I have an HAProxy in TCP mode, with some SSL backends.
I configured sticky sessions, as shown on the HAProxy website.
Configuration below:
# Process-wide settings.
global
# The process runs chrooted, so any path opened after startup resolves
# inside /var/lib/haproxy. NOTE(review): that includes the /dev/log syslog
# socket named by the 'log' lines — confirm it exists under the chroot,
# otherwise no log line is ever written and the problem below is invisible.
chroot /var/lib/haproxy
log /dev/log local0 debug
# Privileges are dropped to this user/group after the :443 bind.
user haproxy
group haproxy
pidfile /var/run/haproxy-tep.pid
# Runtime API socket at 'admin' level (full control: disabling servers,
# clearing stick tables, ...); mode 660 restricts it to the owner and group.
# 'expose-fd listeners' hands bound sockets over on a seamless reload.
stats socket /var/run/haproxy.stats mode 660 level admin expose-fd listeners
stats timeout 2m
maxconn 20480
# Four threads, each pinned one-to-one onto CPUs 0-3.
nbthread 4
cpu-map auto:1/1-4 0-3
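# Settings inherited by every frontend and backend below.
defaults
mode tcp
option tcplog
retries 3
# Allows a failed connection attempt to be retried on another server.
# This is documented to break persistence, so a backend's stick-table
# choice can be overridden after a connect failure.
option redispatch
# A timeout with no unit is read as milliseconds: the original
# 'timeout client 22' meant 22 ms, which aborts an idle client almost at
# once. The 's' unit is added to match the other timeouts in this section;
# adjust the number to the value actually intended.
timeout client 22s
timeout connect 4s
timeout server 120s
# In TCP mode this is the inactivity timeout once both sides are connected.
timeout tunnel 1h
# Being last, this line overrides 'option tcplog'. Most of its fields
# (%tr, %TR, %Tr, %ST, %CC, %CS, %hr, %hs, %r, http_first_req) only carry
# values in HTTP mode; in mode tcp they log as '-', so the plain tcplog
# format would record the same information with less noise.
log-format "%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/ %bq %hr %hs %{+Q}r %[http_first_req]"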
#FRONTEND
# Accepts all TLS traffic on 443 and routes it by SNI without terminating
# TLS: only the ClientHello is inspected, the rest of the stream is opaque.
frontend https-in
mode tcp
option tcplog
log /dev/log local1 debug
option socket-stats
bind *:443
# Duplicate of the 'option socket-stats' line above; harmless.
option socket-stats
#acl tls req.ssl_hello_type 1
# Hold the connection up to 5s for a complete ClientHello; req_ssl_sni below
# has no value until that record has been received.
tcp-request inspect-delay 5s
#tcp-request content accept if tls
tcp-request content accept if { req_ssl_hello_type 1 }
# Case-insensitive exact match on the SNI name. These rules are evaluated
# once per TCP connection here in the frontend; the backends' stick tables
# only pick a server inside the backend already chosen, so they cannot move
# a lab connection to preprod_nginx. NOTE(review): a client that reuses an
# existing connection (e.g. HTTP/2 connection coalescing when both names
# share one certificate) never sends a new ClientHello and so is never
# re-routed — worth checking against the observed behaviour.
# There is no default_backend, so a connection whose SNI matches neither
# name (or that sends no SNI) reaches neither backend — confirm that this
# fail-closed behaviour is intended.
use_backend preprod_nginx if { req_ssl_sni -i preprod.myfakedomain.com }
use_backend lab_nginx if { req_ssl_sni -i lab.myfakedomain.com }
# BACKEND
# TLS passthrough backend for preprod.myfakedomain.com, sticky on the TLS
# session ID so a resumed session lands on the server that issued it.
backend preprod_nginx
mode tcp
log /dev/log local2 debug
balance roundrobin
option socket-stats
# maximum SSL session ID length is 32 bytes.
# Keyed on the raw session ID; an entry expires 30 minutes after last use.
stick-table type binary len 32 size 30k expire 30m
acl clienthello req_ssl_hello_type 1
acl serverhello rep_ssl_hello_type 2
# use tcp content accepts to detects ssl client and server hello.
tcp-request inspect-delay 5s
tcp-request content accept if clienthello
# no timeout on response inspect delay by default.
tcp-response content accept if serverhello
# payload_lv(43,1): offset 43 = 5-byte record header + 4-byte handshake
# header + 2-byte version + 32-byte random; the 1-byte length-prefixed field
# there is the session ID. NOTE(review): with TLS 1.3 this field is a
# random per-connection compatibility value, so stickiness only holds for
# TLS <= 1.2 session-ID resumption — check which version is negotiated.
# 'option redispatch' (defaults) may also override this entry after a
# failed connect.
stick on payload_lv(43,1) if clienthello
# Learn on response if server hello.
stick store-response payload_lv(43,1) if serverhello
# The health check sends an SSLv3-format ClientHello and expects a
# ServerHello. NOTE(review): servers with SSLv3 disabled may answer with an
# alert, failing the check; with 'fall 2 inter 1s' both servers would then
# be DOWN within about two seconds — verify with 'show servers state' on the
# stats socket. 'check-ssl' is the modern alternative.
option ssl-hello-chk
# send-proxy prepends a PROXY protocol header, so nginx must have
# proxy_protocol enabled on port 444 or the TLS handshake fails. Health
# checks to the same address/port send the header as well by default.
server ta-pre-nginx1 192.168.1.51:444 check fall 2 inter 1s send-proxy
server ta-pre-nginx2 192.168.1.52:444 check fall 2 inter 1s send-proxy
# TLS passthrough backend for lab.myfakedomain.com; same session-ID
# stickiness as the preprod backend, without socket-stats.
backend lab_nginx
mode tcp
log /dev/log local3 debug
balance roundrobin
# maximum SSL session ID length is 32 bytes.
# Keyed on the raw session ID; an entry expires 30 minutes after last use.
stick-table type binary len 32 size 30k expire 30m
acl clienthello req_ssl_hello_type 1
acl serverhello rep_ssl_hello_type 2
# use tcp content accepts to detects ssl client and server hello.
tcp-request inspect-delay 5s
tcp-request content accept if clienthello
# no timeout on response inspect delay by default.
tcp-response content accept if serverhello
# Offset 43 / length-prefix 1 selects the session ID field of the hello.
# NOTE(review): under TLS 1.3 that field is a random per-connection value,
# so this only persists TLS <= 1.2 session-ID resumption; 'option
# redispatch' (defaults) may also override the entry after a failed connect.
stick on payload_lv(43,1) if clienthello
# Learn on response if server hello.
stick store-response payload_lv(43,1) if serverhello
# SSLv3-format hello health check; servers with SSLv3 disabled may fail it
# and go DOWN within ~2s ('fall 2 inter 1s') — verify on the stats socket.
option ssl-hello-chk
# PROXY protocol header is sent to nginx (proxy_protocol must be enabled
# on port 444); health checks to the same address/port send it too.
server ta-lab-nginx1 192.168.1.56:444 check fall 2 inter 1s send-proxy
server ta-lab-nginx2 192.168.1.57:444 check fall 2 inter 1s send-proxy
The strange thing is that this configuration works for 10-15 seconds, and then the “lab.myfakedomain.com” ACL sends connections to the preprod_nginx backend, resulting in a “Bad Gateway” error.
I don’t understand what happened.
If you have any idea…
Thank you.
I tried many configurations but nothing works.