Re: Q about ssl and acls

Mon, 17 Sep 2012 15:05:57 -0700 

Hi Thomas,

Am 17-09-2012 21:54, schrieb Thomas Heil:

Hi,

If the application dont create https urls you have a loop with your
redirect. For wordpress you
maybe need to add a header HTTP_X_FORWARDED_PROTO https.
--

http://wordpress.org/support/topic/request-modify-is_ssl-function-to-check-for-http_x_forwarded_proto
--


Yes I have found similar way, thanks for answer.

My solution:

### add in wp-includes/functions.php
...
function is_ssl() {
...
           } elseif ( isset($_SERVER['HTTP_HTTPS']) ) {
                if ( 'on' == strtolower($_SERVER['HTTP_HTTPS']) )
                        return true;
                if ( '1' == $_SERVER['HTTP_HTTPS'] )
                        return true;
...
}
...
###

in haproxy in the https frontend

###
reqadd HTTPS:\ ON
###


cheers,
thomas



BR
Aleks


On 17.09.2012 17:23, Aleksandar Lazic wrote:

Hi,

as far as I have understand the ssl possibility right I just need to
copy my
http setup to https and it should work.

I have a redirection loop on https, I hope you can help to find my
error, thanks.

I have downloaded the following snapshot

###
curl -vLo
haproxy-v1.5-dev12-3e394c903f156ab2bcf731df39c4e6e74df3b6b4.tar.gz

'http://haproxy.1wt.eu/git?p=haproxy.git;a=snapshot;h=3e394c903f156ab2bcf731df39c4e6e74df3b6b4;sf=tgz'

###

### /opt/haproxy/installed/sbin/haproxy -vv
HA-Proxy version 1.5-dev12 2012/09/10
Copyright 2000-2012 Willy Tarreau <[email protected]>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -m64 -march=x86-64 -O2 -g -fno-strict-aliasing
  OPTIONS = USE_OPENSSL=1 USE_STATIC_PCRE=1

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200 

Encrypted password support via crypt(3): yes
Built with OpenSSL version : OpenSSL 1.0.1 14 Mar 2012
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes

Available polling systems :
     sepoll : pref=400,  test result OK
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 4 (4 usable), will use sepoll.
###

### cat /opt/haproxy/conf/haproxy.cfg
# This sample configuration makes extensive use of the ACLs. It requires 
# HAProxy version 1.3.12 minimum.

global
    log       127.0.0.1   local1
    maxconn       4096
    group      haproxy
    user       haproxy
    pidfile       /var/run/haproxy.pid
    daemon
#       quiet

defaults
    # long timeout to support connection queueing
    contimeout 20000
    srvtimeout 20000
    clitimeout 30000
    maxconn    4096
    option httpchk HEAD /
        option redispatch
    option httplog
    option dontlognull
        option http-server-close
    option forwardfor
    option http-no-delay
    unique-id-format %{+X}o\ %Ci:%Cp_%Ts_%rt
        unique-id-header X-Unique-ID
log-format %Ci:%Cp\ [%t]\ %f\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %st\ %B\ 
%cc\ %cs\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %ID\ %sq/%bq\ %hr\ %hs\ %{+Q}r

frontend http-in
    bind       :80
    mode       http
    log        global

        capture cookie PHPSESSID len 128

        capture request header User-Agent len 128
    capture request header Host           len 20
    capture request header User-Agent     len 16
    capture request header Content-Length len 10
    capture request header Referer        len 20

    capture response header Content-Length len 10

        rspdel ^X-Powered-By:.*

        block if METH_POST { hdr_cnt(Content-length) eq 0 }

    # block any unwanted source IP addresses or networks
    acl forbidden_src src      0.0.0.0/7 224.0.0.0/3
    acl forbidden_src src_port 0:1023
    block if forbidden_src

    # block requests beginning with http:// on wrong domains
#    acl dangerous_pfx  url_beg -i  http://
    acl valid_pfx      url_reg -i ^http://[^/]*myDomain\.com/
    acl dangerous_pfx  url_beg -i /w00tw00t.at.ISC.SANS.DFind
#    acl dangerous_pfx  url_reg -i .*w00tw00t.at.ISC.SANS.DFind
    block if dangerous_pfx !valid_pfx

