HAProxy sometimes selects wrong acl

Question

I'm using HAProxy 1.4.22. I have the following haproxy.conf file:

global
    maxconn 100000
    daemon

defaults
    mode http
    retries 1
    contimeout 8000
    clitimeout 120000
    srvtimeout 120000
    stats enable
    stats uri     /haproxy-stats
    stats auth admin:****************
    option httpchk

frontend http-in
    bind 16.9.13.39:80
    maxconn 100000
    acl is_l1 hdr_end(host) -i l1.mydomain.com
    acl is_l2 hdr_end(host) -i l2.mydomain.com
    acl is_l3 hdr_end(host) -i l3.mydomain.com
    acl is_l0 hdr_end(host) -i mydomain.com
    use_backend lora1 if is_l1
    use_backend lora2 if is_l2
    use_backend lora3 if is_l3
    use_backend lora0 if is_l0
    default_backend lora0

backend lora0
    balance roundrobin
    option forwardfor except 127.0.0.1  # stunnel already adds the header
    server s0 127.0.0.1:5000 check inter 60000

backend lora1
    balance source
    option forwardfor except 127.0.0.1  # stunnel already adds the header
    server s1 127.0.0.1:5001 check inter 60000

backend lora2
    balance source
    option forwardfor except 127.0.0.1  # stunnel already adds the header
    server s2 127.0.0.1:5002 check inter 60000

backend lora3
    balance source
    option forwardfor except 127.0.0.1  # stunnel already adds the header
    server s3 127.0.0.1:5003 check inter 60000

It all works fine. Except, for some 0.2% of the clients. Sometimes when the request comes for l1, l2 or l3. For example:

http://l3.mydomain.com/something

and HAProxy does not match the domain name for some reason and uses default backend instead. I have set up logging in my application and it reports that hostname on the receiving end is in fact "l3.mydomain.com". Here are the headers that my application receives:

host: 'l3.mydomain.com',
'user-agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.4 (KHTML, like Gecko) Chrome/22.0.1229.94 Safari/537.4',
accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
referer: 'http://mydomain.com/menu/2034414/e2e1abb5500ed51391d6351b1cf03695',
'accept-encoding': 'gzip,deflate,sdch',
'accept-language': 'en-US,en;q=0.8',
'accept-charset': 'ISO-8859-1,utf-8;q=0.7,*;q=0.3',
'x-proxy-id': '1407537728',
'x-forwarded-for': '10.201.4.168',
via: '1.1 10.201.255.254 (Mikrotik HttpProxy)'

Questions:

Am I using hdr_end() properly, and is there some special case when matching might fail?

Is there some way log the actual HTTP readers received by HAProxy, but only when nothing is matched and default_backend rule is used?

Answer 1

The problem was that the remote user's proxy sees that both mydomain.com and l3.mydomain.com are the same IP address and tries to reuse the connection. Adding the http-server-close option solved the problem.