On Thu, Mar 29, 2012 at 11:42 PM, William Lewis <m...@wlewis.co.uk> wrote:
> Hi Cyril,
>
>
> Cyril Bonté wrote:
>
> Hi William,
>
> On 29/03/2012 14:30, William Lewis wrote:
>
> Hi,
>
> So I use Haproxy to rewrite some URL requests in front of my java
> webservers, but I also want my java webservers to be able to issue
> redirects relative to the url that hit haproxy.
>
> Specifically I want the developers that have access to application
> platform but not the haproxy to be able to enforce a resource is only
> accessible over https without me having to write a rule in the haproxy
> config. In this case they just need to be able to get the original
> request and send back a 403 redirect with https:// on the front, of
> course they don't see the original url so this is a problem.
>
> I tried solving it with this rule
>
> reqirep ^((HEAD|GET|POST|PUT|DELETE|TRACE|OPTIONS|CONNECT|PATCH)\ ([^\ ]*)\ HTTP/1.[01]) \1\nX-Original-Request:\ \3
>
> run before any of the rewrite rules
>
> e.g.
> reqrep ^([^\ \t]*[\ \t])(.*) \1/tomcatcontext\2
>
> This results in a request to the webserver which looks like
>
> GET /tomcatcontext/ HTTP/1.1
> X-Original-Request: /
> Host: example.com
> Connection: keep-alive
> ...
>
> This all works great until you then try and do some acl matching in the
> haproxy, because an acl like
>
> acl example-com hdr_end(host) -i example.com
>
> will no longer match.
>
>
> It should (tested quickly here), can you provide us the version of haproxy
> you're using ? I remember there was a bug in old 1.4 versions concerning
> headers manipulation.
>
>
> I was using 1.4.19 but have just updated to 1.4.20 and still having the same
> problem, complete example config below
>
> global
>     daemon
>     quiet
>     maxconn 1024
>     pidfile /home/haproxyblue/haproxy.pid
>     uid 20003
>     gid 20003
>     chroot /home/haproxyblue
>     log 127.0.0.1 local0
>     log 127.0.0.1 local1 notice
>
> defaults
>     log global
>     option httplog
>     balance roundrobin
>     mode http
>     retries 3
>     option redispatch
>     timeout connect 300000
>     timeout client 300000
>     timeout server 300000
>
> frontend http-in
>     bind *:80
>
>     reqirep ^((HEAD|GET|POST|PUT|DELETE|TRACE|OPTIONS|CONNECT|PATCH)\ ([^\ ]*)\ HTTP/1.[01]) \1\nX-Original-Request:\ \3
>
>     acl test hdr_end(host) -i example.com
>
>     reqrep ^([^\ \t]*[\ \t])(.*) \1/tomcatcontext\2 if test
>
>     use_backend echo if test
>
> backend echo
>     mode http
>
>     option http-server-close
>     option forwardfor
>     server echo1 127.0.0.1:6666
>

Hi,

You should enable http-server-close on the frontend side as well.
Or better, put it in the defaults.

cheers