when we hit https://abc.domain.com/global its able to reach the backend server but the page keeps on loading. direct links to backend servers work and able to telnet to the servers as well. for ex https://srv1:8180/D2 and https://srv2:8180/D2 works
Could anyone please suggest what is missing? this is my first handson on haproxy. Selinux is disabled. haproxy server on redhat 7.9 and haproxy version 1.7.1
Below is the configuration file
defaults
mode http
log global
option httplog
#option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 10m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
stats enable
stats uri /stats
stats realm Haproxy\ Statistics
stats auth *:*
frontend https-in
mode http
bind *:443 ssl crt /etc/pki/tls/private/haproxy.pem
# redirect scheme https if !{ ssl_fc }
acl test_host hdr(host) -i abc.domain.com
acl d2nsh path_beg -i /global
use_backend testd2nsh if test_host d2nsh
frontend http-in
bind *:80
mode http
option httplog
##
acl test_host hdr(host) -i abc.domain.com
##
acl d2nsh path_beg -i /global
##
##
backend testd2nsh
mode http
balance roundrobin
option httpclose
option forwardfor
cookie JSESSIONID prefix nocache
reqrep ^([^\ :]*)\ /global/(.*) \1\ /D2/\2
server srv1_8180 srv1:8180 ssl verify none check cookie s1
server srv1_8190 srv1:8190 ssl verify none check cookie s2
server srv2_8180 srv2:8180 ssl verify none check cookie s3
server srv2_8190 srv2:8190 ssl verify none check cookie s4
##
Which version of HAProxy do your use?
haproxy -vv
Just a wild guess but on the srv*:8180 does not exist the /global URL and your get a redirect to https://srv*:8180/D2
If this is the case then try to set the path in the backend.
http-request set-path
backend testd2nsh
# other configs
http-request set-path /D2
# rest of the config
Some of servers and applications can be configured to know that they run behind a reverse Proxy and adopt the redirects like the tomcat
Related
I have haproxy setup in a 6 server node web application setup. 2 front end servers. 2 web servers. 2 database servers.
I recently added ssl certificates and redirection for all the sites running on the servers. We run Drupal multiside setup. So each site has its own apache config and conf file on the web servers.
The setup seems to work but what happens is SSL redirection fails after a certain amount of time (usually 1 few hours) and I have to keep restarting haproxy to fix it. I suspect either its a setup issues with my haproxy or I am going about this the wrong way.
Below is my haproxy config file with accounts and ip's munged.
Anyone able to give me any suggestions on what I am doing wrong?
global
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
stats socket /var/lib/haproxy/stats
defaults
mode tcp
log global
option httplog
option dontlognull
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
frontend web-front *:80
acl url_static path_beg -i /static /images /javascript /stylesheets
acl url_static path_end -i .jpg .gif .png .css .js
option abortonclose
option http-keep-alive
default_backend web
frontend web-front-ssl *:443
acl url_static path_beg -i /static /images /javascript /stylesheets
acl url_static path_end -i .jpg .gif .png .css .js
option abortonclose
option http-keep-alive
default_backend web-ssl
listen stats *:9000
maxconn 500
mode http
log global
stats enable
stats refresh 30s
stats hide-version
stats show-node
stats uri /stats
stats auth ******:*******
backend web
balance roundrobin
stick-table type ip size 1m expire 1h
stick on src
server web01 10.10.10.17:80 check maxconn 1000
server web02 10.10.10.18:80 check maxconn 1000
option abortonclose
option http-keep-alive
backend web-ssl
balance roundrobin
stick-table type ip size 1m expire 1h
stick on src
server web01 10.10.10.17:443 check maxconn 1000
server web02 10.10.10.18:443 check maxconn 1000
option abortonclose
option http-keep-alive
It is not clear what you mean by "ssl redirection fails", but since you are saying that this happens after 1 hour, then this is probably about the "expire 1h" in your configuration.
Try to adjust that parameter accordingly.
I want to redirect https://myserver/myapplication/ to https://myserver.domain.com/myapplication/ using haproxy.
This is my haproxy configuration
frontend LB_http
bind 10.123.122.112:80
reqadd X-Forwarded-Proto:\ http
default_backend LB
frontend LB_https
bind 10.123.122.112:443 ssl crt /usr/local/apache2/conf/server.pem
reqadd X-Forwarded-Proto:\ https
default_backend LB
backend LB
redirect scheme https if !{ ssl_fc }
mode http
stats enable
stats hide-version
stats uri /stats
stats realm Haproxy\ Statistics
stats auth haproxy:redhat # Credentials for HAProxy Statistic report page.
balance roundrobin # Load balancing will work in round-robin process.
option httpchk
option httpclose
option forwardfor
server myserver.domain.com myserver.domain.com:80 # backend server.
I have edited the config file by adding the below two lines
acl no_domain hdr(host) -i myserver
http-request redirect code 301 prefix %[hdr(host)].domain.com%[path] if no_domain
But now, when I try
myserver/myapplication/
the url is redirecting multiple times I guess. It is redirecting me to very long url like this
https://myserver/myapplication/myserver.domain.com/myapplication/myserver.domain.com/myapplication/myserver.domain.com/myapplication/myserver.domain.com/myapplication/myserver.domain.com/myapplication/myserver.domain.com/myapplication/
What am I missing?
