Hi Christophe,

On 14/12/2012 14:27, Christophe Rahier wrote:
Hi Baptiste,

I tried to configure it but I'm not a Linux specialist ;-)

Here's what I can find in my log file:

Dec 14 14:25:13 lbhatest haproxy[1758]: 212.123.23.228:9163
[14/Dec/2012:14:25:13.233] Managers-Farm~ Managers-Farm/<NOSRV>
-1/-1/-1/-1/39 400 210 - - CR-- 0/0/0/0/0 0/0 {} "<BADREQ>"
Dec 14 14:25:15 lbhatest haproxy[1758]: 212.123.23.228:9164
[14/Dec/2012:14:25:15.447] Managers-Farm~ Managers-Farm/<NOSRV>
-1/-1/-1/-1/18 400 210 - - CR-- 0/0/0/0/0 0/0 {} "<BADREQ>"


Does it help you?

I'm not sure those logs concern your "too many redirects".

However, talking about "too many redirects", it makes me think of a common issue with applications behind an SSL terminator/accelerator/... It can sometimes become a nightmare for the administrators when the developers provide their application for the first time :-)

The rule is quite "simple": you have to know what you're running on the backends to know what configuration to apply. Easy to say, I know.

As haproxy is the SSL terminator, your web server receives a plain unencrypted HTTP request. Some applications can decide that the HTTP request should be immediately redirected to a URL prefixed with a https scheme to secure the communication. And here comes the loop.

To prevent this, it depends on the application (and other intermediary modules like mod_jk and others). For some applications, simply adding "reqadd X-Forwarded-Proto:\ https" in the haproxy configuration will solve the issue. In some other cases, adding the header is not sufficient and you have to set an environment variable in apache (assuming you're using it).

Example:
    SetEnvIf X-Forwarded-Proto https HTTPS=on

But that's where you have to know what framework is used in your application. There is no standard: I've already met some frameworks where the value is case sensitive, waiting for:
    HTTPS=ON
some others waiting for:
    HTTPS=On
and still some others requiring:
    HTTPS=1

And I'm not talking about frameworks that require something other than "X-Forwarded-Proto" ;-)

I hope this will help a bit.

--
Cyril Bonté
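
Added example, not part of the original message: a small Python simulation of the redirect loop described above and of the X-Forwarded-Proto fix. All function names and the host app.example are hypothetical; the proxy here also discards any X-Forwarded-Proto sent by the client, which is an assumption beyond what the message configures.

```python
# Constructed simulation: the names below are hypothetical, not haproxy or Apache APIs.
MAX_REDIRECTS = 10  # a browser gives up after a similar number of hops


def backend_app(headers, trusts_proxy_header):
    """Backend that insists on HTTPS but only ever receives plain HTTP from the proxy."""
    secure = trusts_proxy_header and headers.get("X-Forwarded-Proto") == "https"
    if secure:
        return 200, None
    return 302, "https://app.example/"  # "come back over https"


def terminator(client_scheme, client_headers, add_proto, trusts_proxy_header=True):
    """SSL terminator: decrypts, then forwards a plain HTTP request to the backend."""
    # Assumption: drop any X-Forwarded-Proto sent by the client so that only
    # the proxy decides what the backend is told about the original scheme.
    headers = {k: v for k, v in client_headers.items()
               if k.lower() != "x-forwarded-proto"}
    if add_proto:
        # Plays the role of: reqadd X-Forwarded-Proto:\ https on the SSL side.
        # Here the header carries the scheme the client really used.
        headers["X-Forwarded-Proto"] = client_scheme
    return backend_app(headers, trusts_proxy_header)


def fetch(url, add_proto, client_headers=None, trusts_proxy_header=True):
    """Follow redirects like a browser; return (result, redirects_followed)."""
    for hops in range(MAX_REDIRECTS + 1):
        scheme = url.split("://", 1)[0]
        status, location = terminator(scheme, client_headers or {}, add_proto,
                                      trusts_proxy_header)
        if status != 302:
            return status, hops
        url = location
    return "too many redirects", MAX_REDIRECTS


if __name__ == "__main__":
    print(fetch("https://app.example/", add_proto=False))  # loop
    print(fetch("https://app.example/", add_proto=True))   # fixed
    # Header is sent, but the framework looks at something else: still a loop.
    print(fetch("https://app.example/", add_proto=True, trusts_proxy_header=False))
```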
