line, so access is governed only by the
# permissions the daemon gives the socket in /tmp; restrict it to the account
# that actually needs it so other local users cannot drive HAProxy.
stats socket /tmp/haproxy.socket level admin
# The worker drops to uid/gid 80 and chroots: a sound least-privilege baseline.
uid 80
gid 80
nbproc 1
# NOTE(review): the log target above is a filesystem socket; confirm it is
# still reachable from inside this chroot, otherwise log lines are silently
# lost (a second candidate cause for the empty log).
chroot /tmp/haproxy_chroot
daemon
tune.ssl.default-dh-param 2048
log-send-hostname pfSense-HaProxy
server-state-file /tmp/haproxy_server_state
# Modern browser compatibility only as mentioned here:
# https://wiki.mozilla.org/Security/Server_Side_TLS
# NOTE(review): the list still admits CBC (non-GCM) suites and DHE-DSS. It is
# acceptable for the TLS 1.2-only bind below, but re-check it against the
# current Mozilla recommendations when the certificates are next rotated.
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
# Global default for every `server ... ssl`: the backend certificate is never
# checked, so the HAProxy->backend TLS leg is open to interception on the
# internal network. Prefer `ssl-server-verify required` plus a `ca-file` and
# override per server only where a self-signed certificate is unavoidable.
ssl-server-verify none
tune.ssl.maxrecord 1370
# Stats page, reachable only on the loopback address.
listen HAProxyLocalStats
bind 127.0.0.1:2200 name localstats
mode http
stats enable
stats refresh 60
# `stats admin if TRUE` allows server state changes from the stats page with
# no condition, and no `stats auth` is configured: the 127.0.0.1 bind above is
# the only protection. Anything that proxies this port to users (presumably
# the pfSense GUI, given the .php stats uri below) inherits admin rights over
# HAProxy, so keep that path behind the GUI's own authentication.
stats admin if TRUE
stats uri /haproxy/haproxy_stats.php?haproxystats=1
timeout client 5000
timeout connect 5000
timeout server 5000
# Single public frontend for every hostname: :80 is redirected to :443 below,
# :443 terminates TLS. Requests are routed by exact Host header match.
frontend my-domain
bind 0.0.0.0:80 name 0.0.0.0:80
# TLS 1.2 only (`force-tlsv12` already implies the three `no-*` flags). With
# two `crt` entries the certificate presented is selected by SNI; a client that
# sends no SNI gets the first one listed (presumably my-domain.pem).
bind 0.0.0.0:443 name 0.0.0.0:443 ssl force-tlsv12 no-sslv3 no-tlsv10 no-tlsv11 crt /var/etc/haproxy/my-domain.pem crt /var/etc/haproxy/my-domain
mode http
log global
option dontlognull
# dontlog-normal suppresses the log line of every successful request, so only
# errors and retries are logged. Remove it while diagnosing the empty log.
option dontlog-normal
# httplog is later overridden by `option tcplog` further down (both log
# formats are set in this frontend; the last one applied wins). Drop the tcplog
# line so the log records Host, URL and status instead of bare connection data.
option httplog
option http-server-close
option forwardfor
# set-header (unlike add-header) overwrites any client-supplied
# X-Forwarded-Proto, so backends can trust this value.
acl https ssl_fc
http-request set-header X-Forwarded-Proto http if !https
http-request set-header X-Forwarded-Proto https if https
maxconn 4096
timeout client 36000
# Duplicates of the two options set above; harmless but noisy.
option forwardfor
option http-server-close
# Conflicts with `option httplog` above; see the note there.
option tcplog
# WebSocket detection. The second line matches ANY Host that merely begins
# with "ws", regardless of domain, which is broader than intended; it is
# harmless today only because this ACL is ANDed with rancher_acl below.
acl is_websocket hdr(Upgrade) -i WebSocket
acl is_websocket hdr_beg(Host) -i ws
http-request set-header X-Forwarded-Port %[dst_port]
