I tested a little more... You're right, redirect is done before the use-server, independent of the position of these commands in the configuration file (this is clear in the manual for use-server), but there is another problem: as far as I can test, resp<action> is not done if the acl works on request data; I think haproxy works separately on request / response. So the two lines below cannot work without a state table or something like that:

acl ass1 path_beg -i /something           --> path based on request
rspadd X-YES-TEST:\ TEST1__YES if ass1    --> manipulation of the response

Also, call "app_ass_UNIQUE_web1_" = fake URL Path

use-server does not change cookie persistence (does not change client cookie with that configured for the used-server), so as soon as the fake URL Path is removed before sending the request to the backend server, or the backend server redirects or something like that, haproxy cannot find the fake URL Path anymore and cannot send the request to the same server. Persistent cookie works separately from use-server, so it can be different from that specified in use-server.

These 2 things together make it impossible to use a Fake URL Path to choose a backend server without doing something on the client or/and the backend server part (adding a test page that sets a cookie on the backend server, setting in some manner the persistent cookie on the client, etc.).

It can be very useful to be able to do persistence based on a fake request without creating a fake backend with a single backend server, which can probably be a solution, but not very scalable:

1. Can do request - response relation as in the rspadd example above.
2. Can do use-server before redirect and can choose to persist the cookie for the backend server directed by use-server.
3. Another possible solution can be Haproxy doing, like for the persistence cookie, hiding the Fake URL Path from the request to the backend server but maintaining the Fake URL Path in the response, so for a specific URL haproxy can manage this behavior, allowing actual haproxy rules to be used as the client always sends the Fake URL Path, without breaking the client-server communications.

Tell me if I'm wrong and if there is a possibility to add such a feature if it is not just present.

Thank you very much.

Roberto

From: mlist
Sent: Friday 31 July 2015 22.18
To: 'Cyril Bonté'; [email protected]
Subject: RE: use_server

This is the haproxy configuration file. I don't know if the acl or the use-server do not match...
I do not have any tool to check which of the two does not work.

Example URL to use server web1: http://www.mydom1.net/app1/app_ass_UNIQUE_web1_
Example URL to use server web4: http://www.mydom1.net/app1/app_ass_UNIQUE_web4_
Example URL to use server web10: http://www.mydom1.net/app1/app_ass_UNIQUE_web10_

Thank you for your help...

#---------------------------------------------------------------------
# Global Settings
#---------------------------------------------------------------------
global
    log 127.0.0.1:514 local0
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 10000
    daemon
    quiet
    tune.ssl.default-dh-param 2048

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats
    ssl-default-bind-options no-sslv3

#---------------------------------------------------------------------
# Common Defaults that all the listen and backend
# will use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 5m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 10000
    stats enable
    stats uri /haproxy_Stats

#---------------------------------------------------------------------
# Mailer Configuration
#---------------------------------------------------------------------
mailers aaamailer1
    mailer smtp1 172.16.0.x:2025

#---------------------------------------------------------------------
# Main Frontend
#---------------------------------------------------------------------
frontend main_fe
    mode http
    bind *:80
    bind *:443 ssl crt /etc/pki/tls/haproxy.cert/haproxy_ucc.pem crt /etc/pki/tls/haproxy.cert ciphers ECDHE-RSA-AES256-SHA:RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM

    ### Redirect specific request to https
    option forwardfor
    option http-server-close
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }

    acl backend_down nbsrv(def_backend) lt 1
    monitor fail if backend_down
    monitor-uri /haproxy_check

    acl dom_demo hdr_dom(host) -i demo.mydom1.net
    acl mydemo path_beg -i /Demo1
    use_backend sic_demo_be if dom_demo mydemo
    use_backend hsic_demo_be if dom_demo !mydemo

    acl leave_http hdr_dom(host) -i www.extdom1.it
    acl leave_http hdr_dom(host) -i www.extdom2.it
    acl leave_http hdr_dom(host) -i upd.mydom1.net
    redirect scheme https if !leave_http !{ ssl_fc }

    ### for debug only ###
    ### response debug info
    acl id_web1 srv_id 1
    acl id_web4 srv_id 4
    acl id_web10 srv_id 10
    acl id_demo1_tom srv_id 200
    acl id_demo1_iis srv_id 201
    rspadd X-APS-Servedby:\ web1 if id_web1
    rspadd X-APS-Servedby:\ web4 if id_web4
    rspadd X-APS-Servedby:\ web10 if id_web10
    rspadd X-APS-Servedby:\ demo1_tom if id_demo1_tom
    rspadd X-APS-Servedby:\ demo1_iis if id_demo1_iis

    default_backend def_backend

#---------------------------------------------------------------------
# Main Backend
#---------------------------------------------------------------------
backend def_backend
    mode http
    balance roundrobin

    ### Cookie Insert Method
    cookie ha_srvid insert indirect nocache

    email-alert mailers aaamailer1
    email-alert from aps."$haproxy_hostname"@mydom.it
    email-alert to [email protected]
    email-alert myhostname smtp1
    email-alert level info

    ### app1 persistence
    acl c_web1 hdr_sub(cookie) ha_srvid=web1_
    acl c_web4 hdr_sub(cookie) ha_srvid=web4_
    acl c_web10 hdr_sub(cookie) ha_srvid=web10_
    reqadd X-APS-Backend-Server:\ web1_ if c_web1
    reqadd X-APS-Backend-Server:\ web4_ if c_web4
    reqadd X-APS-Backend-Server:\ web10_ if c_web10

    # acl aps_ass_web1 path_reg (.*)\/app_ass_UNIQUE_web1_(.*)
    acl aps_ass_web1 path_end /app_ass_UNIQUE_web1_
    # acl aps_ass_web4 path_reg (.*)\/app_ass_UNIQUE_web4_(.*)
    acl aps_ass_web4 path_end /app_ass_UNIQUE_web4_
    # acl aps_ass_web10 path_reg (.*)\/app_ass_UNIQUE_web10_(.*)
    acl aps_ass_web10 path_end /app_ass_UNIQUE_web10_

    use-server web1 if aps_ass_web1
    use-server web4 if aps_ass_web4
    use-server web10 if aps_ass_web10

    reqirep (.*)\/app_ass_UNIQUE_web[0-9]*_(.*) \1\2

    server web1 192.168.1.50:80 check inter 5s weight 50 id 1 cookie web1_
    server web4 192.168.1.54:80 check inter 5s weight 50 id 4 cookie web4_
    server web10 192.168.1.53:80 check inter 5s weight 50 id 10 cookie web10_

#---------------------------------------------------------------------
# Sic Demo Backend
#---------------------------------------------------------------------
backend sic_demo_be
    mode http
    balance roundrobin
    cookie ha_srvid insert indirect nocache

    email-alert mailers aaamailer1
    email-alert from aps."$haproxy_hostname"@mydom.it
    email-alert to [email protected]
    email-alert myhostname smtp1
    email-alert level info

    reqirep (.*)\/demo1(.*) \1/Demo1\2
    redirect scheme https if !{ ssl_fc }

    server demo1 192.168.1.x:8080 check inter 5s weight 50 id 200 cookie demo1_tom

#---------------------------------------------------------------------
# HSic Demo Backend
#---------------------------------------------------------------------
backend hsic_demo_be
    mode http
    balance roundrobin
    cookie ha_srvid insert indirect nocache

    email-alert mailers aaamailer1
    email-alert from aps."$haproxy_hostname"@mydom.it
    email-alert to [email protected]
    email-alert myhostname smtp1
    email-alert level info

    redirect scheme https if !{ ssl_fc }

    server demo1 192.168.1.x:80 check inter 5s weight 50 id 201 cookie demo1_iis

Roberto

-----Original Message-----
From: Cyril Bonté [mailto:[email protected]]
Sent: Wednesday 29 July 2015 16.33
To: mlist; [email protected]
Subject: Re: use_server

Hi,

On 29/07/2015 13:07, mlist wrote:
> We have 3 backend servers balanced with haproxy with "cookie insert" option
> and ssl redirection.
> For our help desk, we need operators can access a specific backend server to
> check specific server when we have problems on this backend server.
>
> We try to do that with the following section, so no hosts file nor DNS
> mapping and special binding on backend servers are needed to access specific
> backend server, maintaining the right cookie after use_server.
>
> We have 3 backend servers: web1, web4 and web10. We want to go on:
> web1 if in the URL haproxy find " aps_ass_UNIQUE_web1_" -> ex:
> http://<mydomain>/app1/aps_ass_UNIQUE_web1_
> web4 if in the URL haproxy find " aps_ass_UNIQUE_web4_" -> ex:
> http://<mydomain>/app1/aps_ass_UNIQUE_web4_
> web4 if in the URL haproxy find " aps_ass_UNIQUE_web10_" -> ex:
> http://<mydomain>/app1/aps_ass_UNIQUE_web10_
>
> Following configuration does not work, can you help to identify a solution ?
>
> acl aps_ass_web1 path_reg (.*)\/aps_ass_UNIQUE_web1_(.*)
> acl aps_ass_web4 path_reg (.*)\/aps_ass_UNIQUE_web4_(.*)
> acl aps_ass_web10 path_reg (.*)\/aps_ass_UNIQUE_web10_(.*)
> reqirep (.*)\/aps_ass_UNIQUE_web[0-9]*_(.*) \1\2
> use-server web1 if aps_ass_web1
> use-server web4 if aps_ass_web4
> use-server web10 if aps_ass_web10

I see several issues here.

1. One you haven't met yet: your "reqirep" pattern will delete the "/" at the beginning, which may produce some "400 Bad Request" on the backend.
   Example:
     GET /aps_ass_UNIQUE_web1_index.html HTTP/1.1
   will be replaced by
     GET index.html HTTP/1.1

2. reqirep is executed *BEFORE* the evaluation of use-server. So the routing information has already disappeared when it is time to choose a server with "use-server".

3. Without any other details (please provide a more complete configuration next time), I assume that you'll meet another issue due to cookie persistence. You'll probably want to have a look at "force-persist".

Why not choose a combination of cookie persistence and force-persist instead of doing some magic with the URLs?

--
Cyril Bonté
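
Added example (not part of the original thread, and not HAProxy code): a simplified Python model of issues 1 and 2 above, using the regex and ACLs quoted in the first message. It assumes reqirep replaces the whole matching line and that use-server takes the first matching path_reg ACL; the FIXED rule and all function names are hypothetical.

```python
import re

# Rule quoted in the thread: reqirep <regex> <replacement> (case-insensitive).
ORIG = (r"(.*)\/aps_ass_UNIQUE_web[0-9]*_(.*)", r"\1\2")
# Assumed correction, not from the thread: re-insert the "/" the match consumed.
FIXED = (r"(.*)/aps_ass_UNIQUE_web[0-9]*_(.*)", r"\1/\2")
# The three path_reg ACLs from the thread, keyed by the server they select.
ACLS = {f"web{n}": re.compile(rf"(.*)\/aps_ass_UNIQUE_web{n}_(.*)")
        for n in (1, 4, 10)}


def rewrite(line, rule):
    """Simplified reqirep: when the regex matches, the whole line is replaced."""
    pattern, replacement = rule
    match = re.search(pattern, line, re.IGNORECASE)
    return match.expand(replacement) if match else line


def request_path(request_line):
    """Return the path of 'METHOD URI VERSION', or None if it is malformed."""
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[1].startswith("/"):
        return None
    return parts[1].split("?", 1)[0]


def pick_server(request_line):
    """Simplified use-server: the first ACL matching the path wins."""
    path = request_path(request_line)
    if path is None:
        return None
    for server, acl in ACLS.items():
        if acl.search(path):
            return server
    return None  # no match: normal balancing / cookie persistence applies


def trace(request_line, rule):
    """Rewrite first (the order described in the thread), then route."""
    rewritten = rewrite(request_line, rule)
    return rewritten, request_path(rewritten), pick_server(rewritten)


if __name__ == "__main__":
    for sample in ("GET /aps_ass_UNIQUE_web1_index.html HTTP/1.1",  # from the thread
                   "GET /app1/aps_ass_UNIQUE_web10_ HTTP/1.1"):     # constructed
        print("routing intent:", pick_server(sample))
        print("  original rule:", trace(sample, ORIG))
        print("  fixed rule:   ", trace(sample, FIXED))
```

Even with the slash restored, the rewritten request no longer selects a server, which is why the reply points to cookie persistence instead of URL rewriting.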

