I suspect I just don't understand "http-response"'s syntax, or I might have
discovered a bug.
What I'm trying to do:
I need to have haproxy intercept backend server responses containing an HTTP
Location header, and change the "http:" of the URL in the contents to "https:"
IF the session is over SSL and IF the FQDN in the URL in the Location header
is, say, "*.something.edu".
Here's how I'm doing it today (inside the frontend), and it works:
    acl port-443 dst_port 443
    rsprep ^(Location:\ http)(://[^/]*\.something\.edu.*) \1s\2 if port-443
Here's how I'd like to do it using "http-response":
    http-response replace-header Location (http)(://[^/]*\.something\.edu.*) \1s\2 if { ssl_fc }
When I run an "haproxy -c" on the http-response config, I'm greeted with:
    [ALERT] 209/213332 (25548) : parsing [./haproxy.cfg:43]: 'http-request replace-header' expects exactly 3 arguments.
When I remove the "if" portion at the end of the http-response line, it checks
fine. I've tried it with multiple different "if" conditions (using various
types of acls). If there is any "if" condition, the above error appears.
It also concerns me that the error specifies "http-request replace-header",
when the config is actually an "http-response replace-header", but that could
just be a simple typo. I'm more concerned that I can't seem to get it to accept
an "if" condition.
I'm very open to the explanation being "oh, well, you configured the line
wrong; you forgot to...". I'm out of ideas, though.
I'm using 1.5.1, but I've tried the config using 1.5.0 and 1.5.3, and the
result is the same. Here's my build info (compiled on CentOS 6.5), if it makes
a difference:
-------------------------------
HA-Proxy version 1.5.3 2014/07/25
Copyright 2000-2014 Willy Tarreau <[email protected]>
Build options :
TARGET = linux2632
CPU = generic
CC = gcc
CFLAGS = -O2 -g -fno-strict-aliasing
OPTIONS = USE_ZLIB=1 USE_POLL=default USE_OPENSSL=1 USE_PCRE=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
Encrypted password support via crypt(3): no
Built with zlib version : 1.2.3
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 7.8 2008-09-05
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IP_FREEBIND
Available polling systems :
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 2 (2 usable), will use poll.
-------------------------------
Any thoughts?
- Jon
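An added example, not part of the original message and not HAProxy code: the posted pattern and replacement run through Python's re module over constructed Location values, next to an assumed tighter variant (ANCHORED) that ends the host at "something.edu". It models only the substitution, with the hypothetical over_tls flag standing in for the ssl_fc condition; HAProxy's own regex engine and header handling are not reproduced.

```python
import re

# Pattern and replacement copied from the post's replace-header line.
POSTED = re.compile(r'(http)(://[^/]*\.something\.edu.*)')
REPLACEMENT = r'\1s\2'

# Assumed tighter variant (not from the post): anchored at both ends, and the
# host must end at "something.edu" before an optional port, path, query or end.
ANCHORED = re.compile(
    r'^(http)(://[^/?#@]*\.something\.edu(?::\d+)?(?:[/?#].*)?)$')


def rewrite(pattern, location, over_tls=True):
    """Return the Location value after the http -> https substitution."""
    if not over_tls:  # stands in for the "if { ssl_fc }" condition
        return location
    return pattern.sub(REPLACEMENT, location, count=1)


# Constructed sample Location values (not taken from real traffic).
SAMPLES = [
    'http://www.something.edu/login',               # intended target
    'http://a.b.something.edu:8080/x?y=1',          # nested subdomain and port
    'https://www.something.edu/already',            # already https
    'http://something.edu/',                        # bare domain, no subdomain
    'http://www.other.example/page',                # unrelated host
    'http://www.something.edu.other.example/page',  # only contains the name
]


def report():
    """Return (original, posted-pattern result, anchored-pattern result)."""
    return [(loc, rewrite(POSTED, loc), rewrite(ANCHORED, loc))
            for loc in SAMPLES]


if __name__ == '__main__':
    for loc, posted, anchored in report():
        print(f'{loc}\n  posted:   {posted}\n  anchored: {anchored}')
```

The two patterns agree on every sample except the last: the posted one also rewrites a host that only contains ".something.edu" in the middle of its name, because the trailing `.*` accepts any continuation.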