    # block apache chunk exploit, ...
    acl forbidden_hdrs hdr_sub(transfer-encoding) -i chunked
acl forbidden_hdrs hdr_beg(host) -i apache- localhost 

    # ... some HTTP content smugling and other various things
    acl forbidden_hdrs hdr_cnt(host) gt 1
    acl forbidden_hdrs hdr_cnt(content-length) gt 1
    acl forbidden_hdrs hdr_val(content-length) lt 0
    acl forbidden_hdrs hdr_cnt(proxy-authorization) gt 0
    block if forbidden_hdrs

    # block annoying worms that fill the logs...
    acl forbidden_uris url_reg -i .*(\.|%2e)(\.|%2e)(%2f|%5c|/|\\\\)
    acl forbidden_uris url_sub -i %00 <script xmlrpc.php
    acl forbidden_uris path_end -i /root.exe /cmd.exe /default.ida
/awstats.pl .asp .dll

    # block other common attacks (awstats, manual discovery...)
    acl forbidden_uris path_dir -i chat read_dump.php viewtopic.php
phpbb sumthin horde _vti_bin MSOffice
    acl forbidden_uris url_reg -i
(\.php\?temppath=|\.php\?setmodules=|[=:]http://)
    block if forbidden_uris

        acl phpmyadmin hdr_beg(host) phpmadm
    use_backend phpadm_backend if phpmyadmin

        acl monitoring hdr_beg(host) monitoring
    use_backend monitoring_backend if monitoring

        acl stat_request url_beg /haproxy_stats
        use_backend stats_backend if stat_request

        acl wptest hdr_beg(host) wptest
    use_backend wptest_backend if wptest

        acl pmcom hdr_beg(host) www
    use_backend pmcom_backend if pmcom

        acl stat_pmcom url_beg /pmcom-fpm-status
        use_backend pmcom_backend if stat_pmcom

    default_backend    default

frontend https-in
        bind 0.0.0.0:443 ssl crt
/opt/haproxy/conf/www.myDomain.com.pem prefer-server-ciphers
    mode       http
    log        global

        acl pmcom hdr_beg(host) www
    use_backend pmcom_backend if pmcom

        acl stat_request url_beg /haproxy_stats
        use_backend stats_backend if stat_request

        default_backend default

backend default
    mode    http

    balance roundrobin
    cookie SERVERID
    server nginx 127.0.0.1:8000 check inter 30000 rise 2 fall 3
maxconn 1024

    option httpchk HEAD /
    option checkcache

    # allow other syntactically valid requests, and block any other
method
        acl valid_method method GET HEAD POST OPTIONS
        block if !valid_method
        block if HTTP_URL_STAR !METH_OPTIONS
        block if !HTTP_URL_SLASH !HTTP_URL_STAR !HTTP_URL_ABS

    # remove unnecessary precisions on the server version. Let's say
    # it's an apache under Unix on the Formilux Distro.
    rspidel        ^Server:\
    rspadd        Server:\ Apache

backend phpadm_backend
    mode http
        timeout server 1h
    server nginx 127.0.0.1:8001 check inter 30000 rise 2 fall 3
maxconn 10

backend wptest_backend
    mode http
    server nginx 127.0.0.1:8002 check inter 30000 rise 2 fall 3
maxconn 10

backend pmcom_backend
    mode http
    server nginx 127.0.0.1:8003 check inter 30000 rise 2 fall 3
maxconn 1024

backend monitoring_backend
    mode http
    server nginx 127.0.0.1:8002 check inter 30000 rise 2 fall 3
maxconn 10

backend stats_backend
    mode http
    balance
#    timeout client 5000
    timeout connect 4000
    timeout server 30000
    stats uri /haproxy_stats
    stats realm Haproxy\ Statistics
    stats auth  common_you_DONT:THING_I_writeit_;-)
###

Thanks for help

Aleks

Reply via email to