2012/3/29 William Lewis <[email protected]>:
> Hi,
>
> So I use Haproxy to rewrite some URL requests in front of my java webservers,
> but I also want my java webservers to be able to issue redirects relative to
> the url that hit haproxy.
>
> Specifically I want the developers that have access to application platform
> but not the haproxy to be able to enforce a resource is only accessible over
> https without me having to write a rule in the haproxy config. In this case
> they just need to be able to get the original request and send back a 403
> redirect with https:// on the front, of course they don't see the original
> url so this is a problem.
>
> I tried solving it with this rule
>
> reqirep ^((HEAD|GET|POST|PUT|DELETE|TRACE|OPTIONS|CONNECT|PATCH)\ ([^\ ]*)\
> HTTP/1.[01]) \1\nX-Original-Request:\ \3
>
> run before any of the rewrite rules
>
> e.g.
> reqrep ^([^\ \t]*[\ \t])(.*) \1/tomcatcontext\2
>
> This results in a request to the webserver which looks like
>
> GET /tomcatcontext/ HTTP/1.1
> X-Original-Request: /
> Host: example.com
> Connection: keep-alive
> ...
>
> This all works great until you then try and do some acl matching in the
> haproxy, because an acl like
>
> acl example-com hdr_end(host) -i example.com
>
> will no longer match.
>
> Looks like a bug to me but I'd be interested in hearing any other ways of
> getting the original request through to the backend or otherwise allowing
> the backend to signal the haproxy that request needs to be redirected onto
> https.

I noticed possibly the same problem with an example like this:
#v+
       acl ssl         url_reg \/static\/.*
       acl static      hdr(host) -i s.example.com
       reqirep         ^Host:\ example.com   Host:\ s.example.com if ssl
       reqrep          ^([^\ ]*)\ /static/(.*)     \1\ /\2 if ssl

       use_backend cache if static
       default_backend default
#v-

The problem happens with "timeout http-keep-alive 1s" and without "option
httpclose". When I turn on "option httpclose" the problem is gone, and it
starts working normally.

From what I notice, as long as keepalive is working, requests only go
to the backend from the first request. After keepalive ends, the backend
is again chosen by ACL.

-- 
Łukasz Jagiełło
lukasz<at>jagiello<dot>org
