haproxy - how to do virtualhost and https forwarding? - ssl

Can anyone please advise how to do this with haproxy?
I have this haproxy setup, where I receive HTTPS requests and forward them to localhost 8888.
But now I have more requests and need to apply virtual hosts:
https://python.stackoverflow.com = goes to as it is http://localhost:8888
https://cplusplus.stackoverflow.com = goes to /var/www/html/cgi-project
https://chat.stackoverflow.com = goes to /var/www/html/microchat
https://zendframework.stackoverflow.com = goes to /var/www/html/zf2/public
# HAProxy configuration as posted in the question: a plaintext listener
# (:8881) that redirects to https, and a TLS-terminating listener (:8882)
# that picks a backend by Host/Upgrade header. Both backends point at
# the same local service on 127.0.0.1:8888.
global
log 127.0.0.1 local0 debug
maxconn 8000
user haproxy
group haproxy
defaults
log global
option httplog
option dontlognull
option http-server-close
option redispatch
retries 3
mode http
maxconn 5000
timeout connect 5s
timeout client 30s
timeout server 30s
# long tunnel timeout keeps upgraded (websocket) connections open
timeout tunnel 12h
frontend www
bind :8881
option forwardfor
# this frontend has no TLS bind, so every request here is redirected
redirect scheme https if !{ ssl_fc }
frontend lb
# NOTE(review): the cipher list below still offers RC4 suites
# (*-RC4-SHA, RC4-SHA); RC4 is a broken stream cipher and those entries
# should be dropped -- the AES-GCM suites at the front are sufficient.
bind :8882 ssl crt /etc/stunnel/all.pem ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA
option forwardfor
# unconditional is fine here: this frontend only has a TLS bind
reqadd X-Forwarded-Proto:\ https
default_backend api
# two acl lines sharing a name are OR-ed: an Upgrade: WebSocket header
# OR a Host starting with "ws" selects the ws backend
acl is_websocket hdr(Upgrade) -i WebSocket
acl is_websocket hdr_beg(Host) -i ws
# prefix match: any Host beginning with "api"
acl is_api hdr_beg(Host) -i api
# first matching use_backend wins; unmatched traffic goes to default_backend
use_backend ws if is_websocket
use_backend api if is_api
backend api
balance roundrobin
server service 127.0.0.1:8888 weight 1 maxconn 2500 check
backend ws
balance roundrobin
server service 127.0.0.1:8888 weight 1 maxconn 2500 check

# Second configuration posted by the asker: identical to the first except
# that the TLS listener is on :443 and a third backend ("sub") is selected
# by an exact Host match on a placeholder subdomain.
global
log 127.0.0.1 local0 debug
maxconn 8000
user haproxy
group haproxy
defaults
log global
option httplog
option dontlognull
option http-server-close
option redispatch
retries 3
mode http
maxconn 5000
timeout connect 5s
timeout client 30s
timeout server 30s
timeout tunnel 12h
frontend www
bind :8881
option forwardfor
redirect scheme https if !{ ssl_fc }
frontend lb
# NOTE(review): the RC4 suites (*-RC4-SHA, RC4-SHA) at the end of this
# cipher list should be removed; RC4 is no longer considered safe.
bind :443 ssl crt /etc/stunnel/all.pem ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA
option forwardfor
reqadd X-Forwarded-Proto:\ https
default_backend api
acl is_websocket hdr(Upgrade) -i WebSocket
acl is_websocket hdr_beg(Host) -i ws
acl is_api hdr_beg(Host) -i api
# exact (case-sensitive, no -i) match on the full Host value;
# "subdomain.domain.com" looks like a placeholder to be replaced
acl subdomain hdr(host) subdomain.domain.com
# evaluated in order; the websocket rule runs before any host check,
# so an Upgrade request for any host ends up in backend ws
use_backend ws if is_websocket
use_backend api if is_api
use_backend sub if subdomain
backend api
balance roundrobin
server service 127.0.0.1:8888 weight 1 maxconn 2500 check
backend ws
balance roundrobin
server service 127.0.0.1:8888 weight 1 maxconn 2500 check
backend sub
balance roundrobin
server service 127.0.0.1:3000 weight 1 maxconn 2500 check

