Hi,

If the application doesn't generate https URLs you get a loop with your
redirect: HAProxy terminates TLS and passes plain HTTP to the backend, so
the application sees http:// and redirects to https again. For WordPress you
may need to add the X-Forwarded-Proto: https header (seen by PHP as
HTTP_X_FORWARDED_PROTO).
--
http://wordpress.org/support/topic/request-modify-is_ssl-function-to-check-for-http_x_forwarded_proto
--

cheers,
thomas

On 17.09.2012 17:23, Aleksandar Lazic wrote:
> Hi,
>
> As far as I understand the SSL support, I just need to copy my
> http setup to https and it should work.
>
> I have a redirection loop on https; I hope you can help me find my
> error, thanks.
>
> I have downloaded the following snapshot
>
> ###
> curl -vLo
> haproxy-v1.5-dev12-3e394c903f156ab2bcf731df39c4e6e74df3b6b4.tar.gz
> 'http://haproxy.1wt.eu/git?p=haproxy.git;a=snapshot;h=3e394c903f156ab2bcf731df39c4e6e74df3b6b4;sf=tgz'
>
> ###
>
> ### /opt/haproxy/installed/sbin/haproxy -vv
> HA-Proxy version 1.5-dev12 2012/09/10
> Copyright 2000-2012 Willy Tarreau <[email protected]>
>
> Build options :
>   TARGET  = linux2628
>   CPU     = generic
>   CC      = gcc
>   CFLAGS  = -m64 -march=x86-64 -O2 -g -fno-strict-aliasing
>   OPTIONS = USE_OPENSSL=1 USE_STATIC_PCRE=1
>
> Default settings :
>   maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
>
> Encrypted password support via crypt(3): yes
> Built with OpenSSL version : OpenSSL 1.0.1 14 Mar 2012
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports prefer-server-ciphers : yes
>
> Available polling systems :
>      sepoll : pref=400,  test result OK
>       epoll : pref=300,  test result OK
>        poll : pref=200,  test result OK
>      select : pref=150,  test result OK
> Total: 4 (4 usable), will use sepoll.
> ###
>
> ### cat /opt/haproxy/conf/haproxy.cfg
> # This sample configuration makes extensive use of the ACLs. It requires
> # HAProxy version 1.3.12 minimum.
>
> global
>     log       127.0.0.1   local1
>     maxconn       4096
>     group      haproxy
>     user       haproxy
>     pidfile       /var/run/haproxy.pid
>     daemon
> #       quiet
>
> defaults
>     # long timeout to support connection queueing
>     contimeout 20000
>     srvtimeout 20000
>     clitimeout 30000
>     maxconn    4096
>     option httpchk HEAD /
>         option redispatch
>     option httplog
>     option dontlognull
>         option http-server-close
>     option forwardfor
>     option http-no-delay
>     unique-id-format %{+X}o\ %Ci:%Cp_%Ts_%rt
>         unique-id-header X-Unique-ID
>     log-format %Ci:%Cp\ [%t]\ %f\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %st\ %B\
> %cc\ %cs\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %ID\ %sq/%bq\ %hr\ %hs\ %{+Q}r
>
> frontend http-in
>     bind       :80
>     mode       http
>     log        global
>
>         capture cookie PHPSESSID len 128
>
>         capture request header User-Agent len 128
>     capture request header Host           len 20
>     capture request header User-Agent     len 16
>     capture request header Content-Length len 10
>     capture request header Referer        len 20
>
>     capture response header Content-Length len 10
>
>         rspdel ^X-Powered-By:.*
>
>         block if METH_POST { hdr_cnt(Content-length) eq 0 }
>
>     # block any unwanted source IP addresses or networks
>     acl forbidden_src src      0.0.0.0/7 224.0.0.0/3
>     acl forbidden_src src_port 0:1023
>     block if forbidden_src
>
>     # block requests beginning with http:// on wrong domains
> #    acl dangerous_pfx  url_beg -i  http://
>     acl valid_pfx      url_reg -i ^http://[^/]*myDomain\.com/
>     acl dangerous_pfx  url_beg -i /w00tw00t.at.ISC.SANS.DFind
