On Mon, Aug 17, 2015 at 9:54 AM, Lukas Erlacher <[email protected]> wrote: > Hello, > > I'm a new haproxy user (using haproxy 1.5) and I'm running into a few > hitches. > > I made a stats backend: > >> backend bk_stats >> log global >> mode http >> stats enable >> stats uri / >> stats scope ft_submission >> stats scope bk_postfix > > > And because I wanted to have users authed by ssl client certificate, I put > some http-response add-header statements into the frontend for debugging: > >> frontend ft_stats >> log global >> mode http >> bind 131.159.42.4:443 ssl crt myserver.combined.key.pem ca-file >> mycafile.pem verify required no-sslv3 no-tlsv10 no-tlsv11 >> http-response add-header X-SSL-Client-CN %[ssl_c_s_dn(cn)] >> http-response add-header X-SSL-Client-E >> %[ssl_c_s_dn(emailAddress)] >> http-response add-header X-SSL-Client-DN %[ssl_c_s_dn] >> acl cn_allowed ssl_c_s_dn(emailAddress) -f >> /etc/haproxy/haproxy_admins >> #acl cn_allowed always_true >> use_backend bk_ssl_error unless cn_allowed >> default_backend bk_stats > > > However, these headers won't show up in the response. They also won't show > up if I put the add-header statements into the backend. It seems that "stats > enable" disregards http-response lines. There is a "stats http-request" > option but that doesn't allow adding any headers. > > As a workaround I just shimmed in another frontend and backend where I put > the http-request add-header lines. [1] > > I believe that this is a bug, at least in the way that nothing in the > documentation hints that "http-request add-header" in a /frontend/ will be > ignored if the /backend/ has stats enabled. In fact, the documentation for > http-response [2] states > >> Since these rules apply on responses, the backend >> rules are applied first, followed by the frontend's rules. > > > So whatever response the backend delivers to the frontend should have no > influence on the headers being added by the frontend. > > Can anyone more experienced with haproxy tell me if this is really a bug or > if I am just doing something wrong? > > Best regards, > Luke > > [1] http://ix.io/kiO > [2] > https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-http-response >
Hi Lukas, Actually, you're setting response headers with data available only at the request time. This is not possible in HAProxy 1.5 This will be possible in HAProxy 1.6 using the capture statement. Baptiste