Related

HAProxy stuck on ssl websocket (parse livequery)

My use-case is using HAProxy as SSL termination for Parse Server & Parse LiveQuery. I'm stuck on the haproxy config because the websocket can't connect properly; it only works when connecting locally (no SSL termination). Tested on iOS (react native app).
This is my haproxy config
# TLS-terminating HAProxy in front of a Parse Server / LiveQuery process
# on 127.0.0.1:7777. Websocket upgrades and api.xxx.com traffic are routed
# to two backends that point at the same local port.
global
maxconn 50000
log 127.0.0.1 local0
user haproxy
# chroot + daemon: the worker runs confined and detached
chroot /usr/share/haproxy
pidfile /run/haproxy.pid
tune.ssl.default-dh-param 2048
# NOTE(review): this default cipher list still includes the 3DES suites
# (*-DES-CBC3-SHA, DES-CBC3-SHA); 3DES is weak and those entries can be
# dropped without affecting modern clients.
ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
# only SSLv3 is disabled; TLS 1.0/1.1 remain enabled unless
# no-tlsv10 / no-tlsv11 are added here as well
ssl-default-bind-options no-sslv3
daemon
defaults
log global
retries 3
mode http
# stats is enabled in defaults, so /stats is served by every proxy
# declared below; the credentials are redacted in the post
stats enable
stats uri /stats
stats realm Haproxy\ Statistics
stats auth xx:xx
option forwardfor
option http-server-close
option httplog
option dontlognull
frontend xxx_web
bind *:443 ssl crt /etc/haproxy/certs/xxx.com.pem
# NOTE(review): these are layer-7 (HTTP header) ACLs and only work in
# mode http; switching this frontend to mode tcp, as the answer below
# suggests, would leave them unable to match anything.
acl host_api_xxx hdr(host) -i api.xxx.com
acl is_websocket hdr(Upgrade) -i websocket
reqadd X-Forwarded-Port:\ 443
reqadd X-Forwarded-Proto:\ https
reqadd X-Forwarded-Scheme:\ https
# unreachable as written: the only bind in this frontend is TLS, so
# ssl_fc is always true here
redirect scheme https if !{ ssl_fc }
# websocket rule is checked first and does not look at Host, so any
# Upgrade request (whatever its host) goes to ws_xxx
use_backend ws_xxx if is_websocket
use_backend api_xxx if host_api_xxx
backend ws_xxx
server ws_xxx 127.0.0.1:7777 check
backend api_xxx
balance roundrobin
# NOTE(review): these repeat the frontend's reqadd lines, so each of the
# three headers is presumably appended twice -- confirm, and keep one set.
reqadd X-Forwarded-Port:\ 443
reqadd X-Forwarded-Proto:\ https
reqadd X-Forwarded-Scheme:\ https
server api_xxx 127.0.0.1:7777 check # ssl verify none
Changing the mode to "mode tcp" should help.