I have modified the code as below and it started working as expected
frontend LB_http
bind 10.123.122.112:80
reqadd X-Forwarded-Proto:\ http
default_backend LB
frontend LB_https
bind 10.123.122.112:443 ssl crt /usr/local/apache2/conf/server.pem
reqadd X-Forwarded-Proto:\ https
default_backend LB
backend LB
acl no_domain hdr(host) -i myserver
http-request redirect code 301 prefix https:\/\/myserver.domain.com if no_domain
redirect scheme https if !{ ssl_fc }
mode http
stats enable
stats hide-version
stats uri /stats
stats realm Haproxy\ Statistics
stats auth haproxy:redhat # Credentials for HAProxy Statistic report page.
balance roundrobin # Load balancing will work in round-robin process.
option httpchk
option httpclose
option forwardfor
server myserver.domain.com myserver.domain.com:80 # backend server.
Now when I give
myserver/myapplication
it redirects to
https://myserver.domain.com/myapplication
I have a problem where sometimes HaProxy chooses the wrong SSL certificate. The scenario is this, I have 3 domains:
domain1.com
domain2.com
domain3.com
Each domain goes to the same backend, all ssl termination happens on the load balancer. Also each domain has it owns pem file in the designated pem folder.
Sometimes domain2.com will try to use domain1.com certificate, and same for the other domains. A simple refresh fixes it but it shouldn't be. Here is my config:
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 10048
tune.ssl.default-dh-param 2048
defaults
log global
mode http
option forwardfor
option http-server-close
option httplog
option dontlognull
timeout connect 5000
timeout client 2000000
timeout server 2000000
frontend http_front
bind *:80
stats uri /haproxy?stats
reqadd X-Forwarded-Proto:\ http
default_backend http_back
frontend www-https
bind *:443 ssl crt /etc/ssl/pems/ #All PEMs here, in seperate files
reqadd X-Forwarded-Proto:\ https
default_backend http_back
backend http_back
redirect scheme https if !{ ssl_fc }
balance roundrobin
server sprout1 x.x.x.x.:80 check
What am I missing in my config?
The reverse proxy of mydomain.com is working, but the subdomain fela.mydomain.com seems to be randomly picking between 172.17.0.59:8080 and 172.17.0.50:8080.
global
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 10000
timeout server 10000
listen stats
# Uncomment "disabeled" below to disable the stats page :
# disabled
bind :1988
stats uri /
frontend http-in
bind *:80
# Define hosts
acl host_fela hdr(host) -i fela.mydomain.com
acl host_mydomain hdr(host) -i mydomain.com
## figure out which one to use
use_backend mydomain_cluster if host_mydomain
use_backend fela_cluster if host_fela
backend mydomain_cluster
balance leastconn
option httpclose
option forwardfor
cookie JSESSIONID prefix
server node1 172.17.0.50:8080 cookie A check
backend fela_cluster
balance leastconn
option httpclose
option forwardfor
cookie JSESSIONID prefix
server node1 172.17.0.59:8080 cookie A check
If your intention is to strictly forward all the traffic targeted at fela.mydomain.com to 172.17.0.59:8080 use a different name for that cookie.
server node1 172.17.0.59:8080 cookie B check
I have HAProxy as a load balancer and dynamic redirector to my webserver and websocket server so that they can run over the same port. My web socket server requires SSL temination at ha proxy.
I want to configure HAProxy so that http traffic is redirected to https but websockets work on bot port 80 and 443 (ws and wss). Is this possible?
My current config is:
global
maxconn 50000
user root
group root
stats socket /tmp/haproxy
node lb1
nbproc 1
#daemon
#debug
defaults
log global
retries 3
option dontlog-normal
timeout connect 10000ms
timeout client 10000ms
timeout server 10000ms
timeout tunnel 24h
maxconn 50000
mode http
option http-server-close
backend wwwServers
mode http
balance roundrobin
option httpchk HEAD / HTTP/1.1
server www1 127.0.0.1:1138 check
backend wsServers
server ws1 127.0.0.1:1137 check
frontend secured
bind :443 ssl crt /cert/cert.pem
reqadd X-Forwarded-Proto:\ https
default_backend wwwServers
frontend unsecured
bind :80
acl is_websocket hdr(Upgrade) -i WebSocket
use_backend wsServers if is_websocket
redirect scheme https if !{ ssl_fc }
default_backend wwwServers
but this redirects the websocket connection before the upgrade because ha proxy does the following when I run it:
a 'redirect' rule placed after a 'use_backend' rule will still be processed before.
Any help would be appreciated.
Thanks,
The solution was as follows:
frontend secured
bind :443 ssl crt /path/to/certificate.pem
reqadd X-Forwarded-Proto:\ https
acl is_websocket hdr(Upgrade) -i WebSocket
use_backend wsServers if is_websocket
default_backend wwwServers
frontend unsecured
bind :81,:80
acl is_websocket hdr(Upgrade) -i WebSocket
redirect scheme https if !{ ssl_fc } !is_websocket
use_backend wsServers if is_websocket
default_backend wwwServers
if a non ssl non websocket connection is made it is redirected.