The reverse proxy of mydomain.com is working, but the subdomain fela.mydomain.com seems to be randomly picking between 172.17.0.59:8080 and 172.17.0.50:8080.
global
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 10000
timeout server 10000
listen stats
# Uncomment "disabeled" below to disable the stats page :
# disabled
bind :1988
stats uri /
frontend http-in
bind *:80
# Define hosts
acl host_fela hdr(host) -i fela.mydomain.com
acl host_mydomain hdr(host) -i mydomain.com
## figure out which one to use
use_backend mydomain_cluster if host_mydomain
use_backend fela_cluster if host_fela
backend mydomain_cluster
balance leastconn
option httpclose
option forwardfor
cookie JSESSIONID prefix
server node1 172.17.0.50:8080 cookie A check
backend fela_cluster
balance leastconn
option httpclose
option forwardfor
cookie JSESSIONID prefix
server node1 172.17.0.59:8080 cookie A check
If your intention is to strictly forward all the traffic targeted at fela.mydomain.com to 172.17.0.59:8080 use a different name for that cookie.
server node1 172.17.0.59:8080 cookie B check
Related
when we hit https://abc.domain.com/global its able to reach the backend server but the page keeps on loading. direct links to backend servers work and able to telnet to the servers as well. for ex https://srv1:8180/D2 and https://srv2:8180/D2 works
Could anyone please suggest what is missing? this is my first handson on haproxy. Selinux is disabled. haproxy server on redhat 7.9 and haproxy version 1.7.1
Below is the configuration file
defaults
mode http
log global
option httplog
#option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 10m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
stats enable
stats uri /stats
stats realm Haproxy\ Statistics
stats auth *:*
frontend https-in
mode http
bind *:443 ssl crt /etc/pki/tls/private/haproxy.pem
# redirect scheme https if !{ ssl_fc }
acl test_host hdr(host) -i abc.domain.com
acl d2nsh path_beg -i /global
use_backend testd2nsh if test_host d2nsh
frontend http-in
bind *:80
mode http
option httplog
##
acl test_host hdr(host) -i abc.domain.com
##
acl d2nsh path_beg -i /global
##
##
backend testd2nsh
mode http
balance roundrobin
option httpclose
option forwardfor
cookie JSESSIONID prefix nocache
reqrep ^([^\ :]*)\ /global/(.*) \1\ /D2/\2
server srv1_8180 srv1:8180 ssl verify none check cookie s1
server srv1_8190 srv1:8190 ssl verify none check cookie s2
server srv2_8180 srv2:8180 ssl verify none check cookie s3
server srv2_8190 srv2:8190 ssl verify none check cookie s4
##
Which version of HAProxy do your use?
haproxy -vv
Just a wild guess but on the srv*:8180 does not exist the /global URL and your get a redirect to https://srv*:8180/D2
If this is the case then try to set the path in the backend.
http-request set-path
backend testd2nsh
# other configs
http-request set-path /D2
# rest of the config
Some of servers and applications can be configured to know that they run behind a reverse Proxy and adopt the redirects like the tomcat
I have one server containing FE app and BE for it. FE listens port 80 and BE is deployed to Tomcat listening default port 8080. HAProxy is used to listen port 443 / handle ssl. Proxying to FE / port 80 works fine, but not to BE / Tomcat listening port 8080. Here's the configuration I'm using:
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
maxconn 3072
tune.ssl.default-dh-param 2048
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/ssl.key
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
#ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option httpchk
option httplog
option dontlognull
option forwardfor
option http-server-close
option http-keep-alive
option abortonclose
option redispatch
retries 3
maxconn 3072
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
listen stats
bind 0.0.0.0:9000
mode http
frontend http-in
bind *:443 ssl crt /etc/ssl/private/bundle.pem
http-request set-header X-Forwarded-Proto https if { ssl_fc }
redirect scheme https if !{ ssl_fc }
# Define hosts
acl host_fe hdr(host) -i fe.domain.com
acl host_be hdr(host) -i be.domain.com
## figure out which one to use
use_backend fecluster if host_fe
use_backend becluster if host_be
backend fecluster
balance leastconn
option httpclose
option forwardfor
server node1 localhost:80 cookie A check
backend becluster
mode http
balance leastconn
option httpclose
option forwardfor
cookie JSESSIONID prefix
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
redirect scheme https if !{ ssl_fc }
server node1 localhost:8080 maxconn 32 check inter 5000
cookie node1
Tomcat works fine using ip address directly, so that's not the case. So help is needed for the host_be / becluster.
I have haproxy setup in a 6 server node web application setup. 2 front end servers. 2 web servers. 2 database servers.
I recently added ssl certificates and redirection for all the sites running on the servers. We run Drupal multiside setup. So each site has its own apache config and conf file on the web servers.
The setup seems to work but what happens is SSL redirection fails after a certain amount of time (usually 1 few hours) and I have to keep restarting haproxy to fix it. I suspect either its a setup issues with my haproxy or I am going about this the wrong way.