HTTPS URL Redirecting not working with HaProxy

I have two domains that each support HTTP and HTTPS - I want to redirect them to the proper ports / servers. The following config works for HTTP but not HTTPS.
# Config from the question: one plain :80 frontend and one :443 frontend,
# each routing two hostnames to separate HTTP / HTTPS backend pools.
global
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
chroot /var/lib/haproxy
user haproxy
group haproxy
# daemon
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
frontend http-in
bind *:80
acl ui hdr(host) -i app.XYZ.com
acl api hdr(host) -i api.XYZ.com
use_backend apiserverHTTP if api
use_backend uiserverHTTP if ui
frontend https-in
# NOTE(review): this bind has no "ssl crt <pem>" while the section is in
# mode http (inherited from defaults), so HAProxy sees the raw TLS
# handshake instead of HTTP and the hdr(host) ACLs below can never match.
# Either terminate TLS here (add ssl crt) or switch this frontend to
# mode tcp and route on the SNI name (req.ssl_sni), which fits backends
# that speak TLS themselves on 31001/31003.
bind *:443
acl ui hdr(host) -i app.XYZ.com
acl api hdr(host) -i api.XYZ.com
use_backend apiserverHTTPS if api
use_backend uiserverHTTPS if ui
backend apiserverHTTP
# tcplog in an http-mode backend gives the shorter TCP log format
option tcplog
balance leastconn
server apiserver-2 10.132.62.240:31000 check
server apiserver-1 10.132.62.242:31000 check
backend apiserverHTTPS
option tcplog
balance leastconn
server apiserverS-2 10.132.62.240:31001 check
server apiserverS-1 10.132.62.242:31001 check
backend uiserverHTTP
option tcplog
balance leastconn
server uiserver-1 10.132.62.240:31002 check
backend uiserverHTTPS
option tcplog
balance leastconn
server uiserverS-1 10.132.62.240:31003 check
HTTP redirects without a problem - HTTPS does no redirection of any sort. It just fails or falls through to the default backend if one is set.
Try this:
# Proposed answer: a single frontend bound to both ports, with dst_port
# ACLs deciding between the HTTP and HTTPS backend pools.
frontend http-in
bind *:80
# NOTE(review): as in the question, :443 is bound without "ssl crt", so
# in mode http the Host header of HTTPS connections is still unreadable
# (it is inside the TLS stream); the https_443 rules below will therefore
# only match once TLS is terminated on this bind.
bind *:443
acl ui hdr(host) -i app.XYZ.com
acl api hdr(host) -i api.XYZ.com
# destination port of the accepted connection selects the pool
acl http_80 dst_port 80
acl https_443 dst_port 443
# ACLs listed on one line are AND-ed
use_backend apiserverHTTP if api http_80
use_backend uiserverHTTP if ui http_80
use_backend apiserverHTTPS if api https_443
use_backend uiserverHTTPS if ui https_443
backend apiserverHTTP
option tcplog
balance leastconn
server apiserver-2 10.132.62.240:31000 check
server apiserver-1 10.132.62.242:31000 check
backend apiserverHTTPS
option tcplog
balance leastconn
server apiserverS-2 10.132.62.240:31001 check
server apiserverS-1 10.132.62.242:31001 check
backend uiserverHTTP
option tcplog
balance leastconn
server uiserver-1 10.132.62.240:31002 check
backend uiserverHTTPS
option tcplog
balance leastconn
server uiserverS-1 10.132.62.240:31003 check

haproxy - how can i transfer the https traffic?

