I am trying to set up a TCP mode reverse-proxy frontend (i.e. `load-balancing reverse-proxy service <name> mode tcp`) to forward traffic from a dedicated domain name to the VyOS HTTP API using an SNI-based rule. The config looks like this:
    reverse-proxy {
        backend vyos-api {
            balance round-robin
            mode tcp
            server vyos {
                address 192.168.255.1
                port 8443
            }
        }
        service tcp443 {
            listen-address 192.168.255.1
            mode tcp
            port 443
            rule 10 {
                domain-name vyos-api.mgmt.domain
                set {
                    backend vyos-api
                }
                ssl req-ssl-sni
            }
        }
    }
But I kept getting sporadic connection resets for around 70% of my requests.
Then I checked the haproxy config generated by VyOS in /run/haproxy/haproxy.cfg (rendered from /usr/share/vyos/templates/load-balancing/haproxy.cfg.j2) and found that the frontend lacks the following configuration:

    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
According to "Why is “tcp-request content accept” frontend instruction is required for proper HAProxy SNI-based routing?" on Server Fault, these two lines must be added to the frontend block for haproxy TCP mode SNI-based routing to work.
So please consider adding `tcp-request content accept` to the load-balancing reverse-proxy config when the frontend mode is tcp.
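To make the failure mode concrete, here is an added Python example (not part of this post and not VyOS or haproxy code) that builds a sample TLS ClientHello for the domain used in rule 10 above, extracts the SNI from it the way an SNI fetch has to (after checking that the record is a handshake record whose first message is a ClientHello, type 1), and then evaluates a domain-name rule against the bytes buffered so far. With an empty or partial buffer the rule can never match, which is what `tcp-request inspect-delay` plus `tcp-request content accept if { req_ssl_hello_type 1 }` avoid by holding the routing decision until a complete ClientHello has arrived. The ClientHello bytes, the RULES map and all function names are constructed for this example.

```python
import struct

# Constructed rule table mirroring "rule 10 { domain-name vyos-api.mgmt.domain ... backend vyos-api }".
RULES = {"vyos-api.mgmt.domain": "vyos-api"}


def build_client_hello(sni: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying one SNI extension (sample input)."""
    host = sni.encode("ascii")
    # server_name entry: name_type 0 (host_name), 2-byte length, name
    server_name_list = b"\x00" + struct.pack("!H", len(host)) + host
    sni_ext_data = struct.pack("!H", len(server_name_list)) + server_name_list
    sni_ext = struct.pack("!HH", 0, len(sni_ext_data)) + sni_ext_data  # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                            # client_version: TLS 1.2
        + bytes(32)                            # random (all zeros is fine for a sample)
        + b"\x00"                              # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
        + b"\x01\x00"                          # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 0x16 = handshake


def extract_sni(data: bytes):
    """Parse the bytes buffered so far.

    Returns None while the first TLS record is incomplete (or is not a TLS handshake
    record), otherwise (handshake_type, sni). sni is None when the message is not a
    ClientHello or carries no server_name extension.
    """
    try:
        if len(data) < 5 or data[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        if len(data) < 5 + rec_len:
            return None                      # still waiting for the rest of the record
        hs = data[5:5 + rec_len]
        hs_type = hs[0]
        if hs_type != 1:
            return (hs_type, None)           # req_ssl_hello_type would not be 1 here
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None
        pos = 2 + 32                         # skip client_version and random
        pos += 1 + body[pos]                 # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                 # compression_methods
        if pos + 2 > len(body):
            return (1, None)                 # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            # server_name extension: list length (2), name_type (1), name length (2), name
            if etype == 0 and len(edata) >= 5 and edata[2] == 0:
                name_len = struct.unpack("!H", edata[3:5])[0]
                return (1, edata[5:5 + name_len].decode("ascii", "replace"))
        return (1, None)
    except (IndexError, struct.error):
        return None                          # malformed or truncated: treat as "nothing usable yet"


def pick_backend(buffered: bytes, rules: dict = RULES):
    """Mimic frontend rule evaluation: match the SNI against the domain-name rules.

    Returns the backend name, or None when no rule matches. Evaluated against the bytes
    present at connection accept time (no inspect-delay) the buffer is empty, so the
    frontend has no backend to send the connection to.
    """
    parsed = extract_sni(buffered)
    if parsed is None:
        return None
    _hs_type, sni = parsed
    if sni is None:
        return None
    return rules.get(sni.lower())


if __name__ == "__main__":
    hello = build_client_hello("vyos-api.mgmt.domain")
    print("decision with nothing buffered yet:", pick_backend(b""))
    print("decision after the full ClientHello :", pick_backend(hello))
```

Running the block prints `None` for the first decision and `vyos-api` for the second, which is the difference between the frontend that resets roughly 70% of connections (rules evaluated before the ClientHello is in the buffer) and one that waits for it.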
As a workaround, I had to patch the haproxy.cfg.j2 template for this:

    {% if front_config.mode is vyos_defined %}
        mode {{ front_config.mode }}
    {# updated #}
    {%     if front_config.mode is vyos_defined('tcp') and front_config.rule is vyos_defined %}
    {%         for rule, rule_config in front_config.rule.items() %}
    {%             if rule_config.ssl is vyos_defined %}
        # add
        tcp-request inspect-delay 5s
        tcp-request content accept if {{ "{" }} req_ssl_hello_type 1 {{ "}" }}
    {%                 break %}
    {%             endif %}
    {%         endfor %}
    {%     endif %}
    {% endif %}