> #    acl dangerous_pfx  url_reg -i .*w00tw00t.at.ISC.SANS.DFind
>     block if dangerous_pfx !valid_pfx
>
>     # block apache chunk exploit, ...
>     acl forbidden_hdrs hdr_sub(transfer-encoding) -i chunked
>     acl forbidden_hdrs hdr_beg(host)              -i apache- localhost
>
>     # ... some HTTP content smuggling and other various things
>     acl forbidden_hdrs hdr_cnt(host) gt 1
>     acl forbidden_hdrs hdr_cnt(content-length) gt 1
>     acl forbidden_hdrs hdr_val(content-length) lt 0
>     acl forbidden_hdrs hdr_cnt(proxy-authorization) gt 0
>     block if forbidden_hdrs
>
>     # block annoying worms that fill the logs...
>     acl forbidden_uris url_reg -i .*(\.|%2e)(\.|%2e)(%2f|%5c|/|\\\\)
>     acl forbidden_uris url_sub -i %00 <script xmlrpc.php
>     acl forbidden_uris path_end -i /root.exe /cmd.exe /default.ida
> /awstats.pl .asp .dll
>
>     # block other common attacks (awstats, manual discovery...)
>     acl forbidden_uris path_dir -i chat read_dump.php viewtopic.php
> phpbb sumthin horde _vti_bin MSOffice
>     acl forbidden_uris url_reg -i
> (\.php\?temppath=|\.php\?setmodules=|[=:]http://)
>     block if forbidden_uris
>
>         acl phpmyadmin hdr_beg(host) phpmadm
>     use_backend phpadm_backend if phpmyadmin
>
>         acl monitoring hdr_beg(host) monitoring
>     use_backend monitoring_backend if monitoring
>
>         acl stat_request url_beg /haproxy_stats
>         use_backend stats_backend if stat_request
>
>         acl wptest hdr_beg(host) wptest
>     use_backend wptest_backend if wptest
>
>         acl pmcom hdr_beg(host) www
>     use_backend pmcom_backend if pmcom
>
>         acl stat_pmcom url_beg /pmcom-fpm-status
>         use_backend pmcom_backend if stat_pmcom
>
>     default_backend    default
>
> frontend https-in
>         bind 0.0.0.0:443 ssl crt
> /opt/haproxy/conf/www.myDomain.com.pem prefer-server-ciphers
>     mode       http
>     log        global
>
>         acl pmcom hdr_beg(host) www
>     use_backend pmcom_backend if pmcom
>
>         acl stat_request url_beg /haproxy_stats
>         use_backend stats_backend if stat_request
>
>         default_backend default
>
> backend default
>     mode    http
>
>     balance roundrobin
>     cookie SERVERID
>     server nginx 127.0.0.1:8000 check inter 30000 rise 2 fall 3
> maxconn 1024
>
>     option httpchk HEAD /
>     option checkcache
>
>     # allow other syntactically valid requests, and block any other
> method
>         acl valid_method method GET HEAD POST OPTIONS
>         block if !valid_method
>         block if HTTP_URL_STAR !METH_OPTIONS
>         block if !HTTP_URL_SLASH !HTTP_URL_STAR !HTTP_URL_ABS
>
>     # remove unnecessary precisions on the server version. Let's say
>     # it's an apache under Unix on the Formilux Distro.
>     rspidel        ^Server:\
>     rspadd        Server:\ Apache
>
> backend phpadm_backend
>     mode http
>         timeout server 1h
>     server nginx 127.0.0.1:8001 check inter 30000 rise 2 fall 3
> maxconn 10
>
> backend wptest_backend
>     mode http
>     server nginx 127.0.0.1:8002 check inter 30000 rise 2 fall 3
> maxconn 10
>
> backend pmcom_backend
>     mode http
>     server nginx 127.0.0.1:8003 check inter 30000 rise 2 fall 3
> maxconn 1024
>
> backend monitoring_backend
>     mode http
>     server nginx 127.0.0.1:8002 check inter 30000 rise 2 fall 3
> maxconn 10
>
> backend stats_backend
>     mode http
>     balance
> #    timeout client 5000
>     timeout connect 4000
>     timeout server 30000
>     stats uri /haproxy_stats
>     stats realm Haproxy\ Statistics
>     stats auth  common_you_DONT:THING_I_writeit_;-)
> ###
>
> Thanks for your help
>
> Aleks

