On 8/6/14, 12:45 AM, "Baptiste" <[email protected]> wrote:

>On Tue, Aug 5, 2014 at 6:52 PM, Jon Fullmer <[email protected]> wrote:
>> No thoughts? Did I provide too much information? Not enough?
>>
>>  - Jon
>>
>> From: Jon Fullmer <[email protected]>
>> Date: Tuesday, July 29, 2014 at 3:54 PM
>> To: "[email protected]" <[email protected]>
>> Subject: http-response syntax
>>
>> I suspect I just don't understand "http-response"'s syntax, or I might
>> have discovered a bug.
>>
>> What I'm trying to do:
>>
>> I need to have haproxy intercept backend server responses containing an
>> HTTP Location header, and change the "http:" of the URL in the contents to
>> "https:" IF the session is over SSL and IF the FQDN in the URL in the
>> Location header is, say, "*.something.edu".
>>
>> Here's how I'm doing it today (inside the frontend), and it works:
>>
>> acl port-443 dst_port 443
>> rsprep ^(Location:\ http)(://[^/]*\.something\.edu.*) \1s\2 if port-443
>>
>> Here's how I'd like to do it using "http-response":
>>
>> http-response replace-header Location (http)(://[^/]*\.something\.edu.*) \1s\2 if { ssl_fc }
>>
>> When I run an "haproxy -c" on the http-response config, I'm greeted with:
>>
>> [ALERT] 209/213332 (25548) : parsing [./haproxy.cfg:43]: 'http-request replace-header' expects exactly 3 arguments.
>>
>> When I remove the "if" portion at the end of the http-response line, it
>> checks fine. I've tried it with multiple different "if" conditions (using
>> various types of acls). If there is any "if" condition, the above error
>> appears.
>>
>> It also concerns me that the error specifies "http-request replace-header",
>> when the config is actually an "http-response replace-header", but that
>> could just be a simple typo. I'm more concerned that I can't seem to get it
>> to accept an "if" condition.
>>
>> I'm very open to the explanation being "oh, well, you configured the line
>> wrong; you forgot to...". I'm out of ideas, though.
>>
>> I'm using 1.5.1, but I've tried the config using 1.5.0 and 1.5.3, and the
>> result is the same. Here's my build info (compiled on CentOS 6.5), if it
>> makes a difference:
>>
>> -------------------------------
>> HA-Proxy version 1.5.3 2014/07/25
>> Copyright 2000-2014 Willy Tarreau <[email protected]>
>>
>> Build options :
>>   TARGET  = linux2632
>>   CPU     = generic
>>   CC      = gcc
>>   CFLAGS  = -O2 -g -fno-strict-aliasing
>>   OPTIONS = USE_ZLIB=1 USE_POLL=default USE_OPENSSL=1 USE_PCRE=1
>>
>> Default settings :
>>   maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
>>
>> Encrypted password support via crypt(3): no
>> Built with zlib version : 1.2.3
>> Compression algorithms supported : identity, deflate, gzip
>> Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
>> Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
>> OpenSSL library supports TLS extensions : yes
>> OpenSSL library supports SNI : yes
>> OpenSSL library supports prefer-server-ciphers : yes
>> Built with PCRE version : 7.8 2008-09-05
>> PCRE library supports JIT : no (USE_PCRE_JIT not set)
>> Built with transparent proxy support using: IP_TRANSPARENT IP_FREEBIND
>>
>> Available polling systems :
>>        poll : pref=200,  test result OK
>>      select : pref=150,  test result OK
>> Total: 2 (2 usable), will use poll.
>> -------------------------------
>>
>> Any thoughts?
>>
>>  - Jon
>>
>>
>>
>> NOTICE: This email message is for the sole use of the intended recipient(s)
>> and may contain confidential and privileged information. Any unauthorized
>> review, use, disclosure or distribution is prohibited. If you are not the
>> intended recipient, please contact the sender by reply email and destroy all
>> copies of the original message.
>>
>>
>
>
>Hi Jon
>
>There has been a bug (fixed) in 1.5.0 and 1.5.1 on this feature.
>It has been fixed here:
>https://urldefense.proofpoint.com/v1/url?u=http://git.haproxy.org/?p%3Dhaproxy.git%3Ba%3Dcommit%3Bh%3D92df370621b6e1286ef273310ad47371456a5cf0&k=wlPCrglRP6kzT4RbABWMaw%3D%3D%0A&r=Ba5TSsfIG%2FGaAmYncsVzcofx4V7vYqn9mL8OSu2ZU3A%3D%0A&m=uek8wOcPHbn1YGwAZ%2By%2FYXoYGT%2FChpg22z5KYhLeVlU%3D%0A&s=eaa40eaa1a949234128e6a37453e4b3af3f91fcda3b099a2d365773414c94fd5
>
>So running 1.5.2 or 1.5.3 should be fine.
>Please test again with a 1.5.3 binary.
>
>Baptiste

Thanks for the reply, Baptiste. I probably put too much information in the
first message, but here's an appropriate quote: "I'm using 1.5.1, but I've
tried the config using 1.5.0 and 1.5.3, and the result is the same."

The problem still exists in the 1.5.3 binary.

 - Jon
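
Added example, not part of the original thread and not HAProxy code: a Python model of the Location rewrite discussed above, for checking which header values the thread's pattern actually upgrades to https. It uses Python's re module rather than HAProxy's regex engine, assumes Location carries an absolute URL, and the sample values and STRICT_PATTERN are constructed for illustration.

```python
import re

# Match pattern and replacement taken from the http-response line in the thread.
PAGE_PATTERN = r"(http)(://[^/]*\.something\.edu.*)"
REPLACEMENT = r"\1s\2"

# Hypothetical stricter pattern (not from the thread): the host must END in
# ".something.edu", optionally followed by a port, then a path/query/fragment.
STRICT_PATTERN = r"(http)(://[^/?#]*\.something\.edu(?::\d+)?(?:[/?#].*)?)$"

# Constructed Location values, not captured traffic.
SAMPLES = [
    "http://www.something.edu/login",
    "http://portal.something.edu:8080/app?next=/home",
    "https://www.something.edu/already-secure",
    "http://something.edu/no-subdomain",
    "http://cdn.example.net/asset.js",
    "http://www.something.edu.example.net/landing",
]


def rewrite_location(value, ssl_frontend, pattern=PAGE_PATTERN):
    """Return the Location value the client would receive.

    ssl_frontend stands in for the rule's condition ('if { ssl_fc }' or
    'if port-443'); without it the header is passed through untouched.
    """
    if not ssl_frontend:
        return value
    m = re.match(pattern, value)
    return m.expand(REPLACEMENT) if m else value


def compare(samples=SAMPLES):
    """Map each sample to (result with page pattern, result with strict one)."""
    return {
        v: (rewrite_location(v, True), rewrite_location(v, True, STRICT_PATTERN))
        for v in samples
    }


if __name__ == "__main__":
    for value, (page, strict) in compare().items():
        print(f"{value}\n  page:   {page}\n  strict: {strict}")
```

The thread's pattern leaves the bare "something.edu" host untouched and also rewrites a host that only contains ".something.edu" as a prefix of a longer name; the stricter pattern differs only on the latter.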



