On Wed, Jul 19, 2017 at 5:29 PM, Coscend@HAProxy <
[email protected]> wrote:

> Attached is the correct HAProxy log output.
>
>
>
> The attachment in the previous post was from an unrelated context.
> Apologies.  Thank you for your assistance.
>
>
>
> *From:* Coscend@HAProxy [mailto:[email protected]]
> *Sent:* Wednesday, July 19, 2017 2:16 AM
> *To:* [email protected]
> *Subject:* Seeking Assistance: HTTP Headers Conf. to Access Web Product
>
>
>
> Hello HAProxy Community,
>
>
>
> We are seeking your assistance with the following issue we are facing with
> HAProxy being used as a reverse proxy server.  Your vectors could help us
> learn and identify the cause of our issue and solve it.  Thank you.
>
>
>
> ISSUE
>
> =====
>
> We are able to successfully access and run our Web application from
> INTERNALLY, bypassing HAProxy, using <IP:Port> URL.
>
> But, through HAProxy 1.7.8, only the login page of this Web application
> loads.  Upon clicking on login button, nothing happens and we are unable to
> go past it.
>
>
>
> Below inline are the:
>
> [1] HTTP header analysis from browser inspection tool, for both successful
> application run (withOUT HAProxy) and failed run with HAProxy.
>
> Diffs: Set-Cookie header (JSESSIONID), Transfer-Encoding, Accept-encoding,
> expires, p::submit
>
> [2] HAProxy conf. with relevant frontend and backend. – we are using
> modular, multiple files.
>
> [3] HAProxy log (ATTACHED).
>
>
>
>
>
> [1] Browser inspection output:  HTTP Headers
>
> ======================
>
> Successful running:  bypassing HAProxy (internally)
>
> ---------------------------------------------------------------------
>
> Request URL:http://< IP:Port>/Product.Name/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage?2-1.0-signin-signin-submit
>
> Request Method:POST
>
> Status Code:200
>
> Remote Address:<IP:Port>
>
> Referrer Policy:no-referrer-when-downgrade
>
> Response Headers
>
> Ajax-Location:.
>
> Cache-Control:no-cache, no-store
>
> Content-Security-Policy:default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval';
>
> Content-Type:text/xml;charset=UTF-8
>
> Date:Mon, 17 Jul 2017 19:36:24 GMT
>
> Expires:Thu, 01 Jan 1970 00:00:00 GMT
>
> Pragma:no-cache
>
> Set-Cookie:JSESSIONID=07E88B37E0F1F42D0BBD319FDC79DBD0;path=/<Product.Name>;HttpOnly
>
> Strict-Transport-Security:max-age=31536000; includeSubDomains; preload
>
> Transfer-Encoding:chunked
>
> X-Content-Type-Options:nosniff
>
> X-Frame-Options:SAMEORIGIN
>
> X-XSS-Protection:1; mode=block
>
> Request Headers
>
> Accept:application/xml, text/xml, */*; q=0.01
>
> Accept-Encoding:gzip, deflate
>
> Accept-Language:en-US,en;q=0.8
>
> Connection:keep-alive
>
> Content-Length:61
>
> Content-Type:application/x-www-form-urlencoded; charset=UTF-8
>
> Cookie:JSESSIONID=CD59ACAA3BCFE3F4C8A3AEBE77C52BC6
>
> DNT:1
>
> Host:< IP:Port>
>
> Origin:http://<IP:Port>
>
> Referer:http://<IP:Port>/<Product.Name>/signin;jsessionid=CD59ACAA3BCFE3F4C8A3AEBE77C52BC6
>
> User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
>
> Wicket-Ajax:true
>
> Wicket-Ajax-BaseURL:signin
>
> X-Requested-With:XMLHttpRequest
>
> Query String Parameters
>
> 2-1.0-signin-signin-submit:
>
> Form Data
>
> login:<…>
>
> pass:<…>
>
> p::submit:1
>
>
>
>
>
> FAILED LOGIN via HAProxy
>
> -------------------------------
>
> Request URL:https://<our.domain.com>/<Product.Name>/wicket/bookmarkable/org.apache.openmeetings.web.pages.auth.SignInPage?1-1.2-signin
>
> Request Method:POST
>
> Status Code:400
>
> Remote Address:<IP>:443
>
> Referrer Policy:no-referrer-when-downgrade
>
> Response Headers
>
> Cache-Control:nocache, no-store
>
> Content-Language:en
>
> Content-Length:800
>
> Content-Security-Policy:default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval';
>
> Content-Type:text/html;charset=utf-8
>
> Date:Wed, 19 Jul 2017 06:45:33 GMT
>
> Pragma:no-cache
>
> Referrer-Policy:no-referrer-when-downgrade
>
> Strict-Transport-Security:max-age=31536000; includeSubDomains; preload
>
> X-Content-Type-Options:nosniff
>
> X-Frame-Options:SAMEORIGIN
>
> X-XSS-Protection:1; mode=block
>
> Request Headers
>
> Accept:application/xml, text/xml, */*; q=0.01
>
> Accept-Encoding:gzip, deflate, br
>
> Accept-Language:en-US,en;q=0.8
>
> Connection:keep-alive
>
> Content-Length:45
>
> Content-Type:application/x-www-form-urlencoded; charset=UTF-8
>
> Cookie:JSESSIONID=cc-tt-d~6EE3B690118810FEE7ED4B38E61D9294
>
> DNT:1
>
> Host:<our.domain.com>
>
> Origin:https://<our.domain.com>
>
> Referer:https://<our.domain.com>/Product.Name/signin;jsessionid=6EE3B690118810FEE7ED4B38E61D9294
>
> User-Agent:Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36
>
> Wicket-Ajax:true
>
> Wicket-Ajax-BaseURL:signin
>
> Wicket-FocusedElementId:btn1d9
>
> X-Requested-With:XMLHttpRequest
>
> Query String Parameters
>
> 1-1.2-signin:
>
> Form Data
>
> login:<…>
>
> pass:<…>
>
>
>
> [2] HAProxy configuration
>
> ---------------------------
>
> global
>
>     log                 127.0.0.1 local2
>
>     log-tag             haproxy
>
>     pidfile             /var/run/haproxy.pid
>
>     user                haproxy
>
>     group               haproxy
>
>     nbproc              1
>
>     maxconn             5000
>
>     spread-checks       5
>
>     debug
>
>     chroot              "${…}/lib"
>
>     stats socket        "${…}/lib/haproxy.sock"
>
>
>
>     maxsslconn     256
>
>     tune.ssl.default-dh-param 4096
>
>     ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
>
>     ssl-default-bind-options no-sslv3 no-tls-tickets
>
>     ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
>
>     ssl-default-server-options no-sslv3 no-tls-tickets
>
>     maxcomprate                 1
>
>     maxcompcpuusage             50
>
>     tune.comp.maxlevel          5
>
>     tune.http.maxhdr  101
>
>
>
> defaults
>
>     mode        http
>
>     log         global
>
>     option      httplog
>
>     option      http-server-close
>
>     option      redispatch
>
>     retries     3
>
>     backlog 10000
>
>     timeout client      50000ms
>
>     timeout connect     5000ms
>
>     timeout server      50000ms
>
>     timeout http-keep-alive     10s
>
>     timeout http-request        15s
>
>     timeout queue               30s
>
>     timeout check               10s
>
>     timeout tarpit              60s
>
>     default-server inter 3s rise 2 fall 3
>
>     option                      forwardfor
>
>     option                      abortonclose
>
>     maxconn                     50000
>
>     compression algo gzip
>
>     compression offload
>
>     compression type text/html "text/html; charset=utf-8" text/html;charset=utf-8 text/plain text/css text/javascript application/x-javascript application/javascript application/ecmascript application/rss+xml application/atomsvc+xml application/atom+xml application/atom+xml;type=entry application/atom+xml;type=feed application/cmisquery+xml application/cmisallowableactions+xml application/cmisatom+xml application/cmistree+xml application/cmisacl+xml application/msword application/vnd.ms-excel application/vnd.ms-powerpoint image/svg+xml
>
>
>
> frontend webapps-frontend
>
>
>
>     bind          *:443 name https ssl crt <path to cert.name>.pem.ecc
>
>     log           global
>
>     option        forwardfor
>
>     option        httplog clf
>
>     http-request set-header X-Forwarded-Port %[dst_port]
>
>     http-request set-header X-Forwarded-Proto https if { ssl_fc }
>
>     capture cookie JSESSIONID len 62
>
>     acl host_https    req.hdr(Host) our.domain.com
>
>    acl path_subdomain_demo path_beg -i "/Product" path_sub "\.Name"
>
>
>
>     use_backend subdomain_demo-backend if host_https path_subdomain_demo !
> (…)
>
>
>
> backend subdomain_demo-backend
>
>     timeout tunnel      3600s
>
>     cookie JSESSIONID prefix indirect nocache
>
>     server Product.Name <IP:Port> cookie cc-tt-d check
>
>
>
>     http-response set-header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval';"
>
>     http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
>
>     http-response set-header X-Frame-Options "SAMEORIGIN"
>
>     http-response set-header X-XSS-Protection "1; mode=block"
>
>     http-response set-header X-Content-Type-Options "nosniff"
>
>     http-response set-header Referrer-Policy "no-referrer-when-downgrade"
>
>     http-response set-header Pragma "no-cache"
>
>     http-response set-header Cache-Control "nocache, no-store"
>
>
>
>     acl hdr_location res.hdr(Location) -m found
>
>     rspirep ^(Location:)\ http://(.*)$   Location:\ https://\2
>
>
>
>     acl hdr_set_cookie_dom res.hdr(Set-cookie) -m found sub Domain=
>
>     rspirep ^(Set-Cookie:.*)\ Domain=(.*) \1\ Domain=our.domain.com\2 if hdr_set_cookie_dom
>
>
>
>     acl hdr_set_cookie_path res.hdr(Set-cookie) -m found sub Path=Product.Name
>
>     rspirep ^(Set-Cookie:.*)\ Path=(.*) \1\ Path=/Product.Name\2 if hdr_set_cookie_path
>
>
>
> HA-Proxy version 1.7.8 2017/07/07
>
> ----------------------
>
> Build options :
>
>   TARGET  = linux2628
>
>   CPU     = native
>
>   CC      = gcc
>
>   CFLAGS  = -m64 -march=x86-64 -O2 -march=native -g -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv
>
>   OPTIONS = USE_LIBCRYPT=1 USE_CRYPT_H=1 USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_TFO=1 USE_NS=1
>
> Default settings :
>
>   maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
>
> Encrypted password support via crypt(3): yes
>
> Built with zlib version : 1.2.7
>
> Running on zlib version : 1.2.7
>
> Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
>
> Built with OpenSSL version : OpenSSL 1.0.2k  26 Jan 2017
>
> Running on OpenSSL version : OpenSSL 1.0.2k  26 Jan 2017
>
> OpenSSL library supports TLS extensions : yes
>
> OpenSSL library supports SNI : yes
>
> OpenSSL library supports prefer-server-ciphers : yes
>
> Built with PCRE version : 8.32 2012-11-30
>
> Running on PCRE version : 8.32 2012-11-30
>
> PCRE library supports JIT : yes
>
> Built with Lua version : Lua 5.3.1
>
> Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
>
> Built with network namespace support
>
> Available polling systems :
>
>       epoll : pref=300,  test result OK
>
>        poll : pref=200,  test result OK
>
>      select : pref=150,  test result OK
>
> Total: 3 (3 usable), will use epoll.
>
> Available filters :
>
>         [COMP] compression
>
>         [TRACE] trace
>
>         [SPOE] spoe
>
>
>
>
>
> Thank you.
>
>
>
> Sincerely,
>
>
>
> Hemant K. Sabat
>
>
>
> Coscend Communications Solutions
>
> www.Coscend.com <http://www.coscend.com/>
>
> ------------------------------------------------------------------
>
> *Real-time, Interactive Video Collaboration, Tele-healthcare,
> Tele-education, Telepresence Services, on the fly…*
>
> ------------------------------------------------------------------
>
> CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail
> Messages from Coscend Communications Solutions' posted at:
> http://www.Coscend.com/Terms_and_Conditions.html
> <http://www.coscend.com/Terms_and_Conditions.html>
>
>
>
>
>
>
>
>
>
>
>
>

I would recommend inserting a separate cookie instead of messing with the
backend-provided one.
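
The reply's suggestion written out as backend configuration. This is an added example, not part of the original thread and not the poster's or the HAProxy project's configuration. The cookie name SRVID and the httponly/secure attributes are assumptions; the backend and server lines are copied from the posted config, and the two backend sections are alternatives, not meant to be loaded together.

```haproxy
# As posted: prefix mode rewrites the application's own session cookie.
# HAProxy prepends the server's cookie value and "~" to the backend's
# JSESSIONID, which is why the browser sends
#   Cookie: JSESSIONID=cc-tt-d~6EE3B690118810FEE7ED4B38E61D9294
# in the failed request, while the Referer still carries the bare session id.
backend subdomain_demo-backend
    timeout tunnel      3600s
    cookie JSESSIONID prefix indirect nocache
    server Product.Name <IP:Port> cookie cc-tt-d check

# Alternative per the reply: insert mode adds a separate persistence cookie.
# JSESSIONID reaches the browser exactly as the backend issued it.
#   insert    HAProxy emits its own Set-Cookie: SRVID=cc-tt-d
#   indirect  SRVID is removed from requests before they reach the backend
#   nocache   marks responses that set the cookie as non-cacheable
#   httponly  keeps the persistence cookie out of reach of page scripts
#   secure    cookie is only sent over TLS (the frontend binds *:443 ssl)
backend subdomain_demo-backend
    timeout tunnel      3600s
    cookie SRVID insert indirect nocache httponly secure
    server Product.Name <IP:Port> cookie cc-tt-d check
```

With the insert variant the browser holds two cookies (SRVID for stickiness, JSESSIONID for the application session), so the value the application sets and the value it later receives are identical.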
