Sounds good, thanks!

On Wed, May 28, 2014 at 9:05 AM, Baptiste <bed...@gmail.com> wrote:

> On Wed, May 28, 2014 at 4:02 PM, Souda Burger <soudabur...@gmail.com> wrote:
> > Baptiste,
> >
> > Thanks for your help again.  How would you recommend rewriting with HAProxy
> > to do that on the fly?  If you've got something that should work that's
> > already written, that's easier than me trying to piece things together from
> > different sources.
> >
> >
> > On Wed, May 28, 2014 at 9:00 AM, Baptiste <bed...@gmail.com> wrote:
> >>
> >> On Wed, May 28, 2014 at 3:57 PM, Souda Burger <soudabur...@gmail.com> wrote:
> >> > Baptiste,
> >> >
> >> > Thanks for the heads up.  Just to make sure I understand, you're saying that
> >> > my "balanced" application server, in this case a tomcat pair, needs to
> >> > account for the header modification and it does not appear that it is
> >> > currently doing that?  If so, thanks for your help, I can take that to my
> >> > developers!
> >> >
> >> >
> >> > On Wed, May 28, 2014 at 8:45 AM, Baptiste <bed...@gmail.com> wrote:
> >> >>
> >> >> On Wed, May 28, 2014 at 3:00 PM, Souda Burger <soudabur...@gmail.com> wrote:
> >> >> > I have an haproxy server set up with a compiled 1.5-dev25 version of
> >> >> > HAProxy.  I am needing SSL and since SSL isn't available in 1.4, I compiled
> >> >> > 1.5.  I have everything working, but I noticed something peculiar and wasn't
> >> >> > sure if this was expected behavior or not.  Below is my SSL haproxy.cfg file
> >> >> > along with the wget that I performed against my webserver.  It appears to
> >> >> > initially redirect HTTPS to HTTP which then rewrites the connection back to
> >> >> > HTTPS.  Again, is this expected behavior or is something in my config
> >> >> > incorrect?  Thanks!
> >> >> >
> >> >> > global
> >> >> >     daemon
> >> >> >     log 127.0.0.1 local2
> >> >> >     maxconn 4096
> >> >> >     user haproxy
> >> >> >     group haproxy
> >> >> >     chroot /var/chroot/haproxy
> >> >> >
> >> >> > defaults
> >> >> >     log global
> >> >> >     mode http
> >> >> >     retries 3
> >> >> >     option httplog
> >> >> >     option dontlognull
> >> >> >     option redispatch
> >> >> >     timeout server 50000
> >> >> >     timeout client 50000
> >> >> >     timeout connect 5000
> >> >> >
> >> >> > frontend http_in
> >> >> >
> >> >> >   bind *:80
> >> >> >   default_backend portalbackend
> >> >> >
> >> >> > frontend https_in
> >> >> >   reqadd X-Forwarded-Proto:\ https
> >> >> >   bind *:443 ssl crt /etc/haproxy/haproxy.crt
> >> >> >   default_backend portalbackend
> >> >> >
> >> >> > backend portalbackend
> >> >> >   balance leastconn
> >> >> >   redirect scheme https if !{ ssl_fc }
> >> >> >   option httpchk GET /login.jsp
> >> >> >   option forwardfor
> >> >> >   option http-server-close
> >> >> >   server node1 <ip1>:8080 check inter 5000
> >> >> >   server node2 <ip2>:8080 check inter 5000
> >> >> >
> >> >> >
> >> >> >
> >> >> > 07:53:18 ~$ wget https://haproxy --no-check-certificate
> >> >> > --2014-05-28 07:59:55--  https://haproxy/
> >> >> > Resolving haproxy... 192.168.8.213
> >> >> > Connecting to haproxy|192.168.8.213|:443... connected.
> >> >> > WARNING: cannot verify haproxy's certificate, issued by '/CN=www.exceliance.fr':
> >> >> >   Self-signed certificate encountered.
> >> >> >     WARNING: certificate common name 'www.exceliance.fr' doesn't match requested host name 'haproxy'.
> >> >> > HTTP request sent, awaiting response... 302 Found
> >> >> > Location: http://haproxy/login.jsp [following]
> >> >> > --2014-05-28 07:59:55--  http://haproxy/login.jsp
> >> >> > Connecting to haproxy|192.168.8.213|:80... connected.
> >> >> > HTTP request sent, awaiting response... 302 Found
> >> >> > Location: https://haproxy/login.jsp [following]
> >> >> > --2014-05-28 07:59:55--  https://haproxy/login.jsp
> >> >> > Reusing existing connection to haproxy:443.
> >> >> > HTTP request sent, awaiting response... 200 OK
> >> >> > Length: 7327 (7.2K) [text/html]
> >> >> > Saving to: 'index.html.1'
> >> >> >
> >> >> >
> >> >> > 100%[=====================================================================================================================>] 7,327       --.-K/s   in 0s
> >> >> >
> >> >> > 2014-05-28 07:59:55 (81.3 MB/s) - 'index.html.1' saved [7327/7327]
> >> >> >
> >> >>
> >> >>
> >> >> Hi Souda,
> >> >>
> >> >> The first 302 seems to be sent by your application server which does
> >> >> not seem to take into account your "X-Forwarded-Proto" header.
> >> >>
> >> >> Baptiste
> >> >
> >> >
> >>
> >> Yes, this is what I meant.
> >> Your application should read this header and write the redirect in
> >> consequence.
> >> The first 302 response should be "https://haproxy/login.jsp".
> >>
> >> Or you could use HAProxy to rewrite it on the fly, but it's a dirty
> >> workaround.
> >>
> >> Baptiste
> >
> >
>
> Look for rspirep in the documentation; there is an example about the
> Location header.
>
> Baptiste
>

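The Location rewrite that the last reply points to, as an added example that is not part of the thread and was not posted by either participant: it reuses the `portalbackend` section from the original message and adds a single `rspirep` rule. The regular expression and the `if { ssl_fc }` condition are assumptions about how the rule would be applied to this setup; the `<ip1>`/`<ip2>` placeholders are the poster's own.

```haproxy
# Added example (not from the thread): the poster's backend plus one
# response-header rewrite. Everything except the rspirep line is unchanged.
backend portalbackend
  balance leastconn
  redirect scheme https if !{ ssl_fc }

  # Workaround for an application that ignores X-Forwarded-Proto:
  # when the client connected over TLS, turn an absolute http:// Location
  # header in the server's response into https://, so the client is never
  # sent to the clear-text port in the middle of the redirect chain.
  # Spaces in the pattern and the replacement must be escaped with "\ ".
  rspirep ^Location:\ http://(.*) Location:\ https://\1 if { ssl_fc }

  option httpchk GET /login.jsp
  option forwardfor
  option http-server-close
  server node1 <ip1>:8080 check inter 5000
  server node2 <ip2>:8080 check inter 5000
```

With this rule in place, repeating the `wget https://haproxy --no-check-certificate` test from the original message should show the first 302 pointing at `https://haproxy/login.jsp`, with no connection to port 80.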