Dear Igor and Aleks,

Thank you for your insights.  Very useful to us, as we are implementing HAProxy for the first time. Below we have described how we have implemented your advice and the result. Output of "haproxy -vv" is given at the end.

We have also provided the configuration file and relevant logs. We would appreciate any insights to replace the internal IP address occurring in server-response URL with the externally valid domain name either by using the rewriting of Location and Host headers or the complete URL, using %HP.

We would like to access Product1 via URL:
https://coscend.com:14443/Product1/
Output URL from the Product1 server should be:
https://coscend.com:14443/Product1/signin?xyz

What we are getting:   http://Internal_IP:14443/Product1/signin?xyz

----------
Responses to your insights / questions

@ Aleks:  Yes, Tomcat has a reverse proxy setting for our Product1.  Can we
not have two reverse proxies to Product1?

@Igor,

(1) As you rightly pointed out, we are getting http, not https

(2) As you advised, we moved these two lines from backend to frontend, but did not find any change.

    acl hdr_location res.hdr(Location) -m found
    rspirep ^(Location:)\ (https?://([^/]*))/(.*)$    \1\ http://\3/Product1/\4 if hdr_location

(3) Configuration file

global
    log         127.0.0.1 local2
    log-tag     haproxy
    chroot      /var/haproxy/lib
    pidfile     /var/run/haproxy.pid
    user        haproxy
    group       haproxy
    nbproc      1
    maxconn     5000
    spread-checks 5
    daemon
    #debug
    stats socket  /var/haproxy/lib/stats

    ######
    #   SSL section
    ######
    maxsslconn     256
    tune.ssl.default-dh-param 4096
    ca-base /path/to/directory/of/server.pem


#---------------------------------------------------------------------
# Defaults
#---------------------------------------------------------------------
defaults
    mode        http
    log         global
    option      httplog
    option      forwardfor
    option      abortonclose
    option      http-server-close
    option      redispatch
    retries     3
    timeout queue           10s
    timeout client          50000ms
    timeout server          50000ms
    timeout connect         5000ms
    timeout http-keep-alive 10s
    timeout http-request    5s
    timeout check           10s
    maxconn                 50000

frontend webapps-frontend
    bind          *:80 name http
    bind          *:443 name https ssl crt /path/to/server.pem

    log           global
    option        forwardfor
    option        httplog clf

    reqadd X-Forwarded-Proto:\ https if { ssl_fc }
    reqadd X-Forwarded-Proto:\ http if !{ ssl_fc }
    #http-request add-header X-Forwarded-Proto:\ https if { ssl_fc }  # Don't know how to use it instead of reqadd
    #http-request add-header X-Forwarded-Proto:\ http if !{ ssl_fc }   # Don't know how to use it instead of reqadd

    acl host_https    req.hdr(Host) coscend.com:14443  # 14443 is due to port forwarding deployment
    acl path_subdomain_p1 path_beg -i /Product1

    use_backend subdomain_p1-backend if host_https path_subdomain_p1

backend subdomain_p1-backend
    http-request set-header Host <internal_IPxx.yy.zz.ww:portpppp>
    reqirep ^([^\ ]*)\ /Product1/?([^\ ]*)\ (.*)$       \1\ /Product1\2\ \3

    acl hdr_location res.hdr(Location) -m found
    #http-response replace-header Host (.*) %%HP if hdr_location # This is not working
    rspirep ^(Location:)\ (https?://([^/]*))/(.*)$    \1\ http://\3/Product1/\4 if hdr_location

    server Product1.VM0 <internal_IPxx.yy.zz.ww:portpppp> cookie c check

listen stats 10.10.10.51:8885
    stats         enable
    stats auth    [username]:[password]
    stats         hide-version
    stats         show-node
    stats         uri /stats
    stats realm Haproxy\ Statistics
    monitor-uri /monitor
    stats refresh 10s
    stats         show-legends

Notice.log
Oct  7 15:42:34 localhost haproxy[12886]: Proxy webapps-frontend started.
Oct  7 15:42:34 localhost haproxy[12886]: Proxy webapps-frontend started.
Oct  7 15:42:34 localhost haproxy[12886]: Proxy webapps-backend started.
Oct  7 15:42:34 localhost haproxy[12886]: Proxy webapps-backend started..
Oct  7 15:42:34 localhost haproxy[12886]: Proxy subdomain_p1-backend started.
Oct  7 15:42:34 localhost haproxy[12886]: Proxy Test-stats started.


Info.log
Oct  7 15:42:44 localhost haproxy[12887]: 192.168.100.153:58163 [07/Oct/2015:15:42:44.455] Test-stats Test-stats/<STATS> 12/0/0/0/12 200 29869 - - LR-- 1/1/0/0/0 0/0 "GET /stats HTTP/1.1"
Oct  7 15:42:44 localhost haproxy[12887]: 192.168.100.153:58163 [07/Oct/2015:15:42:44.467] Test-stats Test-stats/<NOSRV> 154/-1/-1/-1/154 503 213 - - SC-- 0/0/0/0/0 0/0 "GET /favicon.ico HTTP/1.1"
Oct  7 15:42:54 localhost haproxy[12887]: 192.168.100.153:58164 [07/Oct/2015:15:42:54.571] Test-stats Test-stats/<STATS> 7/0/0/0/7 200 29930 - - LR-- 1/1/0/0/0 0/0 "GET /stats HTTP/1.1"
Oct  7 15:42:54 localhost haproxy[12887]: 192.168.100.153:58164 [07/Oct/2015:15:42:54.579] Test-stats Test-stats/<NOSRV> 175/-1/-1/-1/175 503 213 - - SC-- 0/0/0/0/0 0/0 "GET /favicon.ico HTTP/1.1"
Oct  7 15:43:04 localhost haproxy[12887]: 192.168.100.153:58166 [07/Oct/2015:15:43:04.678] Test-stats Test-stats/<STATS> 5/0/0/0/6 200 29983 - - LR-- 1/1/0/0/0 0/0 "GET /stats HTTP/1.1"
Oct  7 15:43:04 localhost haproxy[12887]: 192.168.100.153:58166 [07/Oct/2015:15:43:04.684] Test-stats Test-stats/<NOSRV> 78/-1/-1/-1/78 503 213 - - SC-- 0/0/0/0/0 0/0 "GET /favicon.ico HTTP/1.1"
Oct  7 15:43:05 localhost haproxy[12887]: 192.168.100.153 - - [07/Oct/2015:20:43:05 +0000] "<BADREQ>" 400 188 "" "" 58168 734 "webapps-frontend~" "webapps-frontend" "<NOSRV>" -1 -1 -1 -1 57 CR-- 1 1 0 0 0 0 0 "" ""
Oct  7 15:43:05 localhost haproxy[12887]: 192.168.100.153 - - [07/Oct/2015:20:43:05 +0000] "<BADREQ>" 400 188 "" "" 58168 734 "webapps-frontend~" "webapps-frontend" "<NOSRV>" -1 -1 -1 -1 57 CR-- 1 1 0 0 0 0 0 "" ""
Oct  7 15:43:05 localhost haproxy[12887]: 192.168.100.153 - - [07/Oct/2015:20:43:05 +0000] "<BADREQ>" 400 188 "" "" 58169 766 "webapps-frontend~" "webapps-frontend" "<NOSRV>" -1 -1 -1 -1 26 CR-- 0 0 0 0 0 0 0 "" ""
Oct  7 15:43:05 localhost haproxy[12887]: 192.168.100.153 - - [07/Oct/2015:20:43:05 +0000] "<BADREQ>" 400 188 "" "" 58169 766 "webapps-frontend~" "webapps-frontend" "<NOSRV>" -1 -1 -1 -1 26 CR-- 0 0 0 0 0 0 0 "" ""
Oct  7 15:43:06 localhost haproxy[12887]: 192.168.100.153 - - [07/Oct/2015:20:43:06 +0000] "<BADREQ>" 400 188 "" "" 58170 068 "webapps-frontend~" "webapps-frontend" "<NOSRV>" -1 -1 -1 -1 42 CR-- 0 0 0 0 0 0 0 "" ""
Oct  7 15:43:06 localhost haproxy[12887]: 192.168.100.153 - - [07/Oct/2015:20:43:06 +0000] "<BADREQ>" 400 188 "" "" 58170 068 "webapps-frontend~" "webapps-frontend" "<NOSRV>" -1 -1 -1 -1 42 CR-- 0 0 0 0 0 0 0 "" ""
Oct  7 15:43:06 localhost haproxy[12887]: 192.168.100.153 - - [07/Oct/2015:20:43:06 +0000] "GET /Product1 HTTP/1.1" 302 184 "" "" 58171 114 "webapps-frontend~" "subdomain_p1-backend" "Product1.VM0" 36 0 0 4 40 ---- 1 1 0 1 0 0 0 "" ""
Oct  7 15:43:06 localhost haproxy[12887]: 192.168.100.153 - - [07/Oct/2015:20:43:06 +0000] "GET /Product1 HTTP/1.1" 302 184 "" "" 58171 114 "webapps-frontend~" "subdomain_p1-backend" "Product1.VM0" 36 0 0 4 40 ---- 1 1 0 1 0 0 0 "" ""

===========================

Output of "haproxy -vv":

HA-Proxy version 1.5.14 2015/07/02
Copyright 2000-2015 Willy Tarreau <wi...@haproxy.org>

Build options :
  TARGET  = linux2628
  CPU     = native
  CC      = gcc
  CFLAGS  = -m64 -march=x86-64 -O2 -march=native -g -fno-strict-aliasing
  OPTIONS = USE_CTTPROXY=1 USE_LIBCRYPT=1 USE_CRYPT_H=1 USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_TFO=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : yes
Built with transparent proxy support using: CTTPROXY IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.



--
Sincerely,

Susheel Jalali

Coscend Communications Solutions
Web site: www(DOT)Coscend(DOT)com
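
An added example, not part of the thread or of HAProxy's code: a Python model of the posted `rspirep` substitution run over constructed `Location` headers, next to a rewrite that emits the public origin instead. The backend address `192.0.2.10:14443`, the function names and the allow-list of backend authorities are assumptions made for the illustration.

```python
import re

# Public origin and path prefix are taken from the thread.
PUBLIC_ORIGIN = "https://coscend.com:14443"
PREFIX = "Product1"

# The posted rspirep pattern; HAProxy's "\ " (escaped space) is a plain space here.
# IGNORECASE mirrors the "i" in rspirep.
LOCATION = re.compile(r"^(Location:) (https?://([^/]*))/(.*)$", re.IGNORECASE)


def posted_rule(line):
    """Substitution from the posted config: scheme fixed to http, host copied from group 3."""
    return LOCATION.sub(r"\1 http://\3/Product1/\4", line)


def public_rule(line, backend_authorities):
    """Rewrite redirects that point at a known backend to the public origin."""
    m = LOCATION.match(line)
    if m is None or m.group(3) not in backend_authorities:
        return line  # relative or third-party redirect: leave untouched
    path = m.group(4)
    if path != PREFIX and not path.startswith(PREFIX + "/"):
        path = f"{PREFIX}/{path}"  # add the prefix once, never twice
    return f"{m.group(1)} {PUBLIC_ORIGIN}/{path}"


# Constructed sample responses (192.0.2.10 is a documentation address
# standing in for the internal server).
BACKENDS = {"192.0.2.10:14443"}
SAMPLES = [
    "Location: https://192.0.2.10:14443/signin?xyz",
    "Location: http://192.0.2.10:14443/Product1/signin?xyz",
    "Location: https://idp.example.org/login",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s)
        print("  posted:", posted_rule(s))
        print("  public:", public_rule(s, BACKENDS))
```

Because the posted replacement reuses capture group 3 and hard-codes `http://`, its output keeps the backend's address and drops TLS whenever it matches, and it also alters redirects to unrelated hosts.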


Date: Wed, 07 Oct 2015 09:24:39 +0200
From: Aleksandar Lazic <al-hapr...@none.at>

Hi Susheel Jalali.

#> please can you show us the output of haproxy -vv

On 06-10-2015 22:06, Susheel Jalali wrote:
> Dear HAProxy Developers,
>
> After incorporating insights from Bryan Talbot and articles from
> Baptiste Assman on HAProxy Web site, we have been able to get the basic
> configuration of HAProxy going.  Now we are adding configuration to
> access specific products in our LAN.
>
> We would like to access Product1 via URL:
> https://coscend.com:14443/Product1/
>
> Output URL from the Product1 server should be:
> https://coscend.com:14443/Product1/signin?xyz
>
> What we are getting:   https://Internal_IP:14443/Product1/signin?xyz

#> Does the product have a 'proxy' setting like Tomcat?
#> http://tomcat.apache.org/tomcat-8.0-doc/proxy-howto.html
#> or something like 'public' or 'external' URL Option or Setting?

> The server presents the right page, but with internal IP address of the
> server.  Hence, the product can only be accessed from internal LAN, not
> from WAN.  What are we missing?

[snipp]

#> As Igor mentioned in his mail, do you have any Warning Messages at Startup?

Cheers Aleks


On Wed, 7 Oct 2015 11:14:12 +1100 <ig...@encompasscorporation.com> commented inline (#>):

On Wed, Oct 7, 2015 at 7:06 AM, Susheel Jalali <susheel.jal...@coscend.com> wrote:

    Dear HAProxy Developers,

    After incorporating insights from Bryan Talbot and articles from Baptiste Assman on HAProxy Web site, we have been able to get the basic configuration of HAProxy going. Now we are adding configuration to access specific products in our LAN.

    We would like to access Product1 via URL:
    https://coscend.com:14443/Product1/

    Output URL from the Product1 server should be:
    https://coscend.com:14443/Product1/signin?xyz

    What we are getting:   https://Internal_IP:14443/Product1/signin?xyz

    The server presents the right page, but with internal IP address of the server. Hence, the product can only be accessed from internal LAN, not from WAN. What are we missing?

    Below is the configuration deployed.

    global
    […]

    default
    […]


   frontend webapps-frontend
      bind          *:80 name http
      bind          *:443 name https ssl crt /path/to/server.pem

      log           global
      option        forwardfor
      option        httplog clf

      reqadd X-Forwarded-Proto:\ https if { ssl_fc }
      reqadd X-Forwarded-Proto:\ http if !{ ssl_fc }
      #http-request add-header X-Forwarded-Proto:\ https if { ssl_fc } # Don't know how to use it instead of reqadd
      #http-request add-header X-Forwarded-Proto:\ http if !{ ssl_fc } # Don't know how to use it instead of reqadd

      acl host_https req.hdr(Host) coscend.com:14443 # 14443 is due to port forwarding deployment
      acl path_subdomain_p1 path_beg -i /Product1

      use_backend subdomain_p1-backend if host_https path_subdomain_p1

    backend subdomain_p1-backend
        http-request set-header Host <internal_IPxx.yy.zz.ww:portpppp>
        reqirep ^([^\ ]*)\ /Product1/?([^\ ]*)\ (.*)$ \1\ /Product1\2\ \3

        acl hdr_location res.hdr(Location) -m found
        #http-response replace-header Host (.*) %%HP if hdr_location # This is not working
        rspirep ^(Location:)\ (https?://([^/]*))/(.*)$ \1\ http://\3/Product1/\4 if hdr_location

#> What happens if you move these two from the backend into the frontend section (I believe that's where they belong):
    acl hdr_location res.hdr(Location) -m found
    rspirep ^(Location:)\ (https?://([^/]*))/(.*)$ \1\ http://\3/Product1/\4 if hdr_location

#> Also in the rspirep you are rewriting https to http but you say the response you are seeing is still with https:

https://Internal_IP:14443/Product1/signin?xyz

#> which most probably means that condition is not working for sure.

#> In case you are serving a single domain maybe simplifying this to begin with may help:

rspirep ^(Location:)\ https?://[^/]*/(.*)$ \1\ http://coscend.com/Product1/\2 if hdr_location

#> Also any messages during haproxy startup or in the haproxy log indicating possible issues? Something along the lines of "this and this statement will never match due to bla bla".


   server Product1.VM0 <internal_IPxx.yy.zz.ww:portpppp> cookie c check


    Thank you.
    --

    Sincerely,

    Susheel Jalali

www.Coscend.com