Site hosting with haProxy reverse TCP proxy

I’m trying to use HAProxy (v1.8) to route all traffic through to my custom Webflow domain (webflow.mysite.com) for specific routes.

I’ve followed the instructions that I found on this forum and can confirm the following:

  • My custom domain webflow.mysite.com has been added to Webflow and validated
  • I’ve added the following settings to my HAProxy configuration:

backend publicwebflow
    # Rewrite the Host header so Webflow serves the custom domain
    http-request set-header Host webflow.mysite.com
    # Upstream over TLS, certificate not verified, TLS 1.2 minimum
    server webflow webflow.mysite.com:443 ssl verify none ssl-min-ver TLSv1.2

When I update HAProxy, it receives 503s from the endpoint, even though I can curl the Webflow site from the proxy box and this is successful.

Webflow doesn’t seem to offer me server logs, so it’s difficult to troubleshoot from that end, and support doesn’t cover reverse proxies.

If I update HAProxy to point at the mysite.webflow.io domain, this works without an issue, but because it doesn’t pass through the SSL endpoint I can’t remove the Webflow badge.

Has anyone come across this issue or have any ideas on a solution?

It appears that the mysite.webflow.com server is not accepting the connection attempt from our server; it gets terminated before it gets to any of the HTTP-related messaging. We’re not easily able to run tools like tcpdump on the box to dump traffic between the two hosts.

Thanks!

Update: Managed to track down the issue, and it has been resolved.
Just posting the solution here in case anyone else comes across something similar in the future.

Solution:
The fix was to remove health checks for the endpoint and add a server name indicator (SNI) to the server line, in addition to using a Host header.

The problem stems from the fact that the proxy-ssl.webflow.com server is quite strangely configured. It accepts both HTTP and HTTPS on port 443 and is hosting multiple sites, so it needed forced SSL with an SNI indicator on the connection, and health checks against that endpoint had to be avoided.

HAProxy by default is just trying to establish an SSL channel, so that was getting rejected outright initially because of the lack of a forced server name in the initial hello packet.

Hope this helps someone.
Happy coding! - Ollie
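The backend below is an added example of the fix described in the update, not configuration taken from the original post or from Webflow. It assumes a frontend that only sends the paths /blog and /marketing to Webflow (the paths, the certificate path /etc/haproxy/certs/mysite.pem and the backend name app are placeholders). The `sni str(...)` fetch forces the server name into the TLS ClientHello, the Host header is rewritten for the upstream, and no `check` keyword is present so HAProxy never health-checks the shared endpoint. One deliberate difference from the post: the example verifies the upstream certificate against the system CA bundle (`verify required` with `ca-file`) instead of `verify none`, since the SNI name is your own validated domain and Webflow presents a certificate for it; the ca-file path is an assumption for a Debian-style host.

```haproxy
# Added example: HAProxy 1.8 frontend/backend for proxying selected
# routes to a Webflow-hosted custom domain via SNI (not the post's own config).

frontend public
    bind *:80
    # Placeholder certificate path for the public-facing TLS endpoint.
    bind *:443 ssl crt /etc/haproxy/certs/mysite.pem
    http-request redirect scheme https unless { ssl_fc }

    # Assumed routes that live on Webflow; everything else goes to "app".
    acl is_webflow path_beg /blog /marketing
    use_backend publicwebflow if is_webflow
    default_backend app

backend publicwebflow
    # Webflow serves the site that matches the Host header.
    http-request set-header Host webflow.mysite.com
    # Force the server name into the TLS ClientHello so the shared
    # proxy-ssl.webflow.com endpoint can select the right site.
    # No "check" keyword: health checks against this endpoint are avoided.
    server webflow webflow.mysite.com:443 ssl sni str(webflow.mysite.com) \
        verify required ca-file /etc/ssl/certs/ca-certificates.crt \
        ssl-min-ver TLSv1.2

backend app
    # Placeholder for the rest of the site.
    server app1 127.0.0.1:8080
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. To confirm from the proxy box that the upstream really does depend on SNI, compare `openssl s_client -connect webflow.mysite.com:443 -servername webflow.mysite.com` with the same command without `-servername`: the first should complete the handshake and present a certificate for your domain, while the second reproduces the early termination described above.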