HAProxy - Browser and Curl Reporting inconsistent results

Question

Environment:

• HAProxy version: 1.5.18
• 2 HAProxy servers w/heartbeat in between

I'm trying to set up an FE/BE that will support:

Connections coming in on one domain/uri get forwarded to another domain (both internal) on a specified port (All backend apps SSL'd and work going directly to them):

 - sub1.domain-a.com/test1 -> newsub1.domain-b.com:30000
 - sub2.domain-a.com/test2 -> newsub2.domain-b.com:20000
 - ...

NOTES:

• If I hit the website directly (not through HAProxy (newsub1.domain-b.com:30000)), the web app functions as expected

In an attempt to do that, here is my config:

haproxy.cfg (relevant sections):

frontend f5
    bind *:443 ssl crt /etc/haproxy/c-and-k.pem
    mode http

    acl path_spgen path_beg -i /spgen
    use_backend be_spgen if path_spgen

    ## Rewrite the sending path to strip off 'spgen'
    reqrep ^([^\ :]*)\ /spgen/(.*)     \1\ /\2  if path_spgen

backend be_spgen
    mode http

    ## Attempt to fix sporadic 'This combination of host and port requires TLS' -- not working
    option httpchk HEAD / HTTP/1.1\r\nHost:\ test1.domain-b.com
    balance source

    server test1 test1.domain-b.com:30000 check ssl ca-file /etc/haproxy/ca.pem

When I try to curl or browser-to https://sub1.domain-a.com/spgen, I end up getting 1 of 2 errors:

• HTTP Status 404 - Not Found -- in this case, I'm getting to the backend server but the config isn't stripping off the '/spgen' as I'd wanted
• Bad Request \n This combination of host and port requires TLS.

If I just re-run the curl or refresh the browser, I can get it to alternate between the errors with enough refreshes/re-runs. Both proxies are running identical configs (and service has been restarted multiple-times to ensure it's loaded).

So my question is two-fold:

• Can anyone identify what's wrong in my reqrep that it's continuing to pass the path (/spgen) to the backend app?
• Can anyone explain why I'm getting getting the 'Bad Request' error occasionally?

TIA!

Answer 1

Your code works for me and strips off /spgen/. Your reqrep rule specifies that it will strip off /spgen/ with a trailing slash, so it will not apply to /spgen without a trailing slash.

To test, I set up a Docker Compose environment with HAProxy as the load balancer and jmalloc/echo-server as the web server. The echo-server displays the HTTP request message, so it's easy to see the details.