On the same server I am running an Apache server with virtual hosts on port 80 and another TCP server for realtime on port 8888.
Using haproxy (with bind :443 ssl crt all.pem ciphers ECDHE) I am able to make port 8888 work, but how can I now forward the https://www.stackoverflow.com and https://www.google.com traffic to Apache on port 80?
# Backend definitions from the question. No frontend rules are shown that
# select the two www_* backends; the question is asking how to add them.
backend api
balance roundrobin
server service 127.0.0.1:8888 weight 1 maxconn 2500 check
backend www_stackoverflow_com
balance roundrobin
# sticky sessions via an inserted SERVERID cookie
cookie SERVERID insert nocache indirect
# health check expects /check.txt to exist on every server in the pool
option httpchk HEAD /check.txt HTTP/1.0
option httpclose
option forwardfor
# NOTE(review): Server1 is addressed by a public hostname; HAProxy
# resolves it when it starts, so this presumably stands in for the
# local Apache vhost -- confirm it is not meant to hit the public site.
server Server1 www.stackoverflow.com:80 cookie Server1
server Server2 10.1.1.2:80 cookie Server2
backend www_google_com
balance roundrobin
cookie SERVERID insert nocache indirect
option httpchk HEAD /check.txt HTTP/1.0
option httpclose
option forwardfor
server Server1 www.google.com:80 cookie Server1
server Server2 192.168.5.2:80 cookie Server2
You can use the following. Could someone please update this version to optimise it.
##############################################
# Global
##############################################
global
log 127.0.0.1 local0 debug
#log 127.0.0.1 local2 info
maxconn 8000
user haproxy
group haproxy
##############################################
# Defaults
##############################################
defaults
log global
option httplog
option dontlognull
option http-server-close
option redispatch
retries 3
mode http
maxconn 5000
timeout connect 5s
timeout client 30s
timeout server 30s
timeout tunnel 12h
##############################################
# Frontend - receive http transfer as https
# It creates a frontend that listens on port 8881,
# sets x-forwarded-for and
# redirects all requests on HTTP to their equivalent on HTTPS
# - "frontend www" defines a frontend named www,
# - "bind :8881" has it listen on port 8881,
# - "option forwardfor" has it insert x-forwarded-for: <client ip>,
# - "redirect scheme https" redirects to the same location using https
#   if the connection is not ssl
##############################################
frontend www
bind :8881
option forwardfor
redirect scheme https if !{ ssl_fc }
##############################################
# Frontend
##############################################
frontend lb
##############################################
# Ciphers:
# -------------------------------------------
# ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-
# AES256-GCM-SHA384:ECDHE-ECDSA-AES256-
# SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-
# AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-
# SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-
# AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-
# RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-
# RC4-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA
#
# NOTE(review): the RC4 suites at the end of this list should be
# removed; RC4 is a broken cipher and the AES-GCM suites in front of
# it cover current clients.
##############################################
bind :443 ssl crt /root/all.pem ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA
option forwardfor
# only a TLS bind in this frontend, so an unconditional reqadd is correct
reqadd X-Forwarded-Proto:\ https
default_backend api
# websocket routing is disabled; Upgrade requests are routed by Host only
#acl is_websocket hdr(Upgrade) -i WebSocket
# prefix match on the Host header; all other ACLs are exact host matches
acl is_api hdr_beg(Host) -i api
acl is_freeswitch hdr(Host) -i ws.A.com
acl is_turn hdr(Host) -i turn.A.com
acl is_realtime hdr(Host) -i realtime.A.com
# NOTE(review): is_interpretation and is_B both match B.A.com, and the
# interpretation rule is evaluated first, so "backend B" below is never
# selected -- one of the two hostnames is presumably a copy/paste slip.
acl is_interpretation hdr(Host) -i B.A.com
acl is_B hdr(Host) -i B.A.com
acl is_talk hdr(Host) -i talk.A.com
acl is_italk hdr(Host) -i italk.A.com
acl is_video hdr(Host) -i video.A.com
acl is_js hdr(Host) -i js.A.com
acl is_sip hdr(Host) -i sip.A.com
acl is_demo hdr(Host) -i demo.A.com
acl is_chat hdr(Host) -i chat.A.com
acl is_vnc hdr(Host) -i vnc.A.com
# first matching rule wins
use_backend turn if is_turn
use_backend api if is_api
use_backend realtime if is_realtime
use_backend interpretation if is_interpretation
use_backend B if is_B
use_backend freeswitch if is_freeswitch
use_backend talk if is_talk
use_backend talk if is_italk
use_backend talk if is_video
use_backend js if is_js
use_backend js if is_sip
use_backend js if is_demo
use_backend chat if is_chat
use_backend vnc if is_vnc
##############################################
# Backend - TCP PORTS
# 8888 = signal master
# 3000 = realtime
# 3001 = interpretation
# 3002 = ??
# 3003 = B
# 5066 = freeswitch
##############################################
backend api
balance roundrobin
server service 127.0.0.1:8888 weight 1 maxconn 2500 check
backend turn
balance roundrobin
server service 127.0.0.1:8888 weight 1 maxconn 2500 check
backend realtime
balance roundrobin
server service 127.0.0.1:3000 weight 1 maxconn 2500 check
backend interpretation
balance roundrobin
server service 127.0.0.1:3001 weight 1 maxconn 2500 check
backend B
balance roundrobin
server service 127.0.0.1:3003 weight 1 maxconn 2500 check
backend freeswitch
balance roundrobin
server service 127.0.0.1:5066 weight 1 maxconn 2500 check
##############################################
# Backends below hand the request to the web server on port 80, using
# the same public hostname the ACL matched. If those names resolve to
# this machine, the request lands on the local Apache :80 vhost
# described in the question -- verify they do not point elsewhere.
# "option forceclose" is deprecated in newer HAProxy releases, where
# "option httpclose" provides the same behaviour.
##############################################
backend talk
mode http
balance roundrobin
#option httpclose
option forceclose
server service talk.A.com:80 weight 1 maxconn 2500 check
backend js
balance roundrobin
mode http
#option httpclose
option forceclose
server service js.A.com:80 weight 1 maxconn 2500 check
backend chat
balance roundrobin
mode http
#option httpclose
option forceclose
server service chat.A.com:80 weight 1 maxconn 2500 check
backend vnc
balance roundrobin
mode http
#option httpclose
option forceclose
server service vnc.A.com:80 weight 1 maxconn 2500 check

