Hi, I'm testing haproxy-1.5-dev19/21 to load-balance a PHP application (Apache/Moodle 2.6).
Moodle is set up to use Shibboleth authentication (https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration). Login is all HTTPS (client -> haproxy -> apache+mod_ssl). Login works OK (haproxy-ss-20131228) on IE, Chrome and Safari, but fails with Firefox.

When I changed the connection from haproxy to apache to use HTTP (no HTTPS; removed ssl from the server line) I managed to capture packet logs on the apache host. Chrome+haproxy sends the whole request to apache (and it works), but with Firefox+haproxy apache sees a request like this:

POST /Shibboleth.sso/SAML2/POST HTTP/1.1
Host: mdl26.uef.fi
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: fi,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: https://idp.uef.fi/idp/profile/SAML2/Redirect/SSO
Cookie: __utma=cookie cleanedup; MoodleSessionmdl26=moodle session cookie cleaned; _shibstate_1389859501_c8b0=cookie removed;
Content-Type: application/x-www-form-urlencoded
Content-Length: 13099
X-Forwarded-For: 10.0.28.54
Connection: close

RelayState=cookie%3A1389859501_c8b0&SAMLResponse=PD94bWwg ... here's about 7500 bytes from the SAMLResponse ... mxPREw4bW1QdW9LdzM5V2dxNktiTU8vdWZ2WVlhelpETzh4T2pPawpBVEtlN0szTUtReVh2MS9UdnpDeUFYVzB5S0hMbVBQQlM0ZlRjRG1yZ

HTTP/1.1 500 Internal Server Error
Date: Thu, 16 Jan 2014 08:05:14 GMT
Server: Apache
Expires: Wed, 01 Jan 1997 12:00:00 GMT
Cache-Control: private,no-store,no-cache,max-age=0
Content-Length: 966
Connection: close
Content-Type: text/html; charset=UTF-8

--- HERE I removed most of the HTML ---
<p class="error">opensaml::BindingException at (https://mdl26.uef.fi/Shibboleth.sso/SAML2/POST)</p>
<p>Unable to decode base64 in POST binding message.</p>
</body>
</html>

05acXphQjI5aXd5Wlk1V1ZkRFc5Y0xEc0 .... rest of the SAMLResponse

So it looks like Firefox+haproxy sends only a partial SAMLResponse to apache and sends the rest after apache/Shibboleth SP sends back error 500. If I use an older 1.5-dev snapshot (haproxy-ss-20131031) then login works on Firefox (same config). With the latest snapshot, haproxy-ss-20140116, the SSL backend doesn't work at all: all requests get a 408 error from haproxy.

Here's my test config:

global
    log /dev/log local2 info
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 8000
    user haproxy
    group haproxy
    daemon
    spread-checks 3
    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats
    stats timeout 2m

defaults
    mode http
    log global
    option httplog
    option dontlognull
    option redispatch
    no option accept-invalid-http-request
    no option accept-invalid-http-response
    retries 3
    timeout http-request 10s
    timeout queue 30s
    timeout connect 4s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 8192
    no option socket-stats

frontend http_mdl
    bind 10.0.0.201:80 name demo3
    bind 10.0.0.202:80 name demo4
    option tcp-smart-accept
    option contstats
    option forwardfor except 127.0.0.0/8
    errorfile 403 /etc/haproxy/errors/403.html
    errorfile 504 /etc/haproxy/errors/504.html
    default_backend BE_http

frontend https_mdl
    bind 10.0.0.201:443 name demo3ssl ssl crt /etc/haproxy/demo3.pem
    bind 10.0.0.202:443 name demo4ssl ssl crt /etc/haproxy/demo4.pem
    option forceclose
    option contstats
    option forwardfor except 127.0.0.0/8
    errorfile 403 /etc/haproxy/errors/403.html
    errorfile 504 /etc/haproxy/errors/504.html
    default_backend BE_http-ssl

backend BE_http
    balance roundrobin
    option tcp-smart-connect
    option httpchk HEAD / HTTP/1.0\r\n
    http-check disable-on-404
    no option persist
    stats enable
    stats realm removed
    stats auth info:removed
    stats uri /statsuri    #removed
    stats hide-version
    stats refresh 120s
    default-server inter 5s downinter 15s rise 2 error-limit 10 fall 2 on-error fail-check
    server mdldemo1 10.0.0.151:80 check observe layer7
    server mdldemo2 10.0.0.152:80 check observe layer7

backend BE_http-ssl
    option forceclose
    timeout server 120s    # long timeout to receive shib error w/firefox
    default-server inter 15s downinter 20s rise 2
    server mdldemo1 10.0.0.151:443 maxconn 256 ssl force-sslv3 check
    # second server disabled for testing (also stick on src removed for
    # testing).
    #server mdldemo2 10.0.0.152:443 maxconn 256 ssl force-sslv3 check
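A way to check the symptom above without Shibboleth in the loop, as an added example that is not part of the post and not haproxy or Shibboleth code: a throwaway backend that reads exactly Content-Length bytes and reports how many actually arrived (and whether the SAMLResponse field still base64-decodes), plus a client that sends a form POST of the same shape as the capture (RelayState plus a base64 SAMLResponse of roughly the same size). Run the backend on the apache host, point the client at the haproxy frontend and compare received with sent; a second client function deliberately sends only part of the body so you can see what the backend reports when the rest never comes. The 13000-byte size, the random base64 blob and the 3-second short-read timeout are constructed for the example.

```python
# Added example: probe whether a proxy delivers a large form POST body intact.
import base64
import binascii
import http.client
import os
import socket
import threading
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE_PATH = "/Shibboleth.sso/SAML2/POST"   # same path as in the capture


class BodyCheckHandler(BaseHTTPRequestHandler):
    """Backend stand-in: read Content-Length bytes and report what arrived."""

    rbufsize = 0   # unbuffered rfile, so a timeout cannot swallow bytes already read
    timeout = 3    # seconds of silence after which the body is declared short (assumed)

    def do_POST(self):
        declared = int(self.headers.get("Content-Length", "0"))
        chunks, remaining = [], declared
        try:
            while remaining:
                chunk = self.rfile.read(min(remaining, 65536))
                if not chunk:                      # peer closed before the body was complete
                    break
                chunks.append(chunk)
                remaining -= len(chunk)
        except (socket.timeout, TimeoutError):     # peer went quiet mid-body: the observed symptom
            pass
        body = b"".join(chunks)
        fields = urllib.parse.parse_qs(body.decode("ascii", "replace"))
        saml = fields.get("SAMLResponse", [""])[0]
        try:
            base64.b64decode(saml, validate=True)  # what the SP's POST binding would try
            b64_ok = "yes"
        except (binascii.Error, ValueError):
            b64_ok = "no"
        report = "received=%d declared=%d base64_ok=%s\n" % (len(body), declared, b64_ok)
        self.send_response(200 if len(body) == declared else 400)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(report)))
        self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(report.encode())

    def log_message(self, *args):
        pass                                       # keep the probe quiet


def run_backend(host="127.0.0.1", port=0):
    """Start the stand-in backend in a thread; port 0 picks a free port."""
    server = HTTPServer((host, port), BodyCheckHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def build_form(saml_len):
    """Constructed body in the shape of the capture: RelayState + base64 SAMLResponse."""
    blob = base64.b64encode(os.urandom(saml_len * 3 // 4)).decode()
    return urllib.parse.urlencode(
        {"RelayState": "cookie:1389859501_c8b0", "SAMLResponse": blob}).encode()


def parse_report(status, text, sent):
    fields = dict(kv.split("=", 1) for kv in text.split())
    return {"status": status, "sent": sent, "received": int(fields["received"]),
            "base64_ok": fields["base64_ok"] == "yes"}


def probe(host, port, body, path=PROBE_PATH):
    """Send the whole body through host:port (e.g. the haproxy frontend); received must equal sent."""
    conn = http.client.HTTPConnection(host, port, timeout=30)
    conn.request("POST", path, body=body, headers={
        "Content-Type": "application/x-www-form-urlencoded", "Connection": "close"})
    resp = conn.getresponse()
    text = resp.read().decode()
    conn.close()
    return parse_report(resp.status, text, len(body))


def send_truncated(host, port, body, nbytes, path=PROBE_PATH):
    """Send headers with the full Content-Length but only nbytes of body, then wait for the verdict."""
    head = ("POST %s HTTP/1.1\r\nHost: %s\r\nContent-Type: application/x-www-form-urlencoded\r\n"
            "Content-Length: %d\r\nConnection: close\r\n\r\n" % (path, host, len(body))).encode()
    raw = b""
    with socket.create_connection((host, port), timeout=30) as s:
        s.sendall(head + body[:nbytes])
        while True:
            data = s.recv(4096)
            if not data:
                break
            raw += data
    status = int(raw.split(b" ", 2)[1])
    return parse_report(status, raw.split(b"\r\n\r\n", 1)[1].decode(), len(body))


if __name__ == "__main__":
    srv = run_backend()                            # self-test against the local backend
    port = srv.server_address[1]
    form = build_form(13000)
    print(probe("127.0.0.1", port, form))          # expect received == sent, status 200
    print(send_truncated("127.0.0.1", port, form, 7500))   # expect received 7500, status 400
    srv.shutdown()
```

To test a real path, start `run_backend("0.0.0.0", 80)` on the apache host with the haproxy server line pointed at it, then call `probe("<frontend-ip>", 443 or 80, build_form(13000))` from the client side; a `received` smaller than `sent` means the proxy, not the SP, is cutting the body, and the `base64_ok` flag shows whether the partial body would trip the same "Unable to decode base64" error.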

