I am new to HAProxy, and would like to learn how to go about writing the conf file to proxy to a secure website.
I am currently testing from localhost. What I basically want to do is, if I enter localhost in my browser, it should proxy to www.site24x7.com. The site has an SSL certificate. On following the guides, it always ends in a 400 Bad Request. My haproxy.cfg is below.
This is not a complete haproxy.cfg. I am not sure what to put here. Since site24x7 has its own SSL certificate, do I provide my own cert? (I can use a self-signed cert for now.) I tried SSL pass-through with HAProxy as well instead of SSL termination, but got a similar 400 Bad Request.
    frontend www-http
        bind *:80
        reqadd X-Forwarded-Proto:\ http
        default_backend www-backend

    backend www-backend
        #redirect scheme https if !{ ssl_fc } # don't know about this
        server www-1 www.site24x7.com:443 check
        server www-1 www.site24x7.com:443 check ssl verify none
Either

    curl http://127.0.0.1 -H "Host: www.site24x7.com"

or

    mode http
    http-request set-header Host www.site24x7.com
    server www-1 www.site24x7.com:443 check ssl verify none
I need to deploy different apps on the same domain, thus I've set up the backend to rewrite URL with reqrep ^([^\ ]*\ /)appA[/]?(.*) \1\2. It works when I only deploy the HTTP or HTTPS version of the app.
However, if I try to redirect all HTTP traffic to HTTPS, it doesn't work. The problem is that HAProxy has already rewritten the URL and stripped out the /appA part before the redirection. Thus if I try to visit http://myserver.com/appA, the page https://myserver.com will eventually be requested instead of https://myserver.com/appA.
I can't put the redirect rule before the reqrep rule as it seems that HAProxy must process all the rewrites before the redirects.
What can I do to make my configuration work as I intended? This should be obvious but I can't seem to find a relevant answer online.
My configuration:
    frontend http_front
        bind *:80
        reqadd X-Forwarded-Proto:\ http
        acl appA_url url_beg /appA
        use_backend appA if appA_url

    frontend https_front
        bind *:443 ssl crt /etc/haproxy/certs/myserver.com.pem
        reqadd X-Forwarded-Proto:\ https
        acl appA_url url_beg /appA
        use_backend appA if appA_url

    backend appA
        reqrep ^([^\ ]*\ /)appA[/]?(.*) \1\2
        redirect scheme https if !{ ssl_fc }
        balance roundrobin
        server web1 127.0.0.1:5001 check
Use http-request directives, which are processed in declaration order. They are also newer features, and usually cleaner, more intuitive, more flexible, and more internally efficient than reqxxx.

    http-request redirect scheme https if ! { ssl_fc }
    http-request set-path %[path,regsub(^/appA/,/)]
See http-request. Requires 1.6 or later, where the regsub() converter is available.
I am working with a Golang app and Caddy as the HTTP server. The Golang app rejects every HTTP connection; it can only be used over HTTPS. This app is a kind of API/service that is consumed by other apps. As it requires HTTPS, I installed Caddy so I can take advantage of the automatic SSL certificate and use proxy to switch between the ports.
The application is running on port 9000, so the consumers will only write mysite.com and Caddy should be in charge of redirecting those requests to port 9000 while maintaining HTTPS. The configuration in Caddy for the site is:

    mysite.com {
        proxy / :9000 {
            max_fails 1
        }
        log logfile
    }

Nevertheless, it seems like when the proxy is made, HTTPS is lost. I checked the logs of the application (not the logs of Caddy) and I get this:

    http: TLS handshake error from xxx.xxx.xxx.xxx:xxxx: tls: oversized record received with length 21536

So, based on this error, it looks to me like the HTTP proxy made by Caddy is losing HTTPS. What can I do?
From the Caddy docs:

    to is the destination endpoint to proxy to. At least one is required,
    but multiple may be specified. If a scheme (http/https) is not
    specified, http is used. Unix sockets may also be used by prefixing
    "unix:".
So maybe it is sending http requests to the proxied https endpoint.
Does
    mysite.com {
        proxy / https://localhost:9000 {
            max_fails 1
        }
        log logfile
    }
fix it?
If that is the case, you may not strictly need your app on :9000 to listen https. It may simplify your deployment or cert management to just have it listen http and have caddy manage all the certs.
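As an added diagnostic (not part of the question or the answer above): a TLS record begins with a 5-byte header whose last two bytes are the record length, so when plaintext HTTP reaches a TLS-only listener the error length is just two ASCII bytes of the request line. 21536 is 0x5420, the bytes "T " at offsets 3-4 of "POST ", which is what a plaintext proxy request from Caddy would look like to the Go listener. The method table and sample bytes below are constructed for the example.

```python
import struct

# Methods the guesser knows about (constructed list for this example).
HTTP_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE",
                "OPTIONS", "PATCH", "CONNECT", "TRACE")


def length_to_ascii(length: int) -> bytes:
    """The two bytes a TLS reader parsed as the big-endian record length."""
    return struct.pack(">H", length)


def guess_methods(length: int) -> list:
    """HTTP methods whose request line has these bytes at offsets 3-4.

    Three-letter methods are followed by a space and the target, so "/" is
    assumed as the first byte of the request target in that case.
    """
    pair = length_to_ascii(length)
    return [m for m in HTTP_METHODS if (m + " /").encode()[3:5] == pair]


def classify_first_bytes(buf: bytes) -> str:
    """Decide whether a connection's first bytes are TLS or plaintext HTTP."""
    if len(buf) < 5:
        return "unknown"
    ctype, version, length = struct.unpack(">BHH", buf[:5])
    # 0x16 = handshake record; version high byte 0x03 for every TLS 1.x;
    # 16384 + 2048 is the largest legal TLS 1.2 ciphertext record.
    if ctype == 0x16 and version >> 8 == 0x03 and length <= 16384 + 2048:
        return "tls"
    first_token = buf.split(b" ", 1)[0]
    if first_token.decode("ascii", "replace") in HTTP_METHODS:
        return "plaintext-http"
    return "unknown"
```

Running `guess_methods(21536)` on the length from the log confirms the backend was handed a plaintext POST, i.e. the proxy hop was HTTP, not HTTPS.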
Here we are using HAProxy for the redirection of HTTP to HTTPS; at the backend we use the gateway. Here the gateway already has an SSL certificate, so we redirected to it directly through HAProxy.
We have 2 URLs, one hit on port 80 and the 2nd hit on port 8080. What are the possible conditions required for that? I have tried all possibilities. Without using SSL it's working, but regarding SSL it can't work; it only works on 443 and it's only applicable to port 80, not getting assigned to the others.
I am using dedicated servers to host 4 domains and 3 subdomains on CentOS & WHM. Recently I planned to use HAProxy for load balancing between them.
What I am trying to achieve is to redirect all the traffic of one particular domain to https using the HAProxy configuration on the frontend, because I am terminating the SSL of that one particular domain at HAProxy.
Here's what I have used:
    frontend www-https
        bind haproxy_www_public_IP:443 ssl crt /etc/ssl/private/example.com.pem
        reqadd X-Forwarded-Proto:\ https
        default_backend www-backend

    backend www-backend
        redirect scheme https if !{ ssl_fc }
        server www-1 www_1_private_IP:80 check
        server www-2 www_2_private_IP:80 check
I have googled for a solution, but most of the solutions available tell you to redirect all the traffic to https or http.
If I understand correctly, you want one domain (in the configuration below it is httpsonlydomain.com) to only be accessible by https, and all http requests to that domain get forwarded on to https. The other domains can work by either http or https with no forwarding. Finally, I have assumed that all four domains (including httpsonlydomain.com) will use the www-backend backend.
If that is the case then this should do the trick:
    frontend www-http
        bind haproxy_www_public_IP:80
        acl https_domain hdr(host) -i httpsonlydomain.com
        redirect scheme https if !{ ssl_fc } https_domain
        default_backend www-backend

    frontend www-https
        bind haproxy_www_public_IP:443 ssl crt /etc/ssl/private/example.com.pem
        default_backend www-backend

    backend www-backend
        server www-1 www_1_private_IP:80 check
        server www-2 www_2_private_IP:80 check
Hope that helps.
First of all, I want to make clear that I am not talking about accessing content which is on origin servers that deliver using https, which can be done using the module mod_proxy_connect.
What I want is a secured connection between the client and the proxy, also when the origin that is requested is actually served by an unsecured standard http server.
I am using Apache 2.2 and would also like to make this possible with Apache if that works.
I sniffed some requests using Wireshark and noted the following:
A usual HTTP request for the url http://example.com/file looks like this:
on a connection to the origin server:

    GET /file HTTP/1.1
    Host: example.com

Note that the host information is stripped from the actual request and the Host header is supplied instead (which can be handled server side in named virtual hosts).
When the request goes through a proxy server it looks slightly different:
on a connection to the proxy server:

    GET http://example.com/file HTTP/1.1
    Host: example.com

Note that the request line now actually contains the full url including protocol and hostname.
The Host header is probably redundant, but if I read the RFC correctly it is required by HTTP 1.1.
So I am thinking about setting up an Apache webserver listening on port 443, enabling a virtual host with the SSL engine and certificates set up, and not binding it to any hostname.
I think that should get Apache to talk SSL, but the certificate's common name will not match the host specified in the connect line to the proxy server's IP address.
Is what I want to do even possible with current standards, and if so, how can I do it?
Yes, of course; that's what an HTTPS proxy is.
The client connects to the proxy over SSL and sends commands to the proxy in text.
It is also possible to use HTTP CONNECT to establish HTTPS connection "inside" the SSL connection to HTTPS proxy, though not all clients support this:
HTTPS connection over HTTPS proxy

    client                    proxy                     server
      |<======== ssl ========>|                           |
      |--- CONNECT ---------->|                           |
      |<------ 200 OK --------|                           |
      |<================= ssl (inside the proxy ssl) ====>|
      |<================= data ==========================>|

HTTP connection over HTTPS proxy

    client                    proxy                     server
      |<======== ssl ========>|                           |
      |-- GET http://server/ >|                           |
      |                       |--- GET / ---------------->|
      |                       |    Host: server           |
      |                       |<-- OK, data --------------|
      |<----- OK, data -------|                           |
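As an added example (not part of the answer above, and not Apache code), here is the rewrite the proxy performs in the "HTTP connection over HTTPS proxy" case: an absolute-form request line from the client becomes an origin-form request plus a Host header towards the origin, while a CONNECT request is only tunnelled. The helper names, the Host-mismatch check and the sample requests are constructed for this example.

```python
from urllib.parse import urlsplit

# Hop-by-hop headers addressed to the proxy itself; never forwarded to the origin.
PROXY_ONLY_HEADERS = ("host", "proxy-connection", "proxy-authorization")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request head into (method, target, version, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def to_origin_form(raw: bytes):
    """Return ("tunnel", host_port) for CONNECT, else ("forward", origin_request).

    Raises ValueError when the Host header disagrees with the URL's authority;
    a proxy should refuse such a request rather than guess which one was meant.
    """
    method, target, version, headers = parse_request(raw)
    if method == "CONNECT":
        # The proxy only opens a TCP tunnel; the bytes inside are opaque to it.
        return "tunnel", target
    if not target.startswith("http://"):
        raise ValueError("proxy request must use an absolute-form target")
    url = urlsplit(target)
    if "host" in headers and headers["host"].lower() != url.netloc.lower():
        raise ValueError("Host header does not match request target")
    path = url.path or "/"
    if url.query:
        path += "?" + url.query
    # Origin form: only the path on the request line, the authority in Host.
    out = [f"{method} {path} {version}", f"Host: {url.netloc}"]
    for name, value in headers.items():
        if name not in PROXY_ONLY_HEADERS:
            out.append(f"{name}: {value}")
    return "forward", ("\r\n".join(out) + "\r\n\r\n").encode("ascii")
```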