The previous discussion: https://forum.vyos.io/t/please-consider-add-tcp-request-content-accept-to-load-balancing-reverse-proxy-config/14235/2
I am trying to set up a TCP mode reverse proxy frontend (aka load-balancing reverse-proxy service <name> mode 'tcp') to forward traffic for a dedicated domain name to the VyOS HTTP API using an SNI-based rule. The config is like below:

```
reverse-proxy {
    backend vyos-api {
        balance round-robin
        mode tcp
        server vyos {
            address 192.168.255.1
            port 8443
        }
    }
    service tcp443 {
        listen-address 192.168.255.1
        mode tcp
        port 443
        rule 10 {
            domain-name vyos-api.mgmt.domain
            set {
                backend vyos-api
            }
            ssl req-ssl-sni
        }
    }
}
```
But I kept getting sporadic connection resets for around 70% of my requests.
Then I checked the haproxy config generated by VyOS in /run/haproxy/haproxy.cfg (which is generated from /usr/share/vyos/templates/load-balancing/haproxy.cfg.j2), and I found that the frontend lacks the following config:

```
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
```
According to the Server Fault question "Why is “tcp-request content accept” frontend instruction is required for proper HAProxy SNI-based routing?", these two lines should be added to the frontend block in order to make haproxy TCP mode SNI-based routing work.
So, please consider adding tcp-request content accept to the load-balancing reverse-proxy config when the frontend mode is tcp and the rule config includes ssl settings.

As a workaround, I had to hack the haproxy.cfg.j2 template for this request:

```
{% if front_config.mode is vyos_defined %}
    mode {{ front_config.mode }}
{# updated #}
{% if front_config.mode is vyos_defined('tcp') and front_config.rule is vyos_defined %}
{% for rule, rule_config in front_config.rule.items() %}
{% if rule_config.ssl is vyos_defined %}
    # add
    tcp-request inspect-delay 5s
    tcp-request content accept if {{ "{" }} req_ssl_hello_type 1 {{ "}" }}
{% break %}
{% endif %}
{% endfor %}
{% endif %}
{% endif %}
```
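To illustrate why the two missing lines matter, here is an added example (not code from the original post, VyOS or HAProxy) that parses the SNI out of a TLS ClientHello, the same bytes that req_ssl_hello_type and req_ssl_sni look at. The ClientHello is constructed inline; a partially received buffer yields no SNI at all, which is what a rule sees if it is evaluated before the client's hello has been buffered.

```python
import struct

HANDSHAKE = 0x16      # TLS record type: handshake
CLIENT_HELLO = 1      # handshake type; what "req_ssl_hello_type 1" matches
EXT_SERVER_NAME = 0   # server_name (SNI) extension type

def build_client_hello(host: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying a single SNI host_name."""
    name = host.encode()
    sni_list = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)   # client_version, random
            + b"\x00"                 # session_id length 0
            + b"\x00\x02\x13\x01"     # one cipher suite
            + b"\x01\x00"             # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(hs)) + hs

def extract_sni(buf: bytes):
    """Return the SNI host_name from a buffered ClientHello, or None when the
    buffer does not yet hold a complete ClientHello or carries no SNI."""
    try:
        rec_len = struct.unpack("!H", buf[3:5])[0]
        if buf[0] != HANDSHAKE or len(buf) < 5 + rec_len:
            return None                               # no full handshake record yet
        hs = buf[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        p = 4 + 2 + 32                                # header, version, random
        p += 1 + hs[p]                                # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]  # cipher_suites
        p += 1 + hs[p]                                # compression_methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == EXT_SERVER_NAME:
                nlen = struct.unpack("!H", hs[p + 3:p + 5])[0]   # list_len, type, name_len
                return hs[p + 5:p + 5 + nlen].decode("ascii")
            p += elen
    except (IndexError, struct.error):
        return None                                   # malformed or truncated
    return None

if __name__ == "__main__":
    hello = build_client_hello("vyos-api.mgmt.domain")
    print(extract_sni(hello), extract_sni(hello[:20]))   # vyos-api.mgmt.domain None
```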