I have one server containing FE app and BE for it. FE listens port 80 and BE is deployed to Tomcat listening default port 8080. HAProxy is used to listen port 443 / handle ssl. Proxying to FE / port 80 works fine, but not to BE / Tomcat listening port 8080. Here's the configuration I'm using:
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
maxconn 3072
tune.ssl.default-dh-param 2048
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/ssl.key
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
#ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option httpchk
option httplog
option dontlognull
option forwardfor
option http-server-close
option http-keep-alive
option abortonclose
option redispatch
retries 3
maxconn 3072
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
listen stats
bind 0.0.0.0:9000
mode http
frontend http-in
bind *:443 ssl crt /etc/ssl/private/bundle.pem
http-request set-header X-Forwarded-Proto https if { ssl_fc }
redirect scheme https if !{ ssl_fc }
# Define hosts
acl host_fe hdr(host) -i fe.domain.com
acl host_be hdr(host) -i be.domain.com
## figure out which one to use
use_backend fecluster if host_fe
use_backend becluster if host_be
backend fecluster
balance leastconn
option httpclose
option forwardfor
server node1 localhost:80 cookie A check
backend becluster
mode http
balance leastconn
option httpclose
option forwardfor
cookie JSESSIONID prefix
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
redirect scheme https if !{ ssl_fc }
server node1 localhost:8080 maxconn 32 check inter 5000
cookie node1
Tomcat works fine using ip address directly, so that's not the case. So help is needed for the host_be / becluster.
Related
when we hit https://abc.domain.com/global its able to reach the backend server but the page keeps on loading. direct links to backend servers work and able to telnet to the servers as well. for ex https://srv1:8180/D2 and https://srv2:8180/D2 works
Could anyone please suggest what is missing? this is my first handson on haproxy. Selinux is disabled. haproxy server on redhat 7.9 and haproxy version 1.7.1
Below is the configuration file
defaults
mode http
log global
option httplog
#option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 10m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
stats enable
stats uri /stats
stats realm Haproxy\ Statistics
stats auth *:*
frontend https-in
mode http
bind *:443 ssl crt /etc/pki/tls/private/haproxy.pem
# redirect scheme https if !{ ssl_fc }
acl test_host hdr(host) -i abc.domain.com
acl d2nsh path_beg -i /global
use_backend testd2nsh if test_host d2nsh
frontend http-in
bind *:80
mode http
option httplog
##
acl test_host hdr(host) -i abc.domain.com
##
acl d2nsh path_beg -i /global
##
##
backend testd2nsh
mode http
balance roundrobin
option httpclose
option forwardfor
cookie JSESSIONID prefix nocache
reqrep ^([^\ :]*)\ /global/(.*) \1\ /D2/\2
server srv1_8180 srv1:8180 ssl verify none check cookie s1
server srv1_8190 srv1:8190 ssl verify none check cookie s2
server srv2_8180 srv2:8180 ssl verify none check cookie s3
server srv2_8190 srv2:8190 ssl verify none check cookie s4
##
Which version of HAProxy do your use?
haproxy -vv
Just a wild guess but on the srv*:8180 does not exist the /global URL and your get a redirect to https://srv*:8180/D2
If this is the case then try to set the path in the backend.
http-request set-path
backend testd2nsh
# other configs
http-request set-path /D2
# rest of the config
Some of servers and applications can be configured to know that they run behind a reverse Proxy and adopt the redirects like the tomcat
So I'm having an issue with HAProxy stripping the authorization header from from my call when redirecting to a separate URL. Specifically, I want to hit an AWS lambda, based on the URL path.
subdomain.domain/mo/api should be routed to the lambda, and it is based on this configuration, but I receive this response back from the lambda (using postman):
{
"message": "Missing Authentication Token"
}
hitting the lambda url (bypassing HAProxy) works as expected, all headers are exactly the same.
Proxy config:
global
log /dev/log local0
log /dev/log local1 notice
maxconn 20000
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
tune.ssl.default-dh-param 2048
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
ssl-default-server-options no-sslv3 no-tls-tickets
defaults
log global
mode http
option httplog
option dontlognull
option forwardfor
monitor-uri /index.html
stats enable
stats uri /stats
stats realm Haproxy\ Statistics
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend http
bind *:80
#Defining ACL based on a string in URI
acl dm_in_uri path_sub dm
acl mo_in_uri path_sub mo
acl lab_host hdr(host) -i subdomain.domain.com
reqadd X-Forwarded-Proto:\ http
#Special route which matches both hostname and string acl
use_backend lab_mo_api if lab_host mo_in_uri api_in_uri
use_backend lab_portal if lab_host
frontend https
bind *:443 ssl crt /etc/ssl/<blah>.pem
#Defining ACL based on a string in URI
acl api_in_uri path_sub api
acl dm_in_uri path_sub dm
acl mo_in_uri path_sub mo
acl lab_host hdr(host) -i subdomain.domain.com
reqadd X-Forwarded-Proto:\ https
#Special route which matches both hostname and string acl
use_backend lab_mo_api if lab_host mo_in_uri api_in_uri
use_backend lab_portal if lab_host
backend lab_mo_api
reqrep (.*)\/mo\/api(\/.*) \1\ /lab\/
redirect prefix https://<aws_lambda_url> code 301
I have a problem where sometimes HaProxy chooses the wrong SSL certificate. The scenario is this, I have 3 domains:
domain1.com
domain2.com
domain3.com
Each domain goes to the same backend, all ssl termination happens on the load balancer. Also each domain has it owns pem file in the designated pem folder.
