Baptiste wrote:
> On Thu, Mar 29, 2012 at 11:42 PM, William Lewis <m...@wlewis.co.uk> wrote:
>> Hi Cyril,
>>
>> Cyril Bonté wrote:
>>> Hi William,
>>>
>>> On 29/03/2012 14:30, William Lewis wrote:
>>>> Hi,
>>>>
>>>> So I use Haproxy to rewrite some URL requests in front of my java
>>>> webservers, but I also want my java webservers to be able to issue
>>>> redirects relative to the url that hit haproxy.
>>>>
>>>> Specifically I want the developers that have access to application
>>>> platform but not the haproxy to be able to enforce a resource is only
>>>> accessible over https without me having to write a rule in the haproxy
>>>> config. In this case they just need to be able to get the original
>>>> request and send back a 403 redirect with https:// on the front, of
>>>> course they don't see the original url so this is a problem.
>>>>
>>>> I tried solving it with this rule
>>>>
>>>>     reqirep ^((HEAD|GET|POST|PUT|DELETE|TRACE|OPTIONS|CONNECT|PATCH)\ ([^\ ]*)\ HTTP/1.[01]) \1\nX-Original-Request:\ \3
>>>>
>>>> run before any of the rewrite rules e.g.
>>>>
>>>>     reqrep ^([^\ \t]*[\ \t])(.*) \1/tomcatcontext\2
>>>>
>>>> This results in a request to the webserver which looks like
>>>>
>>>>     GET /tomcatcontext/ HTTP/1.1
>>>>     X-Original-Request: /
>>>>     Host: example.com
>>>>     Connection: keep-alive
>>>>     ...
>>>>
>>>> This all works great until you then try and do some acl matching in
>>>> the haproxy, because an acl like
>>>>
>>>>     acl example-com hdr_end(host) -i example.com
>>>>
>>>> will no longer match.
>>>
>>> It should (tested quickly here), can you provide us the version of
>>> haproxy you're using ?
>>> I remember there was a bug in old 1.4 versions concerning headers
>>> manipulation.
>>
>> I was using 1.4.19 but have just updated to 1.4.20 and still having the
>> same problem, complete example config below
>>
>>     global
>>         daemon
>>         quiet
>>         maxconn 1024
>>         pidfile /home/haproxyblue/haproxy.pid
>>         uid 20003
>>         gid 20003
>>         chroot /home/haproxyblue
>>         log 127.0.0.1 local0
>>         log 127.0.0.1 local1 notice
>>
>>     defaults
>>         log global
>>         option httplog
>>         balance roundrobin
>>         mode http
>>         retries 3
>>         option redispatch
>>         timeout connect 300000
>>         timeout client 300000
>>         timeout server 300000
>>
>>     frontend http-in
>>         bind *:80
>>         reqirep ^((HEAD|GET|POST|PUT|DELETE|TRACE|OPTIONS|CONNECT|PATCH)\ ([^\ ]*)\ HTTP/1.[01]) \1\nX-Original-Request:\ \3
>>         acl test hdr_end(host) -i example.com
>>         reqrep ^([^\ \t]*[\ \t])(.*) \1/tomcatcontext\2 if test
>>         use_backend echo if test
>>
>>     backend echo
>>         mode http
>>         option http-server-close
>>         option forwardfor
>>         server echo1 127.0.0.1:6666
>
> Hi,
>
> You should enable http-server-close on the frontend side as well.
> Or better, put it in the defaults.
>
> cheers

I've added http-server-close to the defaults and the acl still doesn't match when I write the X-Original-Request header.
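
One way to copy the original URI into a header before rewriting the path without injecting a header line through the request-line regex, as an added example that is not from the thread or from any of its participants. It assumes HAProxy 1.6 or later rather than the 1.4.x discussed above; the frontend, ACL and backend names mirror the posted config.

```haproxy
# Added example: assumes HAProxy 1.6+ (http-request set-header / set-path).
frontend http-in
    bind *:80
    acl test hdr_end(host) -i example.com

    # http-request rules are evaluated in the order they are written,
    # so the header is filled from the URI before the path is changed.
    # set-header first removes any X-Original-Request supplied by the
    # client, so the backend only ever sees the value written here.
    http-request set-header X-Original-Request %[url]

    # Prefix the path for matching hosts; the query string is kept as is.
    http-request set-path /tomcatcontext%[path] if test

    use_backend echo if test

backend echo
    mode http
    option http-server-close
    option forwardfor
    server echo1 127.0.0.1:6666
```

Because the application builds redirects from this header, the backend should only be reachable through the proxy that sets it.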