HAProxy wildcard SSL backend forward issue

I am using HAProxy 1.5-dev21. I have purchased a wildcard SSL certificate (for example: *.foo.com).
I want all traffic arriving from the Internet on port 443 to be forwarded to the internal network according to the domain name; the backend servers are many web servers running HTTP (for example: abc.foo.com:443 -> 192.168.10.10:80 , edf.foo.com:443 -> 192.168.10.11:80).
However, whatever the incoming domain name, HAProxy passes all traffic to the default backend.
My config works well if I am not using SSL.
The following is my simplified config file:
# Simplified config from the question: TLS is terminated on :443 and the
# intent is to route by Host header to plain-HTTP servers on the LAN.
global
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
maxconn 4096
defaults
log global
mode http
option tcplog
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
frontend https-in
# NOTE(review): "mode tcp" overrides the "mode http" from defaults for
# this frontend. hdr_end(host) is an HTTP-level fetch, so in tcp mode
# the two use_backend rules below can never match and every connection
# falls to default_backend -- exactly the symptom described. Use
# "mode http" here (and in the backends, whose servers speak HTTP on
# port 80), as the accepted answer says.
mode tcp
bind :443 ssl crt /etc/haproxy/foo.com.pem
use_backend abc if { hdr_end(host) -i abc.foo.com }
use_backend def if { hdr_end(host) -i def.foo.com }
default_backend application-backend
backend abc
mode tcp
server Server1 192.168.10.10:80
backend def
mode tcp
server Server2 192.168.10.11:80
backend application-backend
mode tcp
server server3 192.168.10.12:80
You're using tcp mode while trying to access HTTP content.
Please turn on 'mode http' and it should work.
Baptiste
When you have SSL, you can't use hdr_end. Here is how I do it:
# Alternative answer: one frontend with a TLS bind and a plain bind,
# choosing the backend from the TLS SNI name instead of the Host header.
frontend domain.com
# NOTE(review): this cipher string explicitly re-enables export (+EXP),
# low-strength (+LOW) and SSLv3 suites plus RC4. It should be replaced
# with a modern list such as the ECDHE/AES-GCM set used elsewhere on
# this page; as written it accepts ciphers that are trivially broken.
# "crt domain.com" is presumably a path to a PEM file or directory --
# confirm it is not just the bare hostname.
bind 10.50.81.131:443 ssl crt domain.com ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP
bind 10.50.81.131:80
mode http
maxconn 300
option httpclose
option forwardfor
# conditional is needed here because this frontend also has a plain :80
# bind; only genuinely TLS connections get the header
reqadd X-Forwarded-Proto:\ https if { ssl_fc }
# ssl_fc_sni is the server name the client sent in the TLS handshake;
# clients that send no SNI (or a different name) fall to default_farm
use_backend first_farm if { ssl_fc_sni sub1.domain.com }
use_backend second_farm if { ssl_fc_sni sub2.domain.com }
default_backend default_farm

