
I have 4 java apps running on my server, 2 primary & 2 subapps, that I need to access via Haproxy.

app1 ----> listens on tcp:8442 and is accessed at app1.domain.org; subapp1 ----> listens on tcp:9001 and is accessed at the path app1.domain.org/abc

app2 ----> listens on tcp:8444 and is accessed at app2.domain.org; subapp2 ----> listens on tcp:9000 and is accessed at the path app2.domain.org/abc

So both sub apps are accessed using the same path.

I'm having trouble getting HAProxy to route requests to the correct sub app. With the included config, accessing the primary apps works fine, but depending on the order of the use_backend statements, all sub app requests are routed to the same backend (whichever is listed first). Reordering the ACLs makes no difference, though. It seems like the ACLs are not correctly matching the inbound request.

Any help is appreciated!

my config:

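global
    # Ship logs to the local syslog collector on facility local1 and tag each
    # record with this host's name.
    log localhost   local1  
    log-send-hostname server-hostname   
    maxconn 1024                
    # Drop privileges once the listening sockets are bound; the original ran
    # the process as root, which ports 80/443 do not require (binding happens
    # before the switch). The "haproxy" account must exist on the host.
    # A chroot is a further hardening step worth adding once a suitable
    # empty directory is available.
    user haproxy                   
    group haproxy                  
    daemon                      
    pidfile /var/run/haproxy.pid
    # SSLv3 and session tickets are off for every TLS bind; consider also
    # disabling TLS 1.0/1.1 once the client population allows it.
    ssl-default-bind-options no-sslv3 no-tls-tickets  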

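defaults
    log global                  
    mode http                   
    # Do not log connections that carried no data (health probes, port scans).
    option  dontlognull         
    option forwardfor           
    no option http-server-close  
    no option accept-invalid-http-request   
    timeout client 600s                     
    timeout client-fin 10s                  
    timeout server 600s                     
    # Bound the time spent establishing a connection to a backend server; the
    # original set no connect timeout at all (constructed value, tune as needed).
    timeout connect 5s
    # The statistics page is served only by the dedicated "listen admin"
    # section. Enabling stats here would be inherited by every backend and
    # expose the page under the public sites' Host names as well.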

listen admin
    # Dedicated statistics endpoint on its own port.
    # NOTE(review): this binds on every interface and the credentials below
    # look like placeholders -- restrict the bind to a management address and
    # set real credentials before exposing the host.
    bind *:8080
    mode http
    stats enable
    stats uri /
    stats realm Haproxy\ Statistics
    stats auth user:password
    stats hide-version

frontend http-in
    bind *:80                           
    # Log source address, frontend, backend, status, quoted request line and
    # server response time; the explicit log-format takes precedence over
    # the tcplog format.
    option tcplog                       
    log-format %ci\ %f\ %b\ %ST\ %{+Q}r\ %Tr   
    # Refuse traffic from unspecified/multicast source ranges or from
    # privileged source ports before anything else is evaluated.
    acl invalid_src  src          0.0.0.0/7 224.0.0.0/3
    acl invalid_src  src_port     0:1023            
    http-request deny if invalid_src                    
    # Every remaining request is sent to the TLS frontend.
    redirect scheme https code 301 if !{ ssl_fc }   

frontend https-in
    bind *:443 ssl crt /etc/haproxy/ssl.cert        
    mode http

    # NOTE(review): several "acl" lines with the same name are OR'ed together,
    # so test_sapp (and prod_sapp below) is true for ANY request whose path
    # begins with /abc, whatever the Host header says. In addition, "-m dom"
    # compares whole dot-delimited labels and does not treat '*' as a wildcard,
    # so a pattern containing literal asterisks most likely never matches.
    acl test_sapp path_beg -i /abc 
    acl test_sapp hdr(host) -m dom -i *app2.domain.com*

    acl prod_sapp path_beg -i /abc 
    acl prod_sapp hdr(host) -m dom -i *app1.domain.com*

    # hdr_end is a suffix match: any Host ending in "app2.domain.com" (a longer
    # name with the same suffix included) also matches; an exact match is the
    # safer choice for a routing decision. The question describes the sites as
    # app1/app2.domain.org -- confirm whether .com or .org is the real Host.
    acl test_app1 hdr_end(host) -i app2.domain.com
    acl prod_app1 hdr_end(host) -i app1.domain.com

    # Refuse traffic from unspecified/multicast source ranges or privileged
    # source ports before any routing takes place.
    acl invalid_src  src          0.0.0.0/7 224.0.0.0/3
    acl invalid_src  src_port     0:1023            
    http-request deny if invalid_src
    # The explicit log-format overrides the tcplog format, so only the
    # request line (%r) is logged.
    option tcplog   
    log-format %r
    # reqadd appends a header; a client-supplied X-Forwarded-Proto is passed
    # through alongside it. "http-request set-header" would overwrite it.
    reqadd X-Forwarded-Proto:\ https                

    # use_backend rules are tried in order and the first true condition wins.
    # Since test_sapp and prod_sapp are both true for every /abc request (see
    # above), whichever of these two lines comes first always takes the
    # request -- the symptom described in the question.
    use_backend sapp-test if test_sapp
    use_backend sapp-prod if prod_sapp

    use_backend app-prod if prod_app1
    use_backend app-test if test_app1

    timeout client 600s                 
    timeout client-fin 10s              

backend app-prod
    # Primary app, production site: single local server on tcp:8442.
    timeout server 600s                 
    balance leastconn
    option httpclose
    option forwardfor
    # NOTE(review): no backend-level "cookie" directive is set, so the
    # per-server cookie value is presumably unused; with one server there is
    # nothing to persist to anyway.
    server prod-web-node 127.0.0.1:8442 cookie A check 

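backend app-test
    # Primary app, test site: single local server on tcp:8444.
    timeout server 600s                 
    # Added for consistency with the sibling backends; with a single server
    # the balancing algorithm has no observable effect.
    balance leastconn
    option httpclose
    option forwardfor
    # NOTE(review): no backend-level "cookie" directive is set, so the
    # per-server cookie value is presumably unused.
    server test-web-node 127.0.0.1:8444 cookie A check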

backend sapp-prod
    # Sub-app behind /abc, production site: single local server on tcp:9001.
    timeout server 600s                 
    balance leastconn
    option httpclose
    option forwardfor
    # NOTE(review): no backend-level "cookie" directive is set, so the
    # per-server cookie value is presumably unused.
    server prod-mdr-node 127.0.0.1:9001 cookie A check

backend sapp-test
    # Sub-app behind /abc, test site: single local server on tcp:9000.
    timeout server 600s 
    balance leastconn
    option httpclose
    option forwardfor
    # NOTE(review): no backend-level "cookie" directive is set, so the
    # per-server cookie value is presumably unused.
    server test-mdr-node 127.0.0.1:9000 cookie A check

1 Answer


This is untested but I think this https-in frontend should work:

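frontend https-in
    bind *:443 ssl crt /etc/haproxy/ssl.cert        
    mode http

    # One ACL per site, matched exactly on the Host header (a suffix match
    # such as hdr_end would also accept longer names ending in the same
    # string). Assumes clients send the bare host name; a Host carrying an
    # explicit port would not match -- confirm if that case matters.
    acl prod_domain hdr(host) -i app1.domain.com
    acl test_domain hdr(host) -i app2.domain.com

    # The sub-application path, shared by both sites.
    acl sub_app path_beg -i /abc 

    # Refuse traffic from unspecified/multicast source ranges or privileged
    # source ports before any routing takes place.
    acl invalid_src  src          0.0.0.0/7 224.0.0.0/3
    acl invalid_src  src_port     0:1023            
    http-request deny if invalid_src
    # The explicit log-format overrides the tcplog format: only %r is logged.
    option tcplog   
    log-format %r
    # set-header replaces any X-Forwarded-Proto the client supplied instead of
    # appending a second value (what reqadd did), so the backends see exactly
    # one value that HAProxy controls; reqadd is also deprecated in newer
    # releases.
    http-request set-header X-Forwarded-Proto https

    # First match wins: the sub-app rules require both the path and the Host
    # to match and must precede the site-wide rules that match on Host alone.
    use_backend sapp-test if sub_app test_domain
    use_backend sapp-prod if sub_app prod_domain

    use_backend app-prod if prod_domain
    use_backend app-test if test_domain
    # No default_backend: a request whose Host matches neither site gets no
    # backend and is presumably refused by HAProxy rather than forwarded.

    timeout client 600s                 
    timeout client-fin 10s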

The key is on the use_backend sapp-test and use_backend sapp-prod lines where the backend is only selected if both the sub_app acl and the test_domain/prod_domain acl are true. Otherwise it falls back to either the app-prod or app-test backends.

Hope that helps :)