This is a tracker for https://github.com/openshift/origin/issues/3926

The frontend fe_no_sni, used for terminating non-SNI connections, does not work correctly for either reencrypting or edge terminating connections. This is because it uses backends of the form:

use_backend be_edge_http_%[hdr(host), map......

These maps are unused, because hdr(host) is undefined. This is easily fixed by adding 'mode http' to the frontend fe_no_sni definition.

NB - 'mode http' is already present in the frontend fe_sni used for SNI termination, so I presume it is just an oversight that it is missing in fe_no_sni.
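A configuration check for the condition this report describes, as an added example that is not part of the original report or of the OpenShift router code: it flags frontend or listen sections that route on HTTP-level fetches while their effective mode is not http. The function name, the list of fetches and the sample text (built from the fe_no_sni frontend quoted on this page) are assumptions of the example.

```python
import re

SECTION = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")
# HTTP-level sample fetches at the start of an expression (after "%[" or a space).
L7_FETCH = re.compile(r"(?:%\[|\s)(?:hdr\(|req\.hdr\(|base\b|path\b|url\b)")

def frontends_missing_http_mode(config_text):
    """Names of frontend/listen sections whose acl/use_backend rules use HTTP
    fetches although the section's own or inherited mode is not http."""
    defaults_mode = "tcp"            # HAProxy's built-in mode when none is set
    current, proxies = None, []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            kind, name = m.groups()
            if kind == "defaults":
                defaults_mode = "tcp"            # a new defaults section starts clean
            current = {"kind": kind, "name": name, "mode": defaults_mode, "l7": False}
            if kind in ("frontend", "listen"):
                proxies.append(current)
            continue
        if current is None:
            continue
        words = line.split()
        if words[0] == "mode" and len(words) > 1:
            current["mode"] = words[1]
            if current["kind"] == "defaults":
                defaults_mode = words[1]         # inherited by later sections
        elif words[0] in ("acl", "use_backend") and L7_FETCH.search(line):
            current["l7"] = True
    return [p["name"] for p in proxies if p["l7"] and p["mode"] != "http"]

# Constructed sample: the fixed frontend as quoted on this page; the broken
# variant is the same text with its "mode http" line removed.
FIXED = """\
frontend fe_no_sni
  bind 127.0.0.1:10443 ssl crt /var/lib/haproxy/conf/default_pub_keys.pem accept-proxy
  mode http
  acl reencrypt base,map_beg(/var/lib/haproxy/conf/os_reencrypt.map) -m found
  use_backend be_secure_%[base,map_beg(/var/lib/haproxy/conf/os_reencrypt.map)] if reencrypt
  use_backend be_edge_http_%[base,map_beg(/var/lib/haproxy/conf/os_edge_http_be.map)]
  default_backend openshift_default
"""
BROKEN = FIXED.replace("  mode http\n", "")

if __name__ == "__main__":
    print("broken:", frontends_missing_http_mode(BROKEN))
    print("fixed: ", frontends_missing_http_mode(FIXED))
```

Run against a rendered haproxy.config, a non-empty result lists the frontends whose host or path maps would never be consulted.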
Fixed with https://github.com/openshift/origin/pull/3937
Currently OSE's latest build is openshift-3.0.1.0-1.git.525.eddc479.el7ose.x86_64 and openshift3/ose-haproxy-router:v3.0.1.0 (f9a30218f78c). Checked the router haproxy configuration file; PR#3937 is not merged into OSE yet, so QE needs a newly built router image to verify this bug. So moving this bug to "MODIFIED" status; once a new build comes out, please help move it to "ON_QA" to notify QE to verify it.
Verified this bug with openshift3/ose-haproxy-router:v3.0.1.900 (53b385781e37), and PASS.

    frontend fe_no_sni
      # terminate ssl on edge
      bind 127.0.0.1:10443 ssl crt /var/lib/haproxy/conf/default_pub_keys.pem accept-proxy
      mode http

      # check re-encrypt backends first - path or host based.
      acl reencrypt base,map_beg(/var/lib/haproxy/conf/os_reencrypt.map) -m found
      # Search from most specific to general path (host case).
      use_backend be_secure_%[base,map_beg(/var/lib/haproxy/conf/os_reencrypt.map)] if reencrypt

      # map to http backend
      # Search from most specific to general path (host case).
      # Note: If no match, haproxy uses the default_backend, no other
      #       use_backend directives below this will be processed.
      use_backend be_edge_http_%[base,map_beg(/var/lib/haproxy/conf/os_edge_http_be.map)]

      default_backend openshift_default
This fix is available in OpenShift Enterprise 3.1.