Unable to start domain with https

I am working on haproxy. I want to make my site open with http. I have purchased an SSL certificate and installed it on the server.
In ha.cfg I have configured it as follows:
# Config from the question: plain :80 and TLS :443 frontends in front of
# an application backend and a WordPress backend.
global
tune.bufsize 32786
tune.maxrewrite 16384
log 127.0.0.1 local0
log 127.0.0.1 local1 notice
maxconn 8192
user haproxy
group haproxy
daemon
defaults
log global
mode http
option httplog
option dontlognull
retries 3
option redispatch
balance roundrobin
# NOTE(review): stats is enabled in defaults, so /ssproxy_stats is
# served by the plaintext :80 frontend too, and the basic-auth pair below
# (haproxy:haproxy, a trivially guessable default) travels in clear.
# Move stats to a dedicated listener and use a strong credential.
stats enable
stats refresh
stats uri /ssproxy_stats
stats realm Haproxy\ Statistics
stats auth haproxy:haproxy
maxconn 4000
# contimeout/clitimeout/srvtimeout are the legacy spellings of
# "timeout connect" / "timeout client" / "timeout server"
contimeout 5000
clitimeout 50000
srvtimeout 50000
frontend http
bind *:80
acl hari path_beg /customers
acl css path_beg /assets
reqadd X-Forwarded-Proto:\ http
use_backend appointpress_app if hari
use_backend appointpress_app if css
default_backend appointpress_site
frontend https
# NOTE(review): HAProxy's "crt" argument expects a PEM file that holds
# the certificate, its chain and the private key together -- confirm
# this .crt file does. This frontend also sets no X-Forwarded-Proto and
# has none of the path ACLs of the :80 frontend, so https requests for
# /customers and /assets go to appointpress_site instead of the app.
bind *:443 ssl crt /etc/ssl/ssl.key/mydomain.crt
default_backend appointpress_site
# NOTE(review): the trailing " :80" after the backend names looks stray;
# a backend section takes only a name.
backend appointpress_app :80
stats enable
stats auth haproxy:haproxy
cookie SERVERID insert
option httpclose
option forwardfor
server app_server ec2-elastic-domain:80 cookie haproxy_app check
backend appointpress_site :80
stats enable
stats auth haproxy:haproxy
cookie SERVERID insert
option httpclose
option forwardfor
# NOTE(review): this server is addressed on port 443 but has no "ssl"
# keyword, so HAProxy sends plaintext HTTP to it. If someip:443 is a TLS
# listener, add "ssl" (with verify/ca-file) to the server line or point
# it at the plain HTTP port.
server wordpress someip:443 cookie haproxy_site check
After running the command haproxy -f ha.cfg I get no error,
and when I open the url http://ec2-instance, it works fine,
but when I open https://ec2-instance,
I get an error:
in chrome : Error code: ERR_SSL_PROTOCOL_ERROR
in firefox : Error code: ssl_error_rx_record_too_long
How to resolve the error
Check to make sure that your EC2 security rules allow port 443 to your running instance. A simple way to test this is to use telnet from your client:
# quick reachability check of the TLS port; "ec2-instance" is a placeholder
# for the instance's hostname or address
telnet ec2-instance 443