# Everything received on :80 is redirected to HTTPS. No HSTS header is added on
# the response side, so browsers are not pinned to HTTPS; consider
# `http-response set-header Strict-Transport-Security "max-age=..."` once every
# hostname below is confirmed to work over TLS.
redirect scheme https code 301 if !{ ssl_fc }
# Remove headers that expose security-sensitive information.
rspidel ^Server:.*$
rspidel ^X-Powered-By:.*$
rspidel ^X-AspNet-Version:.*$
# Exact, case-insensitive match on the whole Host header. A client that sends
# an explicit port (`Host: rancher.my-domain.com:443`) would match none of
# these; if that shows up in the logs, match on the host part only (e.g.
# `hdr_dom(host)`, or strip the `:port` suffix before comparing).
acl rancher_acl hdr(host) -i rancher.my-domain.com
acl nexus_acl hdr(host) -i nexus.my-domain.com
acl docker-registry_acl hdr(host) -i docker-registry.my-domain.com
acl docker-proxy_acl hdr(host) -i docker-proxy.my-domain.com
acl test_acl hdr(host) -i test.my-domain.com
acl pfsense_acl hdr(host) -i pfsense.my-domain.com
acl www_my-domain_acl hdr(host) -i my-domain.com
acl www_my-domain_acl hdr(host) -i www.my-domain.com
acl crm_acl hdr(host) -i crm.my-domain.com
acl git_acl hdr(host) -i git.my-domain.com
acl sonar_acl hdr(host) -i sonar.my-domain.com
acl teamcity_acl hdr(host) -i teamcity.my-domain.com
acl upsource_acl hdr(host) -i upsource.my-domain.com
acl wiki_acl hdr(host) -i wiki.my-domain.com
acl youtrack_acl hdr(host) -i youtrack.my-domain.com
acl hub_acl hdr(host) -i hub.my-domain.com
use_backend nexus_be_http_ipvANY if nexus_acl
use_backend docker-registry-be_http_ipvANY if docker-registry_acl
use_backend docker-registry-proxy-be_http_ipvANY if docker-proxy_acl
# Publishes what the backend name suggests is the firewall's own web GUI on a
# public hostname with no source restriction. Add an
# `http-request deny unless { src <trusted nets> }` guard for this host (or
# drop the route) before leaving it exposed.
use_backend pfsense_be_http_ipvANY if pfsense_acl
# ROOT CAUSE of the reported routing problem: two ACL names on one `if` are
# ANDed, so this rule fires only for rancher requests that also carry
# `Upgrade: WebSocket` (or a Host starting with "ws", which this host does
# not). Every ordinary request for rancher.my-domain.com therefore falls
# through to default_backend. `if rancher_acl` alone is sufficient; do NOT
# write `rancher_acl || is_websocket`, which would send any Upgrade request
# for any hostname to the rancher backend.
use_backend rancher_be_http_ipvANY if rancher_acl is_websocket
use_backend test_be_http_ipvANY if test_acl
use_backend www_my-domain_be_http_ipvANY if www_my-domain_acl
# These eight hostnames all land on the same test backend (placeholders,
# presumably); anything served there is reachable under every one of them.
use_backend test_be_http_ipvANY if crm_acl
use_backend test_be_http_ipvANY if git_acl
use_backend test_be_http_ipvANY if sonar_acl
use_backend test_be_http_ipvANY if teamcity_acl
use_backend test_be_http_ipvANY if upsource_acl
use_backend test_be_http_ipvANY if wiki_acl
use_backend test_be_http_ipvANY if youtrack_acl
use_backend test_be_http_ipvANY if hub_acl
# Catch-all for any Host not listed above (including requests by bare IP).
# Removing it turns unmatched requests into the 503 mentioned in the question.
default_backend www_my-domain_be_http_ipvANY
# nexus.my-domain.com -> 192.168.2.1:8081 over plain HTTP; TLS ends at the
# frontend, which passes scheme/port in X-Forwarded-Proto/X-Forwarded-Port.
backend nexus_be_http_ipvANY
mode http
log global
timeout connect 30000
timeout server 30000
retries 3
server nexus_server 192.168.2.1:8081
# docker-registry.my-domain.com -> 192.168.2.1:8082 over plain HTTP.
# The server name `nexus-server` is reused by the proxy backend below; names
# are scoped per backend so this is legal, but distinct names keep the log and
# the server-state-file unambiguous. NOTE(review): `timeout server 30000`
# (30 s) may be short for large image-layer uploads — confirm with real pushes.
backend docker-registry-be_http_ipvANY
mode http
log global
timeout connect 30000
timeout server 30000
retries 3
server nexus-server 192.168.2.1:8082
# docker-proxy.my-domain.com -> 192.168.2.1:8083 over plain HTTP (same host as
# the registry backend above, different port; server name reused there too).
backend docker-registry-proxy-be_http_ipvANY
mode http
log global
timeout connect 30000
timeout server 30000
retries 3
server nexus-server 192.168.2.1:8083
# pfsense.my-domain.com -> what the name suggests is the pfSense web GUI, over
# TLS with `verify none` (also the global ssl-server-verify default), so the
# certificate is never checked. Pin it with `verify required ca-file ...`, and
# restrict who can reach this hostname in the frontend before exposing an
# administrative interface publicly.
backend pfsense_be_http_ipvANY
mode http
log global
timeout connect 30000
timeout server 30000
retries 3
server pfsense_server 192.168.2.1:1433 ssl verify none
# rancher.my-domain.com -> 192.168.2.2:8080 over plain HTTP. Reached only via
# the frontend rule whose AND condition is the reported routing bug.
# NOTE(review): no `timeout tunnel` is set; upgraded WebSocket sessions are
# long-lived, so set it explicitly if Rancher sessions drop after the 30 s
# timeouts below.
backend rancher_be_http_ipvANY
mode http
log global
timeout connect 30000
timeout server 30000
retries 3
server rancher_server 192.168.2.2:8080
# Shared target for test.my-domain.com and the eight placeholder hostnames
# routed here in the frontend: 192.168.2.1:8000 over plain HTTP.
backend test_be_http_ipvANY
mode http
log global
timeout connect 30000
timeout server 30000
retries 3
server test-server 192.168.2.1:8000
# my-domain.com / www.my-domain.com, and the default_backend for every
# unmatched Host: 192.168.2.2:8000 over plain HTTP.
backend www_my-domain_be_http_ipvANY
mode http
log global
timeout connect 30000
timeout server 30000
retries 3
server wp-dev_shm 192.168.2.2:8000
Não importa o que eu faça, não consigo acessar rancher.my-domain.com, e estou perplexo. Quais condições podem fazer com que as solicitações para esse host sejam direcionadas consistentemente para o back-end padrão (ou resultem em 503 quando removo o `default_backend`)?
Outro problema é o registro de logs. Independentemente do logging que eu configure, obtenho um arquivo de log estático, que não cresce, com conteúdo binário em vez de texto legível. Também agradeceria um exemplo de configuração de log que funcione (não é a questão principal).