Hi Steven,

First, a few comments below:

> option httplog
> option dontlognull
> option forwardfor
> option http-server-close
> option httpclose

You can remove httpclose above, there is already http-server-close,
and having the two results in close for all connections.

> stats enable
> 
> stats auth admin:XXXXXXXX

You can use encrypted passwords above instead of accidentally sharing
them with the world :-) (I have replaced it with XXXXX but that's too
late). Also it generally isn't a good idea to put the stats in the
defaults section because it's inherited by all instances.

> When I connect to the oauth url I get the following in a browser:
> 
> Dec 17 16:26:23 happywebn1 haproxy[22465]:
> 10.116.49.52:17384[17/Dec/2012:16:26:21.893] https~
> layer7/qa-layer7.alfresco.pri
> 1328/0/1/-1/1330 502 545 - - PH-- 12/11/0/0/0 0/0 "GET
> /auth/oauth/versions/2/authorize?client_id=32527f06-1acd-488c-a844-036629e91127&redirect_uri=http%3A%2F%2Flocalhost%3A8181%2Foauthsample%2Fmycallback.html&scope=public_api&response_type=code
> HTTP/1.1"
> 
> 
> From running haproxy in foreground debug mode I can see that the request
> gets sent OK to the layer7 server.

Yes, the "H" in "PH" flags means that the request was sent to the server and
that haproxy is waiting for the server to respond. The "P" means the response
was rejected by haproxy, most likely because it does not conform to the HTTP
standard.

You should set up the stats socket in the global section and connect to it
using socat, it's very likely that you'll find the problem there:

    $ echo show errors | socat /var/run/haproxy.stat -

> The layer7 server wasn't setup by me and was configured with a self signed
> cert for some reason. I suspect this may be causing the issues. For example
> when I do a curl I have to specify -insecure in order for the GET request
> to work.

No, this is unrelated because haproxy by default does not check server certs,
it only does so when there is the "ca-file" keyword on the line with a path
to the CA used to validate the server cert.

However there is something that I think is a good reason: you seem to mean
that the server presents a certificate but you connect to it in HTTP, not
HTTPS:

   backend layer7
     server qa-layer7.company.pri qa-layer7.company.pri:8443 check inter 5000

Thus I think that the server returns something in response to the HTTP
request that is more of an SSL handshake that is blocked by haproxy.

You should add "ssl" at the end of the line to tell it to re-encrypt traffic
when going to this server.

> Is there a way to provide haproxy with a cert to use for the backend?

Yes, with "ca-file".

> Or, a way to tell it to ignore SSL errors?

It is the default case.

Regards,
Willy
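
The changes suggested in the reply above, collected into one configuration fragment. This is an added example, not part of the original message or the poster's actual configuration; the userlist name, the stats bind address and URI, the CA file path and the password hash placeholder are assumptions.

```haproxy
global
    # Admin socket used by: echo show errors | socat /var/run/haproxy.stat -
    # mode 600 keeps it readable by the owning user only.
    stats socket /var/run/haproxy.stat mode 600 level admin

# Hashed credentials instead of a cleartext "stats auth admin:..." line.
# The value is a placeholder; a crypt(3) hash can be produced with
# e.g. `mkpasswd -m sha-512` (assumed tooling).
userlist stats-users
    user admin password <CRYPT_HASH_PLACEHOLDER>

defaults
    mode http
    option httplog
    option dontlognull
    option forwardfor
    option http-server-close
    # "option httpclose" removed: combined with http-server-close it
    # forces close on all connections.
    # No "stats" directives here, so they are not inherited by every proxy.

# Stats moved to a dedicated section (assumed address, port and URI).
listen stats
    bind 127.0.0.1:8404
    stats enable
    stats uri /haproxy-stats
    acl AUTH http_auth(stats-users)
    stats http-request auth unless AUTH

backend layer7
    # Before: cleartext HTTP sent to a TLS port, logged as 502 with flags PH--
    #   server qa-layer7.company.pri qa-layer7.company.pri:8443 check inter 5000
    # After: "ssl" added at the end of the line to re-encrypt toward the server.
    server qa-layer7.company.pri qa-layer7.company.pri:8443 check inter 5000 ssl

    # Variant that validates the server certificate against a CA
    # (path is an assumed placeholder; "verify required" is spelled out
    # explicitly as supported by released HAProxy versions):
    #   server qa-layer7.company.pri qa-layer7.company.pri:8443 check inter 5000 ssl verify required ca-file /etc/haproxy/layer7-ca.pem
```

For a self-signed backend certificate, the certificate itself can serve as the file given to "ca-file".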