Below is my haproxy config file with accounts and ip's munged.
Anyone able to give me any suggestions on what I am doing wrong?
global
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
stats socket /var/lib/haproxy/stats
defaults
mode tcp
log global
option httplog
option dontlognull
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
frontend web-front *:80
acl url_static path_beg -i /static /images /javascript /stylesheets
acl url_static path_end -i .jpg .gif .png .css .js
option abortonclose
option http-keep-alive
default_backend web
frontend web-front-ssl *:443
acl url_static path_beg -i /static /images /javascript /stylesheets
acl url_static path_end -i .jpg .gif .png .css .js
option abortonclose
option http-keep-alive
default_backend web-ssl
listen stats *:9000
maxconn 500
mode http
log global
stats enable
stats refresh 30s
stats hide-version
stats show-node
stats uri /stats
stats auth ******:*******
backend web
balance roundrobin
stick-table type ip size 1m expire 1h
stick on src
server web01 10.10.10.17:80 check maxconn 1000
server web02 10.10.10.18:80 check maxconn 1000
option abortonclose
option http-keep-alive
backend web-ssl
balance roundrobin
stick-table type ip size 1m expire 1h
stick on src
server web01 10.10.10.17:443 check maxconn 1000
server web02 10.10.10.18:443 check maxconn 1000
option abortonclose
option http-keep-alive
It is not clear what you mean by "ssl redirection fails", but since you are saying that this happens after 1 hour, then this is probably about the "expire 1h" in your configuration.
Try to adjust that parameter accordingly.
I want to redirect https://myserver/myapplication/ to https://myserver.domain.com/myapplication/ using haproxy.
This is my haproxy configuration
frontend LB_http
bind 10.123.122.112:80
reqadd X-Forwarded-Proto:\ http
default_backend LB
frontend LB_https
bind 10.123.122.112:443 ssl crt /usr/local/apache2/conf/server.pem
reqadd X-Forwarded-Proto:\ https
default_backend LB
backend LB
redirect scheme https if !{ ssl_fc }
mode http
stats enable
stats hide-version
stats uri /stats
stats realm Haproxy\ Statistics
stats auth haproxy:redhat # Credentials for HAProxy Statistic report page.
balance roundrobin # Load balancing will work in round-robin process.
option httpchk
option httpclose
option forwardfor
server myserver.domain.com myserver.domain.com:80 # backend server.
I have edited the config file by adding the below two lines
acl no_domain hdr(host) -i myserver
http-request redirect code 301 prefix %[hdr(host)].domain.com%[path] if no_domain
But now, when I try
myserver/myapplication/
the url is redirecting multiple times I guess. It is redirecting me to very long url like this
https://myserver/myapplication/myserver.domain.com/myapplication/myserver.domain.com/myapplication/myserver.domain.com/myapplication/myserver.domain.com/myapplication/myserver.domain.com/myapplication/myserver.domain.com/myapplication/
What am I missing?
I have modified the code as below and it started working as expected
frontend LB_http
bind 10.123.122.112:80
reqadd X-Forwarded-Proto:\ http
default_backend LB
frontend LB_https
bind 10.123.122.112:443 ssl crt /usr/local/apache2/conf/server.pem
reqadd X-Forwarded-Proto:\ https
default_backend LB
backend LB
acl no_domain hdr(host) -i myserver
http-request redirect code 301 prefix https:\/\/myserver.domain.com if no_domain
redirect scheme https if !{ ssl_fc }
mode http
stats enable
stats hide-version
stats uri /stats
stats realm Haproxy\ Statistics
stats auth haproxy:redhat # Credentials for HAProxy Statistic report page.
balance roundrobin # Load balancing will work in round-robin process.
option httpchk
option httpclose
option forwardfor
server myserver.domain.com myserver.domain.com:80 # backend server.
Now when I give
myserver/myapplication
it redirects to
https://myserver.domain.com/myapplication
I have a problem where sometimes HaProxy chooses the wrong SSL certificate. The scenario is this, I have 3 domains:
domain1.com
domain2.com
domain3.com
Each domain goes to the same backend, all ssl termination happens on the load balancer. Also each domain has it owns pem file in the designated pem folder.
Sometimes domain2.com will try to use domain1.com certificate, and same for the other domains. A simple refresh fixes it but it shouldn't be. Here is my config:
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
maxconn 10048
tune.ssl.default-dh-param 2048
defaults
log global
mode http
option forwardfor
option http-server-close
option httplog
option dontlognull
timeout connect 5000
timeout client 2000000
timeout server 2000000
frontend http_front
bind *:80
stats uri /haproxy?stats
reqadd X-Forwarded-Proto:\ http
default_backend http_back
frontend www-https
bind *:443 ssl crt /etc/ssl/pems/ #All PEMs here, in seperate files
reqadd X-Forwarded-Proto:\ https
default_backend http_back
backend http_back
redirect scheme https if !{ ssl_fc }
balance roundrobin
server sprout1 x.x.x.x.:80 check
What am I missing in my config?