Baptiste, Thanks for your help again. How would you recommend rewriting with HAProxy to do that on the fly? If you've got something that should work that's already written, that's easier than me trying to piece things together from different sources.
On Wed, May 28, 2014 at 9:00 AM, Baptiste <[email protected]> wrote: > On Wed, May 28, 2014 at 3:57 PM, Souda Burger <[email protected]> > wrote: > > Baptiste, > > > > Thanks for the heads up. Just to make sure I understand, you're saying > that > > my "balanced" application server, in this case a tomcat pair, needs to > > account for the header modification and it does not appear that it is > > currently doing that? If so, thanks for your help, I can take that to my > > developers! > > > > > > On Wed, May 28, 2014 at 8:45 AM, Baptiste <[email protected]> wrote: > >> > >> On Wed, May 28, 2014 at 3:00 PM, Souda Burger <[email protected]> > >> wrote: > >> > I have an haproxy server set up with a compiled 1.5-dev25 version of > >> > HaProxy. I am needing SSL and since SSL isn't available in 1.4, I > >> > compiled > >> > 1.5. I have everything working, but I noticed something peculiar and > >> > wasn't > >> > sure if this was expected behavior or not. Below is my SSL > haproxy.cfg > >> > file > >> > along with the wget that I performed against my websserver. It > appears > >> > to > >> > initially redirect HTTPS to HTTP which then rewrites the connection > back > >> > to > >> > HTTPS. Again, is this expected behavior or is something in my config > >> > incorrect? Thanks! > >> > > >> > global > >> > daemon > >> > log 127.0.0.1 local2 > >> > maxconn 4096 > >> > user haproxy > >> > group haproxy > >> > chroot /var/chroot/haproxy > >> > > >> > defaults > >> > log global > >> > mode http > >> > retries 3 > >> > option httplog > >> > option dontlognull > >> > option redispatch > >> > timeout server 50000 > >> > timeout client 50000 > >> > timeout connect 5000 > >> > > >> > frontend http_in > >> > > >> > bind *:80 > >> > default_backend portalbackend > >> > > >> > frontend https_in > >> > reqadd X-Forwarded-Proto:\ https > >> > bind *:443 ssl crt /etc/haproxy/haproxy.crt > >> > default_backend portalbackend > >> > > >> > backend portalbackend > >> > balance leastconn > >> > redirect scheme https if !{ ssl_fc } > >> > option httpchk GET /login.jsp > >> > option forwardfor > >> > option http-server-close > >> > server node1 <ip1>:8080 check inter 5000 > >> > server node2 <ip2>:8080 check inter 5000 > >> > > >> > > >> > > >> > 07:53:18 ~$ wget https://haproxy --no-check-certificate > >> > --2014-05-28 07:59:55-- https://haproxy/ > >> > Resolving haproxy... 192.168.8.213 > >> > Connecting to haproxy|192.168.8.213|:443... connected. > >> > WARNING: cannot verify haproxy's certificate, issued by > >> > '/CN=www.exceliance.fr': > >> > Self-signed certificate encountered. > >> > WARNING: certificate common name 'www.exceliance.fr' doesn't > match > >> > requested host name 'haproxy'. > >> > HTTP request sent, awaiting response... 302 Found > >> > Location: http://haproxy/login.jsp [following] > >> > --2014-05-28 07:59:55-- http://haproxy/login.jsp > >> > Connecting to haproxy|192.168.8.213|:80... connected. > >> > HTTP request sent, awaiting response... 302 Found > >> > Location: https://haproxy/login.jsp [following] > >> > --2014-05-28 07:59:55-- https://haproxy/login.jsp > >> > Reusing existing connection to haproxy:443. > >> > HTTP request sent, awaiting response... 200 OK > >> > Length: 7327 (7.2K) [text/html] > >> > Saving to: 'index.html.1' > >> > > >> > > >> > > 100%[=====================================================================================================================>] > >> > 7,327 --.-K/s in 0s > >> > > >> > 2014-05-28 07:59:55 (81.3 MB/s) - 'index.html.1' saved [7327/7327] > >> > > >> > >> > >> Hi Souda, > >> > >> The first 302 seems to be sent by your application server which does > >> not seems to take into account you "X-Forwarded-Proto" header. > >> > >> Baptiste > > > > > > Yes, this is what I meant. > Your application should read this header and write the redirect in > consequence. > The first 302 response should be "https://haproxy/login.jsp";. > > Or you could use HAProxy to rewrite it on the fly, but it's a dirty > workaround. > > Baptiste >
