I have HAProxy 1.4 installed and I need to configure a reverse proxy in haproxy.conf that rewrites a URL from www.somedomain.com to www.otherdomain.com/bla/ble. The configuration that I am writing is here:
        acl cpol_acl hdr_dom(host) -i www.somedomain.com
        use_backend cpol_srv if cpol_acl

    backend cpol_srv
        balance leastconn
        mode http
        option httplog
        stick on src
        stick-table type ip size 10240k expire 60m
        reqirep ^([^\ :]*)\ /(.*) \1\ /bla/ble\2
        reqirep ^Host:\ www.somedomain.com Host:\ www.otherdomain.com
        server cpol_srv www.otherdomain.com check port 80
This is working, but the URL in the browser does rewrite to www.otherdomain.com/bla/ble and that's not what I want. If I remove the line
    reqirep ^([^\ :]*)\ /(.*) \1\ /bla/ble\2
I can only forward to the host www.otherdomain.com, but the URL in the browser stays with www.somedomain.com.
Is there any way of doing this type of reverse proxy without rewriting the browser URL?
PS: I would do this Apache style (which works) but the machine does not have any NAT to the world outside, and can only communicate to haproxy.
Well, after a while I figured out what has to be done.
It's not sufficient to change only the request; the response also has to be changed back to the original requesting host. An acl was also made to prevent repetition of the directory URL part "/bla/ble". Sticking to the example above, this should be done like so:
        acl cpol_acl hdr_dom(host) -i www.somedomain.com
        use_backend cpol_srv if cpol_acl

    backend cpol_srv
        balance leastconn
        mode http
        option httplog
        stick on src
        stick-table type ip size 10240k expire 60m
        acl no_redir url_beg /bla/ble/
        reqirep ^Host:\ www.somedomain.com Host:\ www.otherdomain.com
        reqirep ^([^\ :]*)\ /(.*) \1\ /bla/ble\2 if !no_redir
        rspirep ^([^\ :]*)\ (.*)www.otherdomain.com/bla/ble/(.*) \1\ \2www.somedomain.com/\3
        server cpol_srv www.otherdomain.com check port 80
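Header-rewrite rules like the ones in this answer can be checked offline before they are loaded into the proxy. The following is an added example, not code from the posts or from HAProxy: it replays the three rules over constructed request and response lines, and the helper names (`apply_rule`, `rewrite_request`, `rewrite_response`) and the sample traffic are assumptions.

```python
import re

# HAProxy escapes a space as "\ " in its config; in Python it is a plain space.
# Assumption: a line that matches is replaced as a whole by the template,
# which is how HAProxy documents reqrep/rsprep. The "i" variants ignore case.
REQ_HOST = (re.compile(r"^Host: www.somedomain.com", re.I),
            r"Host: www.otherdomain.com")
REQ_PATH = (re.compile(r"^([^ :]*) /(.*)", re.I), r"\1 /bla/ble\2")
RSP_HOST = (re.compile(r"^([^ :]*) (.*)www.otherdomain.com/bla/ble/(.*)", re.I),
            r"\1 \2www.somedomain.com/\3")


def apply_rule(rule, line):
    """Return the rewritten line, or the line unchanged if the rule misses."""
    pattern, template = rule
    match = pattern.search(line)
    return match.expand(template) if match else line


def rewrite_request(lines):
    """lines[0] is the request line, the rest are header lines."""
    path = lines[0].split(" ")[1]
    no_redir = path.startswith("/bla/ble/")      # acl no_redir url_beg /bla/ble/
    out = [apply_rule(REQ_HOST, line) for line in lines]
    if not no_redir:                             # reqirep ... if !no_redir
        out = [apply_rule(REQ_PATH, line) for line in out]
    return out


def rewrite_response(lines):
    """Apply the rspirep rule to the status line and every header line."""
    return [apply_rule(RSP_HOST, line) for line in lines]


if __name__ == "__main__":
    # Constructed sample traffic, not captured from a real server.
    for request_line in ("GET / HTTP/1.1", "GET /index.html HTTP/1.1",
                         "GET /bla/ble/a.css HTTP/1.1"):
        print(rewrite_request([request_line, "Host: www.somedomain.com"]))
    print(rewrite_response(["HTTP/1.1 302 Found",
                            "Location: http://www.otherdomain.com/bla/ble/login"]))
```

On these constructed inputs `/index.html` is forwarded as `/bla/bleindex.html`, because the template puts no `/` before `\2`. The `Location` line comes back unchanged, because `[^ :]*` stops at the colon that ends the header name and the rule then expects a space.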
Related
When we hit https://abc.domain.com/global it's able to reach the backend server but the page keeps on loading. Direct links to backend servers work and we are able to telnet to the servers as well. For example, https://srv1:8180/D2 and https://srv2:8180/D2 work.
Could anyone please suggest what is missing? This is my first hands-on with HAProxy. SELinux is disabled. The HAProxy server is on Red Hat 7.9 and the HAProxy version is 1.7.1.
Below is the configuration file
    defaults
        mode http
        log global
        option httplog
        #option dontlognull
        option http-server-close
        option forwardfor except 127.0.0.0/8
        option redispatch
        retries 3
        timeout http-request 10s
        timeout queue 1m
        timeout connect 10s
        timeout client 1m
        timeout server 10m
        timeout http-keep-alive 10s
        timeout check 10s
        maxconn 3000
        stats enable
        stats uri /stats
        stats realm Haproxy\ Statistics
        stats auth *:*

    frontend https-in
        mode http
        bind *:443 ssl crt /etc/pki/tls/private/haproxy.pem
        # redirect scheme https if !{ ssl_fc }
        acl test_host hdr(host) -i abc.domain.com
        acl d2nsh path_beg -i /global
        use_backend testd2nsh if test_host d2nsh

    frontend http-in
        bind *:80
        mode http
        option httplog
        ##
        acl test_host hdr(host) -i abc.domain.com
        ##
        acl d2nsh path_beg -i /global
        ##
        ##

    backend testd2nsh
        mode http
        balance roundrobin
        option httpclose
        option forwardfor
        cookie JSESSIONID prefix nocache
        reqrep ^([^\ :]*)\ /global/(.*) \1\ /D2/\2
        server srv1_8180 srv1:8180 ssl verify none check cookie s1
        server srv1_8190 srv1:8190 ssl verify none check cookie s2
        server srv2_8180 srv2:8180 ssl verify none check cookie s3
        server srv2_8190 srv2:8190 ssl verify none check cookie s4
        ##
Which version of HAProxy do you use?
    haproxy -vv
Just a wild guess, but the /global URL does not exist on srv*:8180 and you get a redirect to https://srv*:8180/D2.
If this is the case then try to set the path in the backend.
http-request set-path
    backend testd2nsh
        # other configs
        http-request set-path /D2
        # rest of the config
Some servers and applications, like Tomcat, can be configured to know that they run behind a reverse proxy and adapt the redirects.
I am trying to forward client/source IP to my backend server using x-forwarded-for. I am using libwebsockets and the client IP is seen as 127.0.0.1.
I have looked at and tried various solutions and none have worked for me.
    haproxy -vw
    HA-Proxy version 1.6.3 2015/12/25

    frontend firstbalance
        bind *:443 ssl crt /etc/ssl/xip.io/temp/cert.pem
        mode http
        option forwardfor
        reqadd X-Forwarded-Proto:\ https if { ssl_fc }
        capture request header X-Forwarded-For len 50

    backend lws_traffic
        balance roundrobin
        mode http
        option forwardfor
        server lws00 127.0.0.1:8000 check
Just try with this config:
    frontend haproxynode
        bind *:80
        mode http
        default_backend backendnodes

    backend backendnodes
        balance roundrobin
        option forwardfor
        http-request set-header X-Forwarded-Port %[dst_port]
        http-request add-header X-Forwarded-Proto https if { ssl_fc }
        option httpchk HEAD / HTTP/1.1\r\nHost:localhost
        server node1 backendserver:8080 check
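With `option forwardfor`, HAProxy appends the address it accepted the connection from as an `X-Forwarded-For` header, while the TCP peer the backend sees stays 127.0.0.1, so the application has to read the header itself. The following is an added example, not code from the posts or from libwebsockets, of choosing the client address from that header while ignoring values a client could have forged; `TRUSTED_PROXIES`, `client_ip` and the sample addresses are assumptions.

```python
import ipaddress

# Assumption: HAProxy runs on the same host as the backend, as in the question.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8")]


def is_trusted(addr):
    """True if addr belongs to a proxy whose X-Forwarded-For entries we accept."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_values):
    """Pick the client address for one request.

    peer_addr:  address of the TCP peer that connected to the backend.
    xff_values: every X-Forwarded-For header value, in the order received.
    """
    if not is_trusted(peer_addr):
        # The request did not come through our proxy: the header is
        # client-controlled and must be ignored.
        return peer_addr
    hops = [h.strip() for value in xff_values
            for h in value.split(",") if h.strip()]
    # The proxy appends its entry last, so walk from the right and stop at
    # the first hop that is not one of our own proxies.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr          # malformed entry: fall back to the peer
        if not is_trusted(hop):
            return hop
    return peer_addr


if __name__ == "__main__":
    # Constructed inputs (documentation address ranges), not real traffic.
    print(client_ip("127.0.0.1", ["203.0.113.7"]))
    # A client that sent its own X-Forwarded-For: 10.0.0.1 before the proxy
    # appended the address it actually saw.
    print(client_ip("127.0.0.1", ["10.0.0.1", "198.51.100.23"]))
```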
I want to redirect https://myserver/myapplication/ to https://myserver.domain.com/myapplication/ using haproxy.
This is my haproxy configuration
    frontend LB_http
        bind 10.123.122.112:80
        reqadd X-Forwarded-Proto:\ http
        default_backend LB

    frontend LB_https
        bind 10.123.122.112:443 ssl crt /usr/local/apache2/conf/server.pem
        reqadd X-Forwarded-Proto:\ https
        default_backend LB

    backend LB
        redirect scheme https if !{ ssl_fc }
        mode http
        stats enable
        stats hide-version
        stats uri /stats
        stats realm Haproxy\ Statistics
        stats auth haproxy:redhat # Credentials for HAProxy Statistic report page.
        balance roundrobin # Load balancing will work in round-robin process.
        option httpchk
        option httpclose
        option forwardfor
        server myserver.domain.com myserver.domain.com:80 # backend server.
I have edited the config file by adding the below two lines
    acl no_domain hdr(host) -i myserver
    http-request redirect code 301 prefix %[hdr(host)].domain.com%[path] if no_domain
But now, when I try
    myserver/myapplication/
the URL is redirecting multiple times, I guess. It is redirecting me to a very long URL like this:
    https://myserver/myapplication/myserver.domain.com/myapplication/myserver.domain.com/myapplication/myserver.domain.com/myapplication/myserver.domain.com/myapplication/myserver.domain.com/myapplication/myserver.domain.com/myapplication/
What am I missing?
I have modified the code as below and it started working as expected
    frontend LB_http
        bind 10.123.122.112:80
        reqadd X-Forwarded-Proto:\ http
        default_backend LB

    frontend LB_https
        bind 10.123.122.112:443 ssl crt /usr/local/apache2/conf/server.pem
        reqadd X-Forwarded-Proto:\ https
        default_backend LB

    backend LB
        acl no_domain hdr(host) -i myserver
        http-request redirect code 301 prefix https:\/\/myserver.domain.com if no_domain
        redirect scheme https if !{ ssl_fc }
        mode http
        stats enable
        stats hide-version
        stats uri /stats
        stats realm Haproxy\ Statistics
        stats auth haproxy:redhat # Credentials for HAProxy Statistic report page.
        balance roundrobin # Load balancing will work in round-robin process.
        option httpchk
        option httpclose
        option forwardfor
        server myserver.domain.com myserver.domain.com:80 # backend server.
Now when I give
myserver/myapplication
it redirects to
https://myserver.domain.com/myapplication
I have a problem where sometimes HaProxy chooses the wrong SSL certificate. The scenario is this, I have 3 domains:
domain1.com
domain2.com
domain3.com
Each domain goes to the same backend; all SSL termination happens on the load balancer. Also, each domain has its own PEM file in the designated PEM folder.
Sometimes domain2.com will try to use domain1.com certificate, and same for the other domains. A simple refresh fixes it but it shouldn't be. Here is my config:
    global
        log /dev/log local0
        log /dev/log local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon
        maxconn 10048
        tune.ssl.default-dh-param 2048

    defaults
        log global
        mode http
        option forwardfor
        option http-server-close
        option httplog
        option dontlognull
        timeout connect 5000
        timeout client 2000000
        timeout server 2000000

    frontend http_front
        bind *:80
        stats uri /haproxy?stats
        reqadd X-Forwarded-Proto:\ http
        default_backend http_back

    frontend www-https
        bind *:443 ssl crt /etc/ssl/pems/ #All PEMs here, in separate files
        reqadd X-Forwarded-Proto:\ https
        default_backend http_back

    backend http_back
        redirect scheme https if !{ ssl_fc }
        balance roundrobin
        server sprout1 x.x.x.x.:80 check
What am I missing in my config?
I have HAProxy as a load balancer and dynamic redirector to my webserver and websocket server so that they can run over the same port. My websocket server requires SSL termination at HAProxy.
I want to configure HAProxy so that http traffic is redirected to https but websockets work on both ports 80 and 443 (ws and wss). Is this possible?
My current config is:
    global
        maxconn 50000
        user root
        group root
        stats socket /tmp/haproxy
        node lb1
        nbproc 1
        #daemon
        #debug

    defaults
        log global
        retries 3
        option dontlog-normal
        timeout connect 10000ms
        timeout client 10000ms
        timeout server 10000ms
        timeout tunnel 24h
        maxconn 50000
        mode http
        option http-server-close

    backend wwwServers
        mode http
        balance roundrobin
        option httpchk HEAD / HTTP/1.1
        server www1 127.0.0.1:1138 check

    backend wsServers
        server ws1 127.0.0.1:1137 check

    frontend secured
        bind :443 ssl crt /cert/cert.pem
        reqadd X-Forwarded-Proto:\ https
        default_backend wwwServers

    frontend unsecured
        bind :80
        acl is_websocket hdr(Upgrade) -i WebSocket
        use_backend wsServers if is_websocket
        redirect scheme https if !{ ssl_fc }
        default_backend wwwServers
But this redirects the websocket connection before the upgrade, because HAProxy reports the following when I run it:
a 'redirect' rule placed after a 'use_backend' rule will still be processed before.
Any help would be appreciated.
Thanks,
The solution was as follows:
    frontend secured
        bind :443 ssl crt /path/to/certificate.pem
        reqadd X-Forwarded-Proto:\ https
        acl is_websocket hdr(Upgrade) -i WebSocket
        use_backend wsServers if is_websocket
        default_backend wwwServers

    frontend unsecured
        bind :81,:80
        acl is_websocket hdr(Upgrade) -i WebSocket
        redirect scheme https if !{ ssl_fc } !is_websocket
        use_backend wsServers if is_websocket
        default_backend wwwServers
If a non-SSL, non-websocket connection is made, it is redirected.