On Fri, Aug 8, 2014 at 4:32 PM, Jon Fullmer <[email protected]> wrote:
> On 8/6/14, 12:45 AM, "Baptiste" <[email protected]> wrote:
>
>> On Tue, Aug 5, 2014 at 6:52 PM, Jon Fullmer <[email protected]> wrote:
>>> No thoughts? Did I provide too much information? Not enough?
>>>
>>> - Jon
>>>
>>> From: Jon Fullmer <[email protected]>
>>> Date: Tuesday, July 29, 2014 at 3:54 PM
>>> To: "[email protected]" <[email protected]>
>>> Subject: http-response syntax
>>>
>>> I suspect I just don't understand "http-response"'s syntax, or I might have
>>> discovered a bug.
>>>
>>> What I'm trying to do:
>>>
>>> I need to have haproxy intercept backend server responses containing an HTTP
>>> Location header, and change the "http:" of the URL in the contents to
>>> "https:" IF the session is over SSL and IF the FQDN in the URL in the
>>> Location header is, say, "*.something.edu".
>>>
>>> Here's how I'm doing it today (inside the frontend), and it works:
>>>
>>>     acl port-443 dst_port 443
>>>     rsprep ^(Location:\ http)(://[^/]*\.something\.edu.*) \1s\2 if port-443
>>>
>>> Here's how I'd like to do it using "http-response":
>>>
>>>     http-response replace-header Location (http)(://[^/]*\.something\.edu.*) \1s\2 if { ssl_fc }
>>>
>>> When I run an "haproxy -c" on the http-response config, I'm greeted with:
>>>
>>>     [ALERT] 209/213332 (25548) : parsing [./haproxy.cfg:43]: 'http-request replace-header' expects exactly 3 arguments.
>>>
>>> When I remove the "if" portion at the end of the http-response line, it
>>> checks fine. I've tried it with multiple different "if" conditions (using
>>> various types of acls). If there is any "if" condition, the above error
>>> appears.
>>>
>>> It also concerns me that the error specifies "http-request replace-header",
>>> when the config is actually an "http-response replace-header", but that
>>> could just be simple typo. I'm more concerned that I can't seem to get it to
>>> accept an "if" condition.
>>>
>>> I'm very open to the explanation being "oh, well, you configured the line
>>> wrong; you forgot to...". I'm out of ideas, though.
>>>
>>> I'm using 1.5.1, but I've tried the config using 1.5.0 and 1.5.3, and the
>>> result is the same. Here's my build info (compiled on CentOS 6.5), if it
>>> makes a difference:
>>>
>>> -------------------------------
>>> HA-Proxy version 1.5.3 2014/07/25
>>> Copyright 2000-2014 Willy Tarreau <[email protected]>
>>>
>>> Build options :
>>>   TARGET  = linux2632
>>>   CPU     = generic
>>>   CC      = gcc
>>>   CFLAGS  = -O2 -g -fno-strict-aliasing
>>>   OPTIONS = USE_ZLIB=1 USE_POLL=default USE_OPENSSL=1 USE_PCRE=1
>>>
>>> Default settings :
>>>   maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
>>>
>>> Encrypted password support via crypt(3): no
>>> Built with zlib version : 1.2.3
>>> Compression algorithms supported : identity, deflate, gzip
>>> Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
>>> Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
>>> OpenSSL library supports TLS extensions : yes
>>> OpenSSL library supports SNI : yes
>>> OpenSSL library supports prefer-server-ciphers : yes
>>> Built with PCRE version : 7.8 2008-09-05
>>> PCRE library supports JIT : no (USE_PCRE_JIT not set)
>>> Built with transparent proxy support using: IP_TRANSPARENT IP_FREEBIND
>>>
>>> Available polling systems :
>>>        poll : pref=200,  test result OK
>>>      select : pref=150,  test result OK
>>> Total: 2 (2 usable), will use poll.
>>> -------------------------------
>>>
>>> Any thoughts?
>>>
>>> - Jon
>>>
>>> NOTICE: This email message is for the sole use of the intended recipient(s)
>>> and may contain confidential and privileged information. Any unauthorized
>>> review, use, disclosure or distribution is prohibited. If you are not the
>>> intended recipient, please contact the sender by reply email and destroy all
>>> copies of the original message.
>>
>> Hi Jon
>>
>> There has been a bug (fixed) in 1.5.0 and 1.5.1 on this feature.
>> It has been fixed here:
>> https://urldefense.proofpoint.com/v1/url?u=http://git.haproxy.org/?p%3Dhaproxy.git%3Ba%3Dcommit%3Bh%3D92df370621b6e1286ef273310ad47371456a5cf0&k=wlPCrglRP6kzT4RbABWMaw%3D%3D%0A&r=Ba5TSsfIG%2FGaAmYncsVzcofx4V7vYqn9mL8OSu2ZU3A%3D%0A&m=uek8wOcPHbn1YGwAZ%2By%2FYXoYGT%2FChpg22z5KYhLeVlU%3D%0A&s=eaa40eaa1a949234128e6a37453e4b3af3f91fcda3b099a2d365773414c94fd5
>>
>> So running 1.5.2 or 1.5.3 should be fine.
>> Please test again with a 1.5.3 binary.
>>
>> Baptiste
>
> Thanks for the reply, Baptiste. I probably put too much information in the
> first message, but here's an appropriate quote: "I'm using 1.5.1, but I've
> tried the config using 1.5.0 and 1.5.3, and the result is the same."
>
> The problem still exists in the 1.5.3 binary.
>
> - Jon

I misunderstood. Your double bug is in the response.
Please give a try to the patch attached.

Baptiste

0001-BUGFIX-Error-http-response-replace-header-number-of-.patch
Description: Binary data