Sometimes domain2.com will try to use domain1.com certificate, and same for the other domains. A simple refresh fixes it but it shouldn't be. Here is my config:
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 10048
tune.ssl.default-dh-param 2048
defaults
log global
mode http
option forwardfor
option http-server-close
option httplog
option dontlognull
timeout connect 5000
timeout client 2000000
timeout server 2000000
frontend http_front
bind *:80
stats uri /haproxy?stats
reqadd X-Forwarded-Proto:\ http
default_backend http_back
frontend www-https
bind *:443 ssl crt /etc/ssl/pems/ #All PEMs here, in seperate files
reqadd X-Forwarded-Proto:\ https
default_backend http_back
backend http_back
redirect scheme https if !{ ssl_fc }
balance roundrobin
server sprout1 x.x.x.x.:80 check
What am I missing in my config?
I have a Problem with my HaProxy
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 2048
tune.ssl.default-dh-param 2048
# Default SSL material locations
#ca-base /etc/haprorxy/certs/ca_bundle.crt
#crt-base /etc/haproxy/certs/certificate.crt
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
#ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
#ssl-default-bind-options no-sslv3
defaults
log global
mode tcp
option httplog
option dontlognull
option forwardfor
option http-server-close
retries 3
option redispatch
timeout connect 5s
timeout client 5s
timeout server 5s
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend http_front
bind *:80
reqadd X-Forwarded-Proto:\ http
stats uri /haproxy?stats
default_backend wp7.xxxx.com
stats auth admin:test
frontend https_front
mode tcp
bind *:443 ssl crt /etc/haproxy/certs/wp7.xxxxx.com.pem
reqadd X-Forwarded-Proto:\ https
default_backend wp7.xxxxxxx.com
stats uri /haproxy?stats
stats auth admin:test
backend wp7.xxxx.com
redirect scheme https if !{ ssl_fc }
option httpclose
option forwardfor
balance roundrobin
server Backend Backend_IP:80 check
#server rproxy02 xx.xx.xxx.xx:443 check
But the Website doesn`t look like how it should on https: https://www.pic-upload.de/view-32841877/Untitled.png.html
This is how it should look like: https://www.pic-upload.de/view-32841910/Untitled.png.html
The Website should run a Wordpress installation. When I go through port 80 (http) everything is ok, but If I go through Port 443 (https like on the picture), it looks like in the Picture.
Can someone help or have an idea?
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
try these lines in frontend
https://serversforhackers.com/c/using-ssl-certificates-with-haproxy
Got same issue and resolved by this link. Hope this could help.
I have HAProxy as a load balancer and dynamic redirector to my webserver and websocket server so that they can run over the same port. My web socket server requires SSL temination at ha proxy.
I want to configure HAProxy so that http traffic is redirected to https but websockets work on bot port 80 and 443 (ws and wss). Is this possible?
My current config is:
global
maxconn 50000
user root
group root
stats socket /tmp/haproxy
node lb1
nbproc 1
#daemon
#debug
defaults
log global
retries 3
option dontlog-normal
timeout connect 10000ms
timeout client 10000ms
timeout server 10000ms
timeout tunnel 24h
maxconn 50000
mode http
option http-server-close
backend wwwServers
mode http
balance roundrobin
option httpchk HEAD / HTTP/1.1
server www1 127.0.0.1:1138 check
backend wsServers
server ws1 127.0.0.1:1137 check
frontend secured
bind :443 ssl crt /cert/cert.pem
reqadd X-Forwarded-Proto:\ https
default_backend wwwServers
frontend unsecured
bind :80
acl is_websocket hdr(Upgrade) -i WebSocket
use_backend wsServers if is_websocket
redirect scheme https if !{ ssl_fc }
default_backend wwwServers
but this redirects the websocket connection before the upgrade because ha proxy does the following when I run it:
a 'redirect' rule placed after a 'use_backend' rule will still be processed before.
Any help would be appreciated.
Thanks,
The solution was as follows:
frontend secured
bind :443 ssl crt /path/to/certificate.pem
reqadd X-Forwarded-Proto:\ https
acl is_websocket hdr(Upgrade) -i WebSocket
use_backend wsServers if is_websocket
default_backend wwwServers
frontend unsecured
bind :81,:80
acl is_websocket hdr(Upgrade) -i WebSocket
redirect scheme https if !{ ssl_fc } !is_websocket
use_backend wsServers if is_websocket
default_backend wwwServers
if a non ssl non websocket connection is made it is redirected.