Dear Igor and Aleks,
Thank you for your insights. Very useful to us, as we are implementing
HAProxy for the first time. Below we have described how we have
implemented your advice and the result. Output of "haproxy -vv" is given
at the end.
We have also provided the configuration file and relevant logs. We
would appreciate any insights to replace the internal IP address
occurring in server-response URL with the externally valid domain name
either by using the rewriting of Location and Host headers or the
complete URL, using %HP.
We would like to access Product1 via URL:
https://coscend.com:14443/Product1/
Output URL from the Product1 server should be:
https://coscend.com:14443/Product1/signin?xyz
What we are getting: http://Internal_IP:14443/Product1/signin?xyz
----------
Responses to your insights / questions
@ Aleks: Yes, Tomcat has a reverse proxy setting for our Product1. Can we
not have two reverse proxies to Product1?
@Igor,
(1) As you rightly pointed out, we are getting http, not https
(2) As you advised, we moved these two lines from backend to frontend,
but did not find any change.
acl hdr_location res.hdr(Location) -m found
rspirep ^(Location:)\ (https?://([^/]*))/(.*)$ \1\ http://\3/Product1/\4 if hdr_location
(3) Configuration file
global
log 127.0.0.1 local2
log-tag haproxy
chroot /var/haproxy/lib
pidfile /var/run/haproxy.pid
user haproxy
group haproxy
nbproc 1
maxconn 5000
spread-checks 5
daemon
#debug
stats socket /var/haproxy/lib/stats
######
# SSL section
######
maxsslconn 256
tune.ssl.default-dh-param 4096
ca-base /path/to/directory/of/server.pem
#---------------------------------------------------------------------
# Defaults
#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option forwardfor
option abortonclose
option http-server-close
option redispatch
retries 3
timeout queue 10s
timeout client 50000ms
timeout server 50000ms
timeout connect 5000ms
timeout http-keep-alive 10s
timeout http-request 5s
timeout check 10s
maxconn 50000
frontend webapps-frontend
bind *:80 name http
bind *:443 name https ssl crt /path/to/server.pem
log global
option forwardfor
option httplog clf
reqadd X-Forwarded-Proto:\ https if { ssl_fc }
reqadd X-Forwarded-Proto:\ http if !{ ssl_fc }
#http-request add-header X-Forwarded-Proto:\ https if { ssl_fc } # Don't know how to use it instead of reqadd
#http-request add-header X-Forwarded-Proto:\ http if !{ ssl_fc } # Don't know how to use it instead of reqadd
acl host_https req.hdr(Host) coscend.com:14443 # 14443 is due to port forwarding deployment
acl path_subdomain_p1 path_beg -i /Product1
use_backend subdomain_p1-backend if host_https path_subdomain_p1
backend subdomain_p1-backend
http-request set-header Host <internal_IPxx.yy.zz.ww:portpppp>
reqirep ^([^\ ]*)\ /Product1/?([^\ ]*)\ (.*)$ \1\ /Product1\2\ \3
acl hdr_location res.hdr(Location) -m found
#http-response replace-header Host (.*) %%HP if hdr_location # This is not working
rspirep ^(Location:)\ (https?://([^/]*))/(.*)$ \1\ http://\3/Product1/\4 if hdr_location
server Product1.VM0 <internal_IPxx.yy.zz.ww:portpppp> cookie c check
listen stats 10.10.10.51:8885
stats enable
stats auth [username]:[password]
stats hide-version
stats show-node
stats uri /stats
stats realm Haproxy\ Statistics
monitor-uri /monitor
stats refresh 10s
stats show-legends
Notice.log
Oct 7 15:42:34 localhost haproxy[12886]: Proxy webapps-frontend started.
Oct 7 15:42:34 localhost haproxy[12886]: Proxy webapps-frontend started.
Oct 7 15:42:34 localhost haproxy[12886]: Proxy webapps-backend started.
Oct 7 15:42:34 localhost haproxy[12886]: Proxy webapps-backend started..
Oct 7 15:42:34 localhost haproxy[12886]: Proxy subdomain_p1-backend started.
Oct 7 15:42:34 localhost haproxy[12886]: Proxy Test-stats started.
Info.log
Oct 7 15:42:44 localhost haproxy[12887]: 192.168.100.153:58163 [07/Oct/2015:15:42:44.455] Test-stats Test-stats/<STATS> 12/0/0/0/12 200 29869 - - LR-- 1/1/0/0/0 0/0 "GET /stats HTTP/1.1"
Oct 7 15:42:44 localhost haproxy[12887]: 192.168.100.153:58163 [07/Oct/2015:15:42:44.467] Test-stats Test-stats/<NOSRV> 154/-1/-1/-1/154 503 213 - - SC-- 0/0/0/0/0 0/0 "GET /favicon.ico HTTP/1.1"
Oct 7 15:42:54 localhost haproxy[12887]: 192.168.100.153:58164 [07/Oct/2015:15:42:54.571] Test-stats Test-stats/<STATS> 7/0/0/0/7 200 29930 - - LR-- 1/1/0/0/0 0/0 "GET /stats HTTP/1.1"
Oct 7 15:42:54 localhost haproxy[12887]: 192.168.100.153:58164 [07/Oct/2015:15:42:54.579] Test-stats Test-stats/<NOSRV> 175/-1/-1/-1/175 503 213 - - SC-- 0/0/0/0/0 0/0 "GET /favicon.ico HTTP/1.1"
Oct 7 15:43:04 localhost haproxy[12887]: 192.168.100.153:58166 [07/Oct/2015:15:43:04.678] Test-stats Test-stats/<STATS> 5/0/0/0/6 200 29983 - - LR-- 1/1/0/0/0 0/0 "GET /stats HTTP/1.1"
Oct 7 15:43:04 localhost haproxy[12887]: 192.168.100.153:58166 [07/Oct/2015:15:43:04.684] Test-stats Test-stats/<NOSRV> 78/-1/-1/-1/78 503 213 - - SC-- 0/0/0/0/0 0/0 "GET /favicon.ico HTTP/1.1"
Oct 7 15:43:05 localhost haproxy[12887]: 192.168.100.153 - - [07/Oct/2015:20:43:05 +0000] "<BADREQ>" 400 188 "" "" 58168 734 "webapps-frontend~" "webapps-frontend" "<NOSRV>" -1 -1 -1 -1 57 CR-- 1 1 0 0 0 0 0 "" ""
Oct 7 15:43:05 localhost haproxy[12887]: 192.168.100.153 - - [07/Oct/2015:20:43:05 +0000] "<BADREQ>" 400 188 "" "" 58168 734 "webapps-frontend~" "webapps-frontend" "<NOSRV>" -1 -1 -1 -1 57 CR-- 1 1 0 0 0 0 0 "" ""
Oct 7 15:43:05 localhost haproxy[12887]: 192.168.100.153 - - [07/Oct/2015:20:43:05 +0000] "<BADREQ>" 400 188 "" "" 58169 766 "webapps-frontend~" "webapps-frontend" "<NOSRV>" -1 -1 -1 -1 26 CR-- 0 0 0 0 0 0 0 "" ""
Oct 7 15:43:05 localhost haproxy[12887]: 192.168.100.153 - - [07/Oct/2015:20:43:05 +0000] "<BADREQ>" 400 188 "" "" 58169 766 "webapps-frontend~" "webapps-frontend" "<NOSRV>" -1 -1 -1 -1 26 CR-- 0 0 0 0 0 0 0 "" ""
Oct 7 15:43:06 localhost haproxy[12887]: 192.168.100.153 - - [07/Oct/2015:20:43:06 +0000] "<BADREQ>" 400 188 "" "" 58170 068 "webapps-frontend~" "webapps-frontend" "<NOSRV>" -1 -1 -1 -1 42 CR-- 0 0 0 0 0 0 0 "" ""
Oct 7 15:43:06 localhost haproxy[12887]: 192.168.100.153 - - [07/Oct/2015:20:43:06 +0000] "<BADREQ>" 400 188 "" "" 58170 068 "webapps-frontend~" "webapps-frontend" "<NOSRV>" -1 -1 -1 -1 42 CR-- 0 0 0 0 0 0 0 "" ""
Oct 7 15:43:06 localhost haproxy[12887]: 192.168.100.153 - - [07/Oct/2015:20:43:06 +0000] "GET /Product1 HTTP/1.1" 302 184 "" "" 58171 114 "webapps-frontend~" "subdomain_p1-backend" "Product1.VM0" 36 0 0 4 40 ---- 1 1 0 1 0 0 0 "" ""
Oct 7 15:43:06 localhost haproxy[12887]: 192.168.100.153 - - [07/Oct/2015:20:43:06 +0000] "GET /Product1 HTTP/1.1" 302 184 "" "" 58171 114 "webapps-frontend~" "subdomain_p1-backend" "Product1.VM0" 36 0 0 4 40 ---- 1 1 0 1 0 0 0 "" ""
===========================
Output of "haproxy -vv":
HA-Proxy version 1.5.14 2015/07/02
Copyright 2000-2015 Willy Tarreau <wi...@haproxy.org>
Build options :
TARGET = linux2628
CPU = native
CC = gcc
CFLAGS = -m64 -march=x86-64 -O2 -march=native -g -fno-strict-aliasing
OPTIONS = USE_CTTPROXY=1 USE_LIBCRYPT=1 USE_CRYPT_H=1 USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_TFO=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : yes
Built with transparent proxy support using: CTTPROXY IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
--
Sincerely,
Susheel Jalali
Coscend Communications Solutions
Web site: www(DOT)Coscend(DOT)com
------------------------------------------------------------------
CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail
Messages from Coscend Communications Solutions' posted at:
www(DOT)Coscend(DOT)com/Terms_and_Conditions.html
Date: Wed, 07 Oct 2015 09:24:39 +0200
From: Aleksandar Lazic <al-hapr...@none.at>
Hi Susheel Jalali.
#> Please can you show us the output of haproxy -vv
On 06-10-2015 22:06, Susheel Jalali wrote:
> Dear HAProxy Developers,
>
> After incorporating insights from Bryan Talbot and articles from
> Baptiste Assman on HAProxy Web site, we have been able to get the basic
> configuration of HAProxy going. Now we are adding configuration to
> access specific products in our LAN.
>
> We would like to access Product1 via URL:
> https://coscend.com:14443/Product1/
>
> Output URL from the Product1 server should be:
> https://coscend.com:14443/Product1/signin?xyz
>
> What we are getting: https://Internal_IP:14443/Product1/signin?xyz
#> Does the product have a 'proxy' setting like Tomcat?
#> http://tomcat.apache.org/tomcat-8.0-doc/proxy-howto.html
#> or something like 'public' or 'external' URL Option or Setting?
> The server presents the right page, but with internal IP address of the
> server. Hence, the product can only be accessed from internal LAN, not
> from WAN. What are we missing?
[snipp]
#> As Igor mentioned in his mail, do you have any warning messages at startup?
Cheers Aleks
On Wed, 7 Oct 2015 11:14:12 +1100 <ig...@encompasscorporation.com>
commented inline (#>):
On Wed, Oct 7, 2015 at 7:06 AM, Susheel Jalali
<susheel.jal...@coscend.com> wrote:
Dear HAProxy Developers,
After incorporating insights from Bryan Talbot and articles from
Baptiste Assman on HAProxy Web site, we have been able to get the basic
configuration of HAProxy going. Now we are adding configuration to
access specific products in our LAN.
We would like to access Product1 via URL:
https://coscend.com:14443/Product1/
Output URL from the Product1 server should be:
https://coscend.com:14443/Product1/signin?xyz
What we are getting: https://Internal_IP:14443/Product1/signin?xyz
The server presents the right page, but with internal IP address of
the server. Hence, the product can only be accessed from internal LAN,
not from WAN. What are we missing?
Below is the configuration deployed.
global
[…]
default
[…]
frontend webapps-frontend
bind *:80 name http
bind *:443 name https ssl crt /path/to/server.pem
log global
option forwardfor
option httplog clf
reqadd X-Forwarded-Proto:\ https if { ssl_fc }
reqadd X-Forwarded-Proto:\ http if !{ ssl_fc }
#http-request add-header X-Forwarded-Proto:\ https if { ssl_fc } # Don't know how to use it instead of reqadd
#http-request add-header X-Forwarded-Proto:\ http if !{ ssl_fc } # Don't know how to use it instead of reqadd
acl host_https req.hdr(Host) coscend.com:14443 # 14443 is due to port forwarding deployment
acl path_subdomain_p1 path_beg -i /Product1
use_backend subdomain_p1-backend if host_https path_subdomain_p1
backend subdomain_p1-backend
http-request set-header Host <internal_IPxx.yy.zz.ww:portpppp>
reqirep ^([^\ ]*)\ /Product1/?([^\ ]*)\ (.*)$ \1\ /Product1\2\ \3
acl hdr_location res.hdr(Location) -m found
#http-response replace-header Host (.*) %%HP if hdr_location # This is not working
rspirep ^(Location:)\ (https?://([^/]*))/(.*)$ \1\ http://\3/Product1/\4 if hdr_location
#> What happens if you move these two from the backend into the frontend section (I believe that's where they belong):
acl hdr_location res.hdr(Location) -m found
rspirep ^(Location:)\ (https?://([^/]*))/(.*)$ \1\ http://\3/Product1/\4 if hdr_location
#> Also in the rspirep you are rewriting https to http but you say the response you are seeing is still with https:
https://Internal_IP:14443/Product1/signin?xyz
#> which most probably means that condition is not working for sure.
#> In case you are serving a single domain maybe simplifying this to begin with may help:
rspirep ^(Location:)\ https?://[^/]*/(.*)$ \1\ http://coscend.com/Product1/\2 if hdr_location
#> Also any messages during haproxy startup or in the haproxy log indicating possible issues? Something along the lines of "this and this statement will never match due to bla bla".
server Product1.VM0 <internal_IPxx.yy.zz.ww:portpppp> cookie c check
Thank you.
--
Sincerely,
Susheel Jalali
www.Coscend.com
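As an added example (not from the thread or from HAProxy itself), a small Python script that applies rspirep-style regex rewrites to a constructed Location header offline, so a rewrite rule can be checked before it is deployed: it shows that the posted pattern keeps the captured internal host:port (group 3) and forces http://, while a variant that discards the captured host and substitutes the external origin does not. The internal address 10.0.0.5, the sample header, and writing HAProxy's backslash-escaped spaces as plain spaces are assumptions.

```python
import re

# Constructed sample (assumption): the Location header the Product1 server
# returns through HAProxy, carrying an internal address and plain http.
SAMPLE_LOCATION = "Location: http://10.0.0.5:14443/Product1/signin?xyz"

# Pattern and replacement from the posted rspirep rule, with HAProxy's "\ "
# escapes written as plain spaces. Group 3 captures the internal host:port and
# the replacement reuses it, so the internal address survives and the scheme
# is forced to http; a path that already begins with /Product1/ is prefixed
# with /Product1/ a second time.
ORIGINAL_PATTERN = r"^(Location:) (https?://([^/]*))/(.*)$"
ORIGINAL_REPL = r"\1 http://\3/Product1/\4"

# Variant (assumption, not the thread's own rule): discard the captured scheme
# and host and substitute the externally valid origin, keeping the server's path.
EXTERNAL_ORIGIN = "https://coscend.com:14443"
FIXED_PATTERN = r"^(Location:) https?://[^/]*/(.*)$"
FIXED_REPL = r"\1 " + EXTERNAL_ORIGIN + r"/\2"


def rewrite_location(header_line, pattern, repl):
    """Apply one rspirep-style rewrite (case-insensitive, like rspirep);
    return the line unchanged when the pattern does not match."""
    return re.sub(pattern, repl, header_line, count=1, flags=re.IGNORECASE)


def leaks_internal_origin(header_line):
    """True when an absolute Location still points somewhere other than the
    external origin. A relative Location is fine: the browser keeps the
    origin it connected to."""
    value = header_line.split(":", 1)[1].strip()
    if value.startswith("/"):
        return False
    return not value.lower().startswith(EXTERNAL_ORIGIN)


if __name__ == "__main__":
    rules = (("posted rule", ORIGINAL_PATTERN, ORIGINAL_REPL),
             ("external-origin rule", FIXED_PATTERN, FIXED_REPL))
    for name, pattern, repl in rules:
        out = rewrite_location(SAMPLE_LOCATION, pattern, repl)
        print(f"{name}: {out}  (leaks internal origin: {leaks_internal_origin(out)})")
```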