
add HAPROXY `tcp-request content accept` related block to load-balancing reverse proxy config
Closed, Resolved | Public | Feature Request

Description

The previous discussion: https://forum.vyos.io/t/please-consider-add-tcp-request-content-accept-to-load-balancing-reverse-proxy-config/14235/2

I am trying to set up a TCP mode reverse proxy frontend (aka load-balancing reverse-proxy service <name> mode 'tcp') to forward traffic from a dedicated domain name to the VyOS HTTP API via an SNI-based rule. The config is like below:

reverse-proxy {
    backend vyos-api {
        balance round-robin
        mode tcp
        server vyos {
            address 192.168.255.1
            port 8443
        }
    }
    service tcp443 {
        listen-address 192.168.255.1
        mode tcp
        port 443
        rule 10 {
            domain-name vyos-api.mgmt.domain
            set {
                backend vyos-api
            }
            ssl req-ssl-sni
        }
    }
}

But I kept getting sporadic connection resets for around 70% of my requests.
Then I checked the haproxy config generated by VyOS in /run/haproxy/haproxy.cfg (generated from /usr/share/vyos/templates/load-balancing/haproxy.cfg.j2), and I found that the frontend lacks the following config:

tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }

According to "Why is “tcp-request content accept” frontend instruction is required for proper HAProxy SNI-based routing?" on Server Fault,
in order to make HAProxy TCP mode SNI-based routing work, these 2 config lines should be added into the frontend block.

So, please consider adding tcp-request content accept to the load-balancing reverse proxy config when the frontend mode is tcp and the rule config includes ssl settings.

As a workaround, I had to hack the haproxy.cfg.j2 template for this request:

{%         if front_config.mode is vyos_defined %}
    mode {{ front_config.mode }}
{# updated #}
{%             if front_config.mode is vyos_defined('tcp') and front_config.rule is vyos_defined %}
{%                  for rule, rule_config in front_config.rule.items() %}
{%                     if rule_config.ssl is vyos_defined %}
    # add
    tcp-request inspect-delay 5s
    tcp-request content accept if {{ "{" }} req_ssl_hello_type 1 {{ "}" }} 
{%                      break %}
{%                     endif %}
{%                  endfor %}
{%             endif %}
{%         endif %}
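The following is an added example (not part of this task or of VyOS) that checks a rendered haproxy.cfg for exactly the gap described above: a TCP-mode frontend that routes on req_ssl_sni without first waiting for the TLS ClientHello via tcp-request inspect-delay and tcp-request content accept. The two sample configs are constructed to mirror the task's setup; the frontend and ACL names (tcp443, tcp443-10) are assumptions, not what the VyOS template actually emits.

```python
"""Lint a rendered haproxy.cfg for TCP-mode frontends that match on
req_ssl_sni but never wait for the ClientHello.  Example code written for
this page; not VyOS or HAProxy project code."""

from __future__ import annotations

import re

# Constructed sample: a frontend routing on SNI without the inspect/accept pair.
# Section and ACL names are assumptions, not the real VyOS template output.
BROKEN_CFG = """\
global
    log /dev/log local0

defaults
    mode http
    timeout connect 5s

frontend tcp443
    bind 192.168.255.1:443
    mode tcp
    acl tcp443-10 req_ssl_sni -i vyos-api.mgmt.domain
    use_backend vyos-api if tcp443-10

backend vyos-api
    mode tcp
    balance roundrobin
    server vyos 192.168.255.1:8443
"""

# Constructed sample: the same frontend with the two lines the task asks for.
FIXED_CFG = BROKEN_CFG.replace(
    "    mode tcp\n    acl",
    "    mode tcp\n"
    "    tcp-request inspect-delay 5s\n"
    "    tcp-request content accept if { req_ssl_hello_type 1 }\n"
    "    acl",
)

SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")


def parse_sections(cfg: str) -> list[tuple[str, str, list[str]]]:
    """Split haproxy.cfg into (kind, name, lines), dropping blanks and comments."""
    sections: list[tuple[str, str, list[str]]] = []
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = SECTION_RE.match(line)
        if match:
            sections.append((match.group(1), match.group(2), []))
        elif sections:
            sections[-1][2].append(line)
    return sections


def find_sni_routing_without_accept(cfg: str) -> list[str]:
    """Return the frontend/listen sections that inspect req_ssl_sni in TCP
    mode but lack 'tcp-request inspect-delay' and a 'tcp-request content
    accept' guarded by req_ssl_hello_type (i.e. a ClientHello)."""
    default_mode = "http"  # HAProxy's own default when 'mode' is absent
    findings: list[str] = []
    for kind, name, lines in parse_sections(cfg):
        modes = [l.split()[1] for l in lines if l.startswith("mode ")]
        if kind == "defaults":
            # 'mode' in defaults is inherited by later proxies.
            if modes:
                default_mode = modes[-1]
            continue
        if kind not in ("frontend", "listen"):
            continue
        mode = modes[-1] if modes else default_mode
        uses_sni = any("req_ssl_sni" in l for l in lines)
        has_delay = any(l.startswith("tcp-request inspect-delay") for l in lines)
        has_accept = any(
            l.startswith("tcp-request content accept") and "req_ssl_hello_type" in l
            for l in lines
        )
        if mode == "tcp" and uses_sni and not (has_delay and has_accept):
            findings.append(name)
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CFG), ("fixed", FIXED_CFG)):
        print(label, find_sni_routing_without_accept(cfg))
```

Running the script prints the frontend name for the constructed broken config and an empty list for the fixed one. Pointing parse_sections at the real /run/haproxy/haproxy.cfg lets an operator confirm, before the template fix lands, whether any TCP-mode frontend on the box still routes on SNI without waiting for the ClientHello.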

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Improvement (missing useful functionality)

Event Timeline

drw_08 raised the priority of this task from Low to Normal. Thu, Apr 11, 10:13 AM
drw_08 created this task.
drw_08 created this object in space S1 VyOS Public.
Viacheslav changed the subtype of this task from "Task" to "Feature Request".

Can we also include this change into sagitta epa3?

c-po moved this task from Need Triage to Finished on the VyOS 1.5 Circinus board.
c-po moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta (1.4.0-epa3) board.