Hello HAProxy Community,

We are seeking your assistance with the following issue we are facing with
HAProxy being used as a reverse proxy server.  Your vectors could help us
learn and identify the cause of our issue and solve it.  Thank you.

ISSUE
=====

We are able to successfully access and run our Web application from
INTERNALLY, bypassing HAProxy, using the <IP:Port> URL.

But, through HAProxy 1.7.8, only the login page of this Web application
loads.  Upon clicking the login button, nothing happens and we are unable to
go past it.

Below inline are the:

[1] HTTP header analysis from the browser inspection tool, for both the
successful application run (withOUT HAProxy) and the failed run with HAProxy.

Diffs: Set-Cookie header (JSESSIONID), Transfer-Encoding, Accept-Encoding,
Expires, p::submit

[2] HAProxy configuration with the relevant frontend and backend (we are
using modular, multiple files).

[3] HAProxy log (ATTACHED).

[1] Browser inspection output:  HTTP Headers
============================================

Successful running:  bypassing HAProxy (internally)
---------------------------------------------------------------------

Request URL:http://<IP:Port>/Product.Name/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage?2-1.0-signin-signin-submit
Request Method:POST
Status Code:200
Remote Address:<IP:Port>
Referrer Policy:no-referrer-when-downgrade

Response Headers
Ajax-Location:.
Cache-Control:no-cache, no-store
Content-Security-Policy:default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval';
Content-Type:text/xml;charset=UTF-8
Date:Mon, 17 Jul 2017 19:36:24 GMT
Expires:Thu, 01 Jan 1970 00:00:00 GMT
Pragma:no-cache
Set-Cookie:JSESSIONID=07E88B37E0F1F42D0BBD319FDC79DBD0;path=/<Product.Name>; HttpOnly
Strict-Transport-Security:max-age=31536000; includeSubDomains; preload
Transfer-Encoding:chunked
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
X-XSS-Protection:1; mode=block

Request Headers
Accept:application/xml, text/xml, */*; q=0.01
Accept-Encoding:gzip, deflate
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Content-Length:61
Content-Type:application/x-www-form-urlencoded; charset=UTF-8
Cookie:JSESSIONID=CD59ACAA3BCFE3F4C8A3AEBE77C52BC6
DNT:1
Host:<IP:Port>
Origin:http://<IP:Port>
Referer:http://<IP:Port>/<Product.Name>/signin;jsessionid=CD59ACAA3BCFE3F4C8A3AEBE77C52BC6
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
Wicket-Ajax:true
Wicket-Ajax-BaseURL:signin
X-Requested-With:XMLHttpRequest

Query String Parameters
2-1.0-signin-signin-submit:

Form Data
login:<.>
pass:<.>
p::submit:1


FAILED LOGIN via HAProxy
-------------------------------

Request URL:https://<our.domain.com>/<Product.Name>/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage?1-1.2-signin
Request Method:POST
Status Code:400
Remote Address:<IP>:443
Referrer Policy:no-referrer-when-downgrade

Response Headers
Cache-Control:nocache, no-store
Content-Language:en
Content-Length:800
Content-Security-Policy:default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval';
Content-Type:text/html;charset=utf-8
Date:Wed, 19 Jul 2017 06:45:33 GMT
Pragma:no-cache
Referrer-Policy:no-referrer-when-downgrade
Strict-Transport-Security:max-age=31536000; includeSubDomains; preload
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
X-XSS-Protection:1; mode=block

Request Headers
Accept:application/xml, text/xml, */*; q=0.01
Accept-Encoding:gzip, deflate, br
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Content-Length:45
Content-Type:application/x-www-form-urlencoded; charset=UTF-8
Cookie:JSESSIONID=cc-tt-d~6EE3B690118810FEE7ED4B38E61D9294
DNT:1
Host:<our.domain.com>
Origin:https://<our.domain.com>
Referer:https://<our.domain.com>/Product.Name/signin;jsessionid=6EE3B690118810FEE7ED4B38E61D9294
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
Wicket-Ajax:true
Wicket-Ajax-BaseURL:signin
Wicket-FocusedElementId:btn1d9
X-Requested-With:XMLHttpRequest

Query String Parameters
1-1.2-signin:

Form Data
login:<.>
pass:<.>

[2] HAProxy configuration
---------------------------

global
    log                 127.0.0.1 local2
    log-tag             haproxy
    pidfile             /var/run/haproxy.pid
    user                haproxy
    group               haproxy
    nbproc              1
    maxconn             5000
    spread-checks       5
    debug
    chroot              "${.}/lib"
    stats socket        "${.}/lib/haproxy.sock"

    maxsslconn     256
    tune.ssl.default-dh-param 4096
    ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    ssl-default-server-options no-sslv3 no-tls-tickets
    maxcomprate                 1
    maxcompcpuusage             50
    tune.comp.maxlevel          5
    tune.http.maxhdr  101

defaults
    mode        http
    log         global
    option      httplog
    option      http-server-close
    option      redispatch
    retries     3
    backlog 10000
    timeout client      50000ms
    timeout connect     5000ms
    timeout server      50000ms
    timeout http-keep-alive     10s
    timeout http-request        15s
    timeout queue               30s
    timeout check               10s
    timeout tarpit              60s
    default-server inter 3s rise 2 fall 3
    option                      forwardfor
    option                      abortonclose
    maxconn                     50000
    compression algo gzip
    compression offload
    compression type text/html "text/html; charset=utf-8" text/html;charset=utf-8 text/plain text/css text/javascript application/x-javascript application/javascript application/ecmascript application/rss+xml application/atomsvc+xml application/atom+xml application/atom+xml;type=entry application/atom+xml;type=feed application/cmisquery+xml application/cmisallowableactions+xml application/cmisatom+xml application/cmistree+xml application/cmisacl+xml application/msword application/vnd.ms-excel application/vnd.ms-powerpoint image/svg+xml

frontend webapps-frontend
    bind          *:443 name https ssl crt <path to cert.name>.pem.ecc
    log           global
    option        forwardfor
    option        httplog clf
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    capture cookie JSESSIONID len 62
    acl host_https    req.hdr(Host) our.domain.com
    acl path_subdomain_demo path_beg -i "/Product" path_sub "\.Name"

    use_backend subdomain_demo-backend if host_https path_subdomain_demo !(.)

backend subdomain_demo-backend
    timeout tunnel      3600s
    cookie JSESSIONID prefix indirect nocache
    server Product.Name <IP:Port> cookie cc-tt-d check

    http-response set-header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval';"
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    http-response set-header X-Frame-Options "SAMEORIGIN"
    http-response set-header X-XSS-Protection "1; mode=block"
    http-response set-header X-Content-Type-Options "nosniff"
    http-response set-header Referrer-Policy "no-referrer-when-downgrade"
    http-response set-header Pragma "no-cache"
    # "nocache" is not a Cache-Control directive; the valid token is "no-cache"
    http-response set-header Cache-Control "no-cache, no-store"

    acl hdr_location res.hdr(Location) -m found
    rspirep ^(Location:)\ http://(.*)$   Location:\ https://\2

    acl hdr_set_cookie_dom res.hdr(Set-cookie) -m found sub Domain=
    rspirep ^(Set-Cookie:.*)\ Domain=(.*) \1\ Domain=our.domain.com\2 if hdr_set_cookie_dom
    acl hdr_set_cookie_path res.hdr(Set-cookie) -m found sub Path=Product.Name
    rspirep ^(Set-Cookie:.*)\ Path=(.*) \1\ Path=/Product.Name\2 if hdr_set_cookie_path

HA-Proxy version 1.7.8 2017/07/07
----------------------
Build options :
  TARGET  = linux2628
  CPU     = native
  CC      = gcc
  CFLAGS  = -m64 -march=x86-64 -O2 -march=native -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv
  OPTIONS = USE_LIBCRYPT=1 USE_CRYPT_H=1 USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_TFO=1 USE_NS=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Running on zlib version : 1.2.7
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with OpenSSL version : OpenSSL 1.0.2k  26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k  26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
Running on PCRE version : 8.32 2012-11-30
PCRE library supports JIT : yes
Built with Lua version : Lua 5.3.1
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Built with network namespace support

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
        [COMP] compression
        [TRACE] trace
        [SPOE] spoe

Thank you.

Sincerely,

Hemant K. Sabat

Coscend Communications Solutions
www.Coscend.com <http://www.coscend.com/>
------------------------------------------------------------------
Real-time, Interactive Video Collaboration, Tele-healthcare, Tele-education,
Telepresence Services, on the fly.
------------------------------------------------------------------
CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail
Messages from Coscend Communications Solutions' posted at:
http://www.Coscend.com/Terms_and_Conditions.html

Request URL:https://coscend.fortiddns.com/CoscendCC.Test.Demo/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage?8-1.2-signin
Request Method:POST
Status Code:400
Remote Address:76.186.214.195:443
Referrer Policy:no-referrer-when-downgrade

Response Headers
Cache-Control:nocache, no-store
Content-Language:en
Content-Length:800
Content-Security-Policy:default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval';
Content-Type:text/html;charset=utf-8
Date:Wed, 19 Jul 2017 06:14:30 GMT
Pragma:no-cache
Referrer-Policy:no-referrer-when-downgrade
Strict-Transport-Security:max-age=31536000; includeSubDomains; preload
X-Content-Type-Options:nosniff
X-Frame-Options:SAMEORIGIN
X-XSS-Protection:1; mode=block

Request Headers
Accept:application/xml, text/xml, */*; q=0.01
Accept-Encoding:gzip, deflate, br
Accept-Language:en-US,en;q=0.8
Connection:keep-alive
Content-Length:45
Content-Type:application/x-www-form-urlencoded; charset=UTF-8
DNT:1
Host:coscend.fortiddns.com
Origin:https://coscend.fortiddns.com
Referer:https://coscend.fortiddns.com/CoscendCC.Test.Demo/signin
User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
Wicket-Ajax:true
Wicket-Ajax-BaseURL:signin
Wicket-FocusedElementId:btn59
X-Requested-With:XMLHttpRequest

Query String Parameters
8-1.2-signin:

Form Data
login:Coscend.Evangelist
pass:Collaborative1!

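The Set-Cookie/Cookie difference called out in the post (the browser sends back JSESSIONID=cc-tt-d~6EE3... while the application issued, and the URL-rewritten Referer still carries, the bare id 6EE3...) is the visible effect of the backend's "cookie JSESSIONID prefix" line together with "server ... cookie cc-tt-d". The following Python emulation of that rewriting is an added example, not code from the post or from HAProxy itself: it assumes the server id cc-tt-d and the session ids from the captures as constructed inputs, and it models only the prefix insertion on the response and the prefix removal on the request (the indirect and nocache options are not modelled). It is useful when checking, from captured headers, what value the application actually received versus what the browser stored.

```python
import re

# Constructed sample values mirroring the post's captures: the server id comes
# from "server Product.Name <IP:Port> cookie cc-tt-d", the cookie name from
# "cookie JSESSIONID prefix indirect nocache".
SERVER_ID = "cc-tt-d"
COOKIE_NAME = "JSESSIONID"


def prefix_set_cookie(set_cookie: str, cookie_name: str, server_id: str) -> str:
    """Response direction: emulate 'cookie <name> prefix' on a Set-Cookie value.

    The application's own session cookie is kept; only '<server_id>~' is
    prepended to its value, so the client stores and returns the prefixed form.
    Attributes (path, HttpOnly, ...) and unrelated cookies are left untouched.
    """
    pattern = re.compile(r"^(\s*%s=)([^;]*)(.*)$" % re.escape(cookie_name), re.DOTALL)
    m = pattern.match(set_cookie)
    if not m:
        return set_cookie  # a different cookie: not the persistence cookie
    name, value, rest = m.groups()
    if value.startswith(server_id + "~"):
        return set_cookie  # already prefixed: rewriting is idempotent
    return f"{name}{server_id}~{value}{rest}"


def split_prefixed_cookie(cookie_header: str, cookie_name: str):
    """Request direction: emulate what the backend receives in prefix mode.

    Returns (server_id, forwarded_cookie_header). server_id is None when the
    named cookie is absent or has no '~' prefix, i.e. no persistence routing is
    possible from this header. The prefix is stripped before forwarding, so the
    application sees exactly the value it issued; other cookies are preserved.
    """
    server_id = None
    parts = []
    for part in cookie_header.split(";"):
        item = part.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        if sep and name == cookie_name and "~" in value:
            server_id, value = value.split("~", 1)
            item = f"{name}={value}"
        parts.append(item)
    return server_id, "; ".join(parts)


def demo():
    """Run both directions on the session id seen in the failed-login capture."""
    # What the application sent (constructed from the successful-run Set-Cookie
    # shape and the failed-run session id)...
    backend_set_cookie = "JSESSIONID=6EE3B690118810FEE7ED4B38E61D9294;path=/Product.Name; HttpOnly"
    # ...and what the browser stores after HAProxy rewrote it.
    to_client = prefix_set_cookie(backend_set_cookie, COOKIE_NAME, SERVER_ID)
    # What the browser sent back (the Cookie header from the failed-login
    # capture) and what the application receives after HAProxy strips it.
    from_client = "JSESSIONID=cc-tt-d~6EE3B690118810FEE7ED4B38E61D9294"
    server_id, to_server = split_prefixed_cookie(from_client, COOKIE_NAME)
    return to_client, server_id, to_server


if __name__ == "__main__":
    to_client, server_id, to_server = demo()
    print("browser stores :", to_client)
    print("routed to      :", server_id)
    print("backend sees   :", to_server)
```

Note that the `cookie` directive only rewrites the Cookie and Set-Cookie headers; a session id embedded in the URL path (the `;jsessionid=...` in the Referer above) is forwarded as-is, which is why the captured URL carries the unprefixed value while the header carries the prefixed one. Comparing the two outputs of `demo()` against the application's own session store is the quickest way to confirm whether the id the backend receives is the one it issued.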