Amol,

The second log lines clearly show that your application server is
redirecting your user :)

Baptiste

On Thu, Mar 6, 2014 at 4:53 AM, Amol <mandm_z...@yahoo.com> wrote:
> so after looking at haproxy logs i noticed 2 things
>
> if i type www.xx.com there is 1 log entry
>
> haproxy[26387]: xx.11.11.118:62704 [05/Mar/2014:22:48:02.264] http-in if-https/if1-app 10734/0/0/403/11137 200 10448 - - --VN 20/20/3/1/0 0/0 "GET / HTTP/1.1"
>
> but when i type xx.com i see 2 log entries, that means a url redirection is
> taking place?
>
> haproxy[26387]: xx.11.11.118:62681 [05/Mar/2014:22:48:50.075] http-in if-http/if1-app 15670/0/0/265/15935 301 342 - - --VN 17/17/0/1/0 0/0 "GET / HTTP/1.1"
> haproxy[26387]: xx.xx.xx.240:54320 [05/Mar/2014:22:48:51.271] http-in if-https/if1-app 14872/0/1/417/15290 200 10448 - - --VN 18/18/1/1/0 0/0 "GET / HTTP/1.1"
>
> some parts of my config file..
>
> frontend http-in
>   bind <public_ip>:80 name http
>   bind <private_ip>:8000 name https # forwarded by stunnel
>   acl host_xx hdr(host) -i xx.com
>   use_backend if-http if host_if
>   default_backend if-https
>
> backend if-http
>
>   acl secure dst_port eq 8000
>   acl login_page path_beg /exzact
>
>   redirect prefix https://xx.com if login_page !secure
>
>
> On Wednesday, March 5, 2014 4:08 PM, Amol <mandm_z...@yahoo.com> wrote:
> Hi Neil,
> I tried something similar, by putting the servername and setting
> UseCanonicalName On...
> but what i observe is that when i access my website with just xx.com in the
> browser, it directs to https://www.xx.com
> but if i start fresh and access my website with www.xx.com and the next
> subsequent requests with xx.com always go to www.xx.com
>
> any clue?
>
> here is the apache default.conf
> <VirtualHost *:80>
>   ServerAdmin webmaster@localhost
>   ServerName www.xxx.com
>
>   DocumentRoot /var/www
>   <Directory />
>     Options FollowSymLinks
>     AllowOverride All
>   </Directory>
>   <Directory /var/www/>
>     setenv HTTPS on
>     Options FollowSymLinks MultiViews
>     AllowOverride All
>     Order allow,deny
>     allow from all
>   </Directory>
>
>   ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
>   <Directory "/usr/lib/cgi-bin">
>     AllowOverride None
>     Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
>     Order allow,deny
>     Allow from all
>   </Directory>
>
>   ErrorLog /var/log/apache2/error.log
>
>   # Possible values include: debug, info, notice, warn, error, crit,
>   # alert, emerg.
>   LogLevel warn
>   ServerSignature Off
>   UseCanonicalName On
>
>   SetEnvIf Request_URI "^/check\.txt$" dontlog
>   CustomLog /var/log/apache2/access.log combined env=!dontlog
>
>   Alias /doc/ "/usr/share/doc/"
>   <Directory "/usr/share/doc/">
>     Options MultiViews FollowSymLinks
>     AllowOverride None
>     Order deny,allow
>     Deny from all
>     Allow from 127.0.0.0/255.0.0.0 ::1/128
>   </Directory>
>
> </VirtualHost>
>
>
> On Monday, March 3, 2014 5:16 AM, Neil - HAProxy List
> <maillist-hapr...@iamafreeman.com> wrote:
> Hello Amol
>
> Here is an example of the sort of thing I use
>
> The 3 important things are
> ServerName https://servicename.domain.com:443
> SetEnv HTTPS on
> UseCanonicalName On
>
>
> <VirtualHost *:8080>
>   ServerName https://servicename.domain.com:443
>
>   ## Vhost docroot
>   DocumentRoot /var/www/
>
>   ## Directories, there should at least be a declaration for /var/www
>
>   <Directory /var/www>
>     Options Indexes ExecCGI
>     AllowOverride None
>     Order allow,deny
>     Allow from all
>   </Directory>
>
>   ## Logging
>   LogLevel warn
>   ServerSignature Off
>
>
>   ## Custom fragment
>   #### This tricks PHP into believing the script was accessed over SSL
>   SetEnv HTTPS on
>
>   DirectoryIndex index.php
>   UseCanonicalName On
>
>   ErrorLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_error.log /var/log/apache2/%Y/servicename_error-%Y%m%d.log"
>
>   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" direct
>   LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxied
>   SetEnvIf Remote_Addr "^" direct # make it always set
>   SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" !direct
>   SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" proxied
>   SetEnvIf Request_URI "^/healthcheck$" !direct
>
>   # keep these SetEnvIf Request_URI "^/healthcheck$" !proxied
>   CustomLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_directaccess /var/log/apache2/%Y/servicename_directaccess-%Y%m%d.log" direct env=direct
>   CustomLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_access /var/log/apache2/%Y/servicename_access-%Y%m%d.log" proxied env=proxied
>
> </VirtualHost>
>
> I like to log traffic from the loadbal separately to traffic from the public
> and I ignore /healthcheck from the loadbal but not from others. You'll need
> to tell haproxy to "option forwardfor". Also using cronolog.
>
> Neil
>
>
> On 1 March 2014 15:27, Baptiste <bed...@gmail.com> wrote:
>
> Hi
>
> More chance to get an answer from Apache 2.2 and wordpress people...
>
> Baptiste
>
> On Fri, Feb 28, 2014 at 4:12 PM, Amol <mandm_z...@yahoo.com> wrote:
>> well the application behind haproxy in this case is wordpress on
>> apache2.2, any settings there?
>>
>>
>> On Friday, February 28, 2014 4:57 AM, Baptiste <bed...@gmail.com> wrote:
>> It may not fix the issue.
>> But at least the configuration will do what you expect from it...
>>
>> That said, the issue may be in the application too :)
>> It is commonly seen that applications don't behave properly when SSL
>> offloading is enabled in front of them.
>>
>> Baptiste
>>
>>
>> On Thu, Feb 27, 2014 at 4:16 PM, Amol <mandm_z...@yahoo.com> wrote:
>>> Thanks Baptiste, let me give that a try
>>>
>>>
>>> On Thursday, February 27, 2014 9:37 AM, Baptiste <bed...@gmail.com>
>>> wrote:
>>> Hi Amol,
>>>
>>> There are a few improvements you can do.
>>> First update your frontend acl to:
>>> acl host_xx hdr(host) -i xx.com
>>>
>>> then in your backend, this ACL should never match: "acl login_page
>>> url_beg /xyz"
>>> replace url_beg by path_beg.
>>>
>>> Your problem is not there as well.
>>> I think your application server is sending hardcoded data or Location
>>> headers.
>>> analyzing the body of the pages and HAProxy logs may help here.
>>>
>>> Baptiste
>>>
>>>
>>> On Tue, Feb 25, 2014 at 4:56 PM, Amol <mandm_z...@yahoo.com> wrote:
>>>> Hi i am using HA-Proxy version 1.4.12 and i have an issue trying to
>>>> redirect my website to "http"
>>>> requirement : when a user types in http://<website_name>.com he should
>>>> not be redirected to https://<website_name>.com
>>>> currently it does that and some of the video links on our main page do
>>>> not work (basically vimeo has http links while our page is https so it
>>>> throws a security exception)
>>>>
>>>> at the same time we need users with http://<website_name>.com/xyz to be
>>>> redirected to https://<website_name>.com/xyz (this helps users login to
>>>> secure application)
>>>>
>>>> so under my current configurations i cannot get the first part to work,
>>>> basically (www.<website_name>.com works and stays http but when i type
>>>> http://<website_name>.com it does a redirection to https)
>>>>
>>>> frontend http-in
>>>>   bind xx.xx.xx.xx:80 name http
>>>>   bind 10.xx.xx.xx:8000 name https # forwarded by stunnel
>>>>
>>>>   acl host_xx hdr_beg(host) -i xx.com
>>>>   use_backend xx-http if host_xx
>>>>   default_backend xx-https
>>>>
>>>> backend xx-http
>>>>   balance roundrobin
>>>>   cookie BALANCEID insert indirect nocache
>>>>   option http-server-close
>>>>   option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>>>>   server xx-app1 xx.xx.xx.xx:80 cookie A check
>>>>   server xx-app6 xx.xx.xx.xx:80 cookie B check backup
>>>>   acl secure dst_port eq 8000
>>>>   acl login_page url_beg /xyz
>>>>   redirect prefix https://xx.com if login_page !secure
>>>>
>>>> backend xx-https
>>>>   mode http
>>>>   balance roundrobin
>>>>   cookie BALANCEID insert indirect nocache
>>>>   option http-server-close
>>>>   # option forwardfor except 127.0.0.1
>>>>   option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>>>>   server xx-app1 xx.xx.xx.xx:80 cookie s1 weight 1 maxconn 5000 check
>>>>   server xx-app6 xx.xx.xx.xx:80 cookie s2 weight 1 maxconn 5000 check backup
>>>>
>>>> any suggestions?
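
The reading of the log given at the top of this thread can be checked mechanically. The following is an added example, not code from any poster in the thread: it parses HAProxy HTTP-format log lines and reports whether a 3xx response came from a backend server or from HAProxy's own `redirect` rule. The function name `redirect_origin` is hypothetical, and the third sample line is constructed.

```python
import re

# Fields of an HAProxy 1.4 "option httplog" line, in order:
# client [date] frontend backend/server Tq/Tw/Tc/Tr/Tt status bytes
# req_cookie resp_cookie termination_state connection_counts queues "request"
LOG_RE = re.compile(
    r'haproxy\[\d+\]: (?P<client>\S+) \[(?P<date>[^\]]+)\] (?P<frontend>\S+) '
    r'(?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<Tq>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/\+?(?P<Tt>-?\d+) '
    r'(?P<status>\d{3}) \+?(?P<bytes>\d+) \S+ \S+ (?P<term>\S{4}) '
    r'\S+ \S+ "(?P<request>[^"]*)"'
)

def redirect_origin(line):
    """Say who produced a 3xx: 'haproxy', 'server:<name>', 'not-a-redirect' or None."""
    m = LOG_RE.search(line)
    if m is None:
        return None  # not an HTTP-format log line
    if not m["status"].startswith("3"):
        return "not-a-redirect"
    # A response generated by HAProxy itself never reaches a server: the server
    # field is <NOSRV>, the server response timer Tr is -1, and the termination
    # state starts with "LR" (request handled locally).
    if m["server"] == "<NOSRV>" or int(m["Tr"]) < 0 or m["term"].startswith("LR"):
        return "haproxy"
    return "server:" + m["server"]

# The first two lines are entries quoted in the thread (mail wrapping undone);
# the third is constructed to show what a "redirect prefix" hit would look like.
SAMPLES = [
    'haproxy[26387]: xx.11.11.118:62681 [05/Mar/2014:22:48:50.075] http-in '
    'if-http/if1-app 15670/0/0/265/15935 301 342 - - --VN 17/17/0/1/0 0/0 '
    '"GET / HTTP/1.1"',
    'haproxy[26387]: xx.xx.xx.240:54320 [05/Mar/2014:22:48:51.271] http-in '
    'if-https/if1-app 14872/0/1/417/15290 200 10448 - - --VN 18/18/1/1/0 0/0 '
    '"GET / HTTP/1.1"',
    'haproxy[26387]: 192.0.2.10:40000 [05/Mar/2014:22:49:00.000] http-in '
    'if-http/<NOSRV> 12/-1/-1/-1/12 302 120 - - LR-- 1/1/0/0/0 0/0 '
    '"GET /exzact HTTP/1.1"',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(redirect_origin(sample), "<-", sample.split('"')[1])
```

For the 301 entry the server field is `if1-app` and Tr is 265 ms, so the response was produced by the application server and only relayed by HAProxy.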