rapiz1 / rathole

A lightweight and high-performance reverse proxy for NAT traversal, written in Rust. An alternative to frp and ngrok.
Apache License 2.0
9.43k stars 475 forks

Haproxy SNI filtering ahead of rathole doesn't work well #254

Open WGandy opened 1 year ago

WGandy commented 1 year ago

To start with, I'm not sure that this is an issue with Rathole. It may have to do with SNI filtering in general or be an issue with haproxy. But I figured it would be good to report it here, as I'm finding it when working in conjunction with Rathole.

I've been playing around with routing traffic through a VPS to a local server (or multiple servers) without terminating the TLS at the VPS. It works fine with rathole just passing 443 traffic to a server AND with haproxy in front of it, albeit doing almost nothing. But when I try to use SNI filtering in haproxy to route traffic from specific domain names to specific servers, I get many issues. Sometimes the server is unreachable. Other times it appears to work but is very slow. Other times it works for a short while and then goes unreachable after some period of time (minutes to perhaps hours).

Here are example haproxy and rathole configs. I'm running both of these in Docker with a docker compose file. The rathole container is called rathole and so "rathole:443" from the haproxy container routes to the rathole container. Rathole then sends off to Caddy also running on the local server which handles the certificates.

Running Ubuntu 22.04 on the VPS. Haproxy 2.7.6, Rathole 0.4.7, Caddy 2.

Example haproxy file:

```haproxy
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
 daemon
 user                haproxy
 group               haproxy
 log                 /dev/log local6 debug
 maxconn             5000
 #chroot              /var/lib/haproxy
 #pidfile             /var/run/haproxy.pid

#---------------------------------------------------------------------
# common defaults
#---------------------------------------------------------------------
defaults
 mode                 tcp
 log                  global
 option               dontlognull
 timeout connect      5s
 timeout client       10s
 timeout server       10s

listen stats
 bind :9000
 mode http
 stats enable
 stats hide-version
 stats realm Haproxy\ Statistics
 stats uri /haproxy_stats
 #stats uri stats.example.com
 stats auth myuser:myuser

#---------------------------------------------------------------------
# main frontend which proxies to the backends
#---------------------------------------------------------------------

frontend main_https_listen
 bind *:443
 mode tcp
 acl test_filter req_ssl_sni -i test.example.com
 use_backend test_backend if test_filter

#---------------------------------------------------------------------
# Backends
#---------------------------------------------------------------------

backend test_backend
 mode tcp
 server mainserver_443 rathole:443
```

Example rathole server file:

```toml
[server]
# Control channel the rathole client connects to
bind_addr = "0.0.0.0:2714"
default_token = "TOKEN1"

[server.transport]
type = "noise"
[server.transport.noise]
# Placeholder; the real key is not shown
local_private_key = "xxxxxxxxxxxxxxxxxx"

[server.services.https]
# Public side of the tunnel; haproxy reaches it as rathole:443
bind_addr = "0.0.0.0:443"
```

Example rathole client file:

```toml
[client]
default_token = "TOKEN1"
remote_addr = "rathole.example.com:2714"

[client.transport]
type = "noise"
[client.transport.noise]
# Placeholder; the real key is not shown
remote_public_key = "xxxxxxxxxxxxxxxxxxxxxxx"

[client.services.https]
# Tunnelled traffic is handed to Caddy, which holds the certificates
local_addr = "caddy:443"
```

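For comparison, here is an HAProxy frontend that routes on SNI without terminating TLS, written as an added example for this thread (it is not the reporter's config and not part of the rathole project). In `mode tcp` HAProxy evaluates `req_ssl_sni` against whatever happens to be in the request buffer when the rule runs; with no `tcp-request inspect-delay`, that is usually nothing, so `use_backend` does not match and, with no `default_backend`, the connection is left without a server. Whether the ClientHello has arrived by the time the rule runs depends on timing, which is the kind of intermittent behaviour described above. The delay plus the `req_ssl_hello_type 1` accept tells HAProxy to wait until a complete ClientHello is buffered before routing. Backend names, the `rathole:443` target, timeout values and the stats credentials are assumptions chosen to match the setup in the issue; the stats listener is also moved to loopback with placeholder credentials because the original binds it on every interface with a default-looking password.

```haproxy
# Added example, not from the issue or the rathole project.
# Routes TLS connections by SNI to rathole:443 without decrypting them.
global
    daemon
    log /dev/log local6 info
    maxconn 5000

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    # Assumed values. The original 10s idle timeouts will cut long-lived
    # TLS sessions (for example WebSockets) that go quiet for 10 seconds.
    timeout client 60s
    timeout server 60s

# Stats page on loopback only, with placeholder (not default) credentials.
listen stats
    bind 127.0.0.1:9000
    mode http
    stats enable
    stats hide-version
    stats uri /haproxy_stats
    stats auth STATS_USER:CHANGE_ME

frontend main_https_listen
    bind *:443
    mode tcp
    # Wait (at most 5s) until a full TLS ClientHello (hello type 1) is in
    # the buffer. Without this, req_ssl_sni below is evaluated against an
    # empty buffer and the SNI ACL never matches.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    acl test_filter req_ssl_sni -i test.example.com
    use_backend test_backend if test_filter

    # Connections with a missing or unknown SNI get an explicit backend
    # that closes them instead of being left with no server at all.
    default_backend no_match

backend test_backend
    mode tcp
    # "check" marks the backend down when rathole:443 cannot be reached,
    # which shows up on the stats page instead of as silent failures.
    server mainserver_443 rathole:443 check

backend no_match
    mode tcp
    tcp-request content reject
```

Because TLS is never terminated here, HAProxy sees only the plaintext SNI in the ClientHello and nothing else; the encrypted stream is passed through rathole to Caddy untouched. Note that rathole's `https` service binds `0.0.0.0:443` inside its container; if that port were also published to the host, clients could reach the tunnel directly and bypass the SNI filter, so keep it reachable only on the Docker network.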
fernvenue commented 1 year ago

Does it work well without rathole?

WGandy commented 1 year ago

> Does it work well without rathole?

I have not yet done a complete isolation of haproxy from rathole in order to rule out all combinations. It may very well be that I don't have a good SNI haproxy config. It's a bit challenging to test this because I need rathole to tunnel down to my servers. Most of my VPSes are small and running a full app can eat up all the RAM.

fernvenue commented 1 year ago

Could you please provide your Haproxy and rathole log information?