Baptiste wrote:
On Thu, Mar 29, 2012 at 11:42 PM, William Lewis <m...@wlewis.co.uk> wrote:
  
Hi Cyril,


Cyril Bonté wrote:

Hi William,

Le 29/03/2012 14:30, William Lewis a écrit :

Hi,

So I use Haproxy to rewrite some URL requests in front of my java
webservers, but I also want my java webservers to be able to issue
redirects relative to the url that hit haproxy.

Specifically I want the developers that have access to application
platform but not the haproxy to be able to enforce that a resource is only
accessible over https without me having to write a rule in the haproxy
config. In this case they just need to be able to get the original
request and send back a 403 redirect with https:// on the front, of
course they don't see the original url so this is a problem.

I tried solving it with this rule

reqirep ^((HEAD|GET|POST|PUT|DELETE|TRACE|OPTIONS|CONNECT|PATCH)\ ([^\ ]*)\ HTTP/1.[01]) \1\nX-Original-Request:\ \3

run before any of the rewrite rules

e.g.
reqrep ^([^\ \t]*[\ \t])(.*) \1/tomcatcontext\2

This results in a request to the webserver which looks like

GET /tomcatcontext/ HTTP/1.1
X-Original-Request: /
Host: example.com
Connection: keep-alive
...

This all works great until you then try and do some acl matching in the
haproxy, because an acl like

acl example-com hdr_end(host) -i example.com

will no longer match.


It should (tested quickly here), can you provide us the version of haproxy
you're using? I remember there was a bug in old 1.4 versions concerning
headers manipulation.


I was using 1.4.19 but have just updated to 1.4.20 and am still having the same
problem, complete example config below

global
    daemon
    quiet
    maxconn 1024
    pidfile /home/haproxyblue/haproxy.pid
    uid     20003
    gid     20003
    chroot  /home/haproxyblue
    log     127.0.0.1       local0
    log     127.0.0.1       local1 notice

defaults
    log global
    option httplog
    balance roundrobin
    mode http
    retries 3
    option redispatch
    timeout connect 300000
    timeout client 300000
    timeout server 300000

frontend http-in
    bind *:80


    reqirep ^((HEAD|GET|POST|PUT|DELETE|TRACE|OPTIONS|CONNECT|PATCH)\ ([^\ ]*)\ HTTP/1.[01]) \1\nX-Original-Request:\ \3

    acl test hdr_end(host) -i example.com

    reqrep ^([^\ \t]*[\ \t])(.*) \1/tomcatcontext\2 if test

    use_backend echo if test

backend echo
    mode http

    option http-server-close
    option forwardfor
    server echo1 127.0.0.1:6666




    
Hi,

You should enable http-server-close on the frontend side as well.
Or better, put it in the defaults.

cheers
  

I've added http-server-close to the defaults and the acl still doesn't match when I write the X-Original-Request header.
