To redirect several subdomains on the same IP to different hosts, I'm using haproxy (1.7.5, Debian stable) and it works fine. However, I also want to restrict access to some hosts by IP and display a clean message (a proper 403 error page) to rejected hosts, and that's where I can't find a solution.
The best I have so far is a configuration that uses a "reject" backend; however, I don't know how to configure this one to get anything but SSL errors from the browser end.
The configuration looks like this:
frontend http_redirect
    bind *:80
    redirect scheme https if !{ ssl_fc }

frontend tls_router
    bind *:443
    mode tcp
    option tcplog
    option tcpka
    # Route on the SNI in the ClientHello; the TLS session is passed through untouched
    acl demo_acl req_ssl_sni -i demo.myhost.org
    acl www_acl req_ssl_sni -i www.myhost.org
    acl demo_network_allowed src 10.1.1.0/24
    # The first matching use_backend wins, so the reject rule must come before the demo route
    use_backend reject_access if demo_acl !demo_network_allowed
    use_backend demo_tls if demo_acl
    use_backend www_tls if www_acl

backend www_tls
    mode tcp
    option tcpka
    server www_srv 192.168.1.2:443

backend demo_tls
    mode tcp
    option tcpka
    server demo_srv 192.168.1.3:443

backend reject_access
    mode http
    # errorfile 403 /etc/haproxy/errors/403.http
    # server demo 192.168.1.2:443
    http-request set-path www.myhost.org/403.html
    http-request redirect scheme https if ! { ssl_fc }
As is clear from the "reject_access" backend, I tried several things with the same result:
$ LANG=C wget --no-check-certificate -S https://demo.myhost.org
--2019-07-01 18:48:31-- https://demo.host.org/
Résolution de demo.myhost.org? 10.12.24.1
Connexion à demo.myhost.org|10.12.24.1|:443? connecté.
OpenSSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
Incapable d'établir une connexion SSL.
Any help in this configuration welcome.
You can't change the URL for an SSL request in tcp mode. You have to terminate SSL in haproxy.
The error says it can't make an SSL connection. The reject backend makes an HTTP request to 443.
Edit: example of SSL termination
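As an added example (not the answerer's own configuration, which is not on this page), here is how the frontend from the question looks once haproxy terminates TLS itself: in mode http the source IP can be checked with http-request deny, which returns a real 403 response with the errorfile page instead of breaking the TLS handshake. The certificate directory, CA file and error-page paths are assumptions; hostnames and server addresses are taken from the question.

```haproxy
frontend http_redirect
    bind *:80
    redirect scheme https if !{ ssl_fc }

frontend tls_router
    # Terminate TLS here; the directory holds one PEM (key + chain) per hostname,
    # and haproxy picks the certificate by SNI. Path is an assumption.
    bind *:443 ssl crt /etc/haproxy/certs/
    mode http
    option httplog
    option forwardfor

    # In http mode the request is decrypted, so routing can use the Host header
    acl demo_host hdr(host) -i demo.myhost.org
    acl www_host  hdr(host) -i www.myhost.org
    acl demo_network_allowed src 10.1.1.0/24

    # Deny is evaluated before use_backend: disallowed clients get an HTTP 403
    # (the default status of http-request deny in 1.7) with the page below
    http-request deny if demo_host !demo_network_allowed
    errorfile 403 /etc/haproxy/errors/403.http

    use_backend demo_tls if demo_host
    use_backend www_tls  if www_host

backend www_tls
    mode http
    # Re-encrypt to the origin and verify its certificate; CA path is an assumption
    server www_srv 192.168.1.2:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt

backend demo_tls
    mode http
    server demo_srv 192.168.1.3:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt
```

The errorfile must be a complete raw HTTP response (status line, headers, blank line, body), which is what the Debian package ships in /etc/haproxy/errors/403.http; a custom HTML body can be put in the same format. Check the result with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading.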