On Tue, Aug 5, 2014 at 6:52 PM, Jon Fullmer <[email protected]> wrote:
> No thoughts? Did I provide too much information? Not enough?
>
> - Jon
>
> From: Jon Fullmer <[email protected]>
> Date: Tuesday, July 29, 2014 at 3:54 PM
> To: "[email protected]" <[email protected]>
> Subject: http-response syntax
>
> I suspect I just don't understand "http-response"'s syntax, or I might have
> discovered a bug.
>
> What I'm trying to do:
>
> I need to have haproxy intercept backend server responses containing an HTTP
> Location header, and change the "http:" of the URL in the contents to
> "https:" IF the session is over SSL and IF the FQDN in the URL in the
> Location header is, say, "*.something.edu".
>
> Here's how I'm doing it today (inside the frontend), and it works:
>
>     acl port-443 dst_port 443
>     rsprep ^(Location:\ http)(://[^/]*\.something\.edu.*) \1s\2 if port-443
>
> Here's how I'd like to do it using "http-response":
>
>     http-response replace-header Location (http)(://[^/]*\.something\.edu.*) \1s\2 if { ssl_fc }
>
> When I run an "haproxy -c" on the http-response config, I'm greeted with:
>
>     [ALERT] 209/213332 (25548) : parsing [./haproxy.cfg:43]: 'http-request replace-header' expects exactly 3 arguments.
>
> When I remove the "if" portion at the end of the http-response line, it
> checks fine. I've tried it with multiple different "if" conditions (using
> various types of acls). If there is any "if" condition, the above error
> appears.
>
> It also concerns me that the error specifies "http-request replace-header",
> when the config is actually an "http-response replace-header", but that
> could just be a simple typo. I'm more concerned that I can't seem to get it to
> accept an "if" condition.
>
> I'm very open to the explanation being "oh, well, you configured the line
> wrong; you forgot to...". I'm out of ideas, though.
>
> I'm using 1.5.1, but I've tried the config using 1.5.0 and 1.5.3, and the
> result is the same.
> Here's my build info (compiled on CentOS 6.5), if it
> makes a difference:
>
> -------------------------------
> HA-Proxy version 1.5.3 2014/07/25
> Copyright 2000-2014 Willy Tarreau <[email protected]>
>
> Build options :
>   TARGET = linux2632
>   CPU = generic
>   CC = gcc
>   CFLAGS = -O2 -g -fno-strict-aliasing
>   OPTIONS = USE_ZLIB=1 USE_POLL=default USE_OPENSSL=1 USE_PCRE=1
>
> Default settings :
>   maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
>
> Encrypted password support via crypt(3): no
> Built with zlib version : 1.2.3
> Compression algorithms supported : identity, deflate, gzip
> Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
> Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports prefer-server-ciphers : yes
> Built with PCRE version : 7.8 2008-09-05
> PCRE library supports JIT : no (USE_PCRE_JIT not set)
> Built with transparent proxy support using: IP_TRANSPARENT IP_FREEBIND
>
> Available polling systems :
>   poll : pref=200, test result OK
>   select : pref=150, test result OK
> Total: 2 (2 usable), will use poll.
> -------------------------------
>
> Any thoughts?
>
> - Jon
>
> NOTICE: This email message is for the sole use of the intended recipient(s)
> and may contain confidential and privileged information. Any unauthorized
> review, use, disclosure or distribution is prohibited. If you are not the
> intended recipient, please contact the sender by reply email and destroy all
> copies of the original message.

Hi Jon

There has been a bug (fixed) in 1.5.0 and 1.5.1 on this feature.
It has been fixed here:
http://git.haproxy.org/?p=haproxy.git;a=commit;h=92df370621b6e1286ef273310ad47371456a5cf0

So running 1.5.2 or 1.5.3 should be fine.
Please test again with a 1.5.3 binary.

Baptiste

