
I want to intercept TCP traffic and then forward everything else to the respective back-end servers. I have an internal DNS with a domain matching the wildcard external ingress.

I'm thinking of something like the following, but I suspect this is not supported, as HAProxy verifies the backend at start and this would not resolve to anything.

server all { req.hdr(host) }:443 check ssl verify none

My full configuration follows:

# This file is managed by Puppet
global
    chroot /var/lib/haproxy
    daemon
    group haproxy
    log 172.22.91.180 local0
    maxconn 4000
    pidfile /var/run/haproxy.pid
    user haproxy

defaults
    log global
    maxconn 8000
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout check 10s

frontend waf-server
    bind 172.22.91.180:443
    mode tcp
    option tcplog
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend load-balancer if { req_ssl_sni -i rdg.example.com }
    default_backend reverse-proxy

backend load-balancer
    balance roundrobin
    server blue rd1.example.com:443 check
    server green rd2.example.com:443 check

backend reverse-proxy
    mode tcp
    server loopback-terminated abns@haproxy-terminate send-proxy-v2

frontend https-terminated
    mode http
    stats enable
    bind abns@haproxy-terminate accept-proxy ssl crt /etc/ssl/private/fullchain.cer
    use_backend jenkins if { req.hdr(host) -i jenkins.example.com }
    use_backend puppet if { req.hdr(host) -i puppet.example.com }

backend jenkins
    mode http
    option forwardfor
    option http-server-close
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https
    http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains"
    server jenkins jenkins.example.com:443 check ssl verify none

backend puppet
    mode http
    option forwardfor
    option http-server-close
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https
    http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains"
    server puppet puppet.example.com:443 check ssl verify none
  • You may want to look into this haproxy.com/blog/dns-service-discovery-haproxy Commented Aug 24, 2024 at 10:30
  • Thank you, that's quite valuable for my TCP traffic. I didn't make it clear enough in my example what I'm wanting to avoid. In this example, I have two (of my 45) back-end servers defined; I want to have a single definition that maps the incoming name to the outgoing name. Commented Aug 24, 2024 at 22:34

1 Answer


In short, each back-end has to be explicitly defined. I was able to reduce the manual errors by using Puppet to generate all the back-ends I needed; a snippet follows:

# In modules/haproxy/manifests/backend.pp
define waf_server::dynamic_backend (
  String $backend_name,
  String $host,
) {
  haproxy::backend { $backend_name:
    mode    => 'http',
    options => [
      { 'option'        => 'forwardfor' },
      { 'option'        => 'http-server-close' },
      { 'http-request'  => 'set-header X-Forwarded-Port %[dst_port]' },
      { 'http-request'  => 'add-header X-Forwarded-Proto https' },
      { 'http-response' => 'set-header Strict-Transport-Security "max-age=15552000; includeSubDomains"' },
      { 'server'        => "${backend_name} ${host}:443 check ssl verify none" },
    ],
  }
}

and in init.pp

$backends = {
  'jenkins' => 'jenkins.example.com',
  'puppet'  => 'puppet.example.com',
}

# One use_backend rule per entry, keyed on the Host header
$options = $backends.map |$backend, $host| {
  { 'use_backend' => "${backend} if { req.hdr(host) -i ${host} }" }
}

# One explicit backend per entry, via the define above
$backends.each |$backend, $host| {
  waf_server::dynamic_backend { $backend:
    backend_name => $backend,
    host         => $host,
  }
}

haproxy::frontend { 'https-terminated':
  mode    => 'http',
  bind    => {
    'abns@haproxy-terminate' => ['accept-proxy', 'ssl', 'crt', '/etc/ssl/private/fullchain.pem'],
  },
  options => [
    { 'option' => 'httplog' }, # enable HTTP access logging
  ] + $options,
  require => Haproxy::Backend[$backends.keys], # ensure all backends are created first
}
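The same generate-from-one-mapping approach without Puppet, as an added example that is not part of the question or the answer: a small Python script renders the `use_backend` rules and the per-host `backend` stanzas from a single name-to-hostname dict, so the only backends HAProxy can ever forward to are the ones declared in that dict. That is the security-relevant difference from the `server all { req.hdr(host) }:443` idea in the question: there the client would choose the destination through the Host header, here an unknown Host header matches no `use_backend` rule and, with no `default_backend`, gets a 503. The script also validates names and hostnames before they are interpolated into the config, and can emit `verify required ca-file ... sni str(...)` instead of `verify none` (both are standard HAProxy `server` options) so the backend certificate is actually checked. The mapping, the CA path and the output layout are constructed for the example.

```python
#!/usr/bin/env python3
"""Render HAProxy backend/frontend stanzas from one name -> hostname map.

Added example, not code from the question or answer.  The mapping below
is constructed to mirror the two entries in the answer's $backends hash.
"""
import re

# Constructed input: backend name -> internal hostname it proxies to.
BACKENDS = {
    "jenkins": "jenkins.example.com",
    "puppet": "puppet.example.com",
}

# Characters accepted in an HAProxy proxy (backend) name.
_NAME_RE = re.compile(r"^[A-Za-z0-9_.:-]+$")
# A syntactically valid DNS hostname with at least one dot and an alphabetic TLD.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$"
)

# The per-backend options the question's configuration sets for every terminated backend.
COMMON_BACKEND_OPTIONS = [
    "option forwardfor",
    "option http-server-close",
    "http-request set-header X-Forwarded-Port %[dst_port]",
    "http-request add-header X-Forwarded-Proto https",
    'http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains"',
]


def validate_mapping(backends):
    """Return a list of problems; an empty list means the mapping is safe to render."""
    problems = []
    for name, host in backends.items():
        if not _NAME_RE.match(name):
            problems.append(f"bad backend name {name!r}")
        if not _HOST_RE.match(host):
            problems.append(f"bad hostname {host!r} for backend {name!r}")
    return problems


def render_frontend(backends, bind="abns@haproxy-terminate",
                    crt="/etc/ssl/private/fullchain.pem"):
    """Frontend with one use_backend rule per entry and deliberately no default_backend,
    so a Host header that matches nothing is refused rather than forwarded."""
    lines = [
        "frontend https-terminated",
        "    mode http",
        "    option httplog",
        f"    bind {bind} accept-proxy ssl crt {crt}",
    ]
    for name, host in sorted(backends.items()):
        lines.append(f"    use_backend {name} if {{ req.hdr(host) -i {host} }}")
    return "\n".join(lines) + "\n"


def render_backend(name, host, verify="none", ca_file=None):
    """One backend per entry.  verify='required' pins a CA and sets the SNI to the
    backend's own name so HAProxy checks the certificate against it."""
    lines = [f"backend {name}", "    mode http"]
    lines += [f"    {opt}" for opt in COMMON_BACKEND_OPTIONS]
    server = f"    server {name} {host}:443 check ssl verify {verify}"
    if verify == "required":
        if not ca_file:
            raise ValueError("verify required needs a ca-file")
        server += f" ca-file {ca_file} sni str({host})"
    lines.append(server)
    return "\n".join(lines) + "\n"


def render_config(backends, verify="none", ca_file=None):
    """Full frontend + backends text; refuses to render an invalid mapping."""
    problems = validate_mapping(backends)
    if problems:
        raise ValueError("; ".join(problems))
    parts = [render_frontend(backends)]
    parts += [render_backend(n, h, verify, ca_file) for n, h in sorted(backends.items())]
    return "\n".join(parts)


if __name__ == "__main__":
    # Constructed CA path; point this at the CA that issued the internal certs.
    print(render_config(BACKENDS, verify="required",
                        ca_file="/etc/ssl/certs/internal-ca.pem"), end="")
```

Write the output to a file included by the main configuration (the `global`, `defaults` and TCP `waf-server` sections stay hand-written) and run `haproxy -c -f <config>` before reloading, since a bad stanza is caught at config check time rather than on the first request.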
