Dear Susheel Jalali.

Am 07-10-2015 23:24, schrieb Susheel Jalali:
Dear Igor and Aleks,

Thank you for your insights.  Very useful to us, as we are implementing
HAProxy for the first time.  Below we have described how we have
implemented your advise and the result. Output of "haproxy -vv" is
given at end.

We have also provided the configuration file and relevant logs.  We
would appreciate any insights to replace the internal IP address
occurring in server-response URL with the externally valid domain name
either by using the rewriting of Location and Host headers or the
complete URL, using %HP.

We would like to access Product1 via URL:
Output URL from the Product1 server should be:

what we are getting:   http://Internal_IP:14443/Product1/signin?xyz

Responses to your insights / questions

@ Aleks: Yes, Tomcat has a reverse proxy setting for our Product1. Can we
not have two reverse proxies to Product1?

Sorry I do not understand what you mean.

Have your read and understood the proxy-howto?

I assume your setup is like this.


Is this right?

Maybe you can omit apache-mod_proxy_ajp and talk http with tomcat.
Client->haproxy->tomcat-X HTTP Connector

In case that you want to deliver static content you should consider to use such a setup.

Client->haproxy->varnish->tomcat-X HTTP Connector
Client->haproxy->nginx+cache->tomcat-X HTTP Connector

Take care that you setup one of the *NIO* or *Apr* protocol handler


(1) As you rightly pointed out, we are getting http, not https

(2) As you advised, we moved these two lines from backend to frontend,
but did not find any change.

    acl hdr_location res.hdr(Location) -m found
    rspirep ^(Location:)\ (https?://([^/]*))/(.*)$    \1\
http://\3/Product1/\4 if hdr_location

Maybe you can offer (gist,download,...) some debug output from

haproxy -f ... ... -db -V'

(3) Configuration file

    log local2
    log-tag     haproxy
    chroot      /var/haproxy/lib
    pidfile     /var/run/
    user        haproxy
    group       haproxy
    nbproc      1
    maxconn     5000
    spread-checks 5
    stats socket  /var/haproxy/lib/stats

    #   SSL section
    maxsslconn     256
    tune.ssl.default-dh-param 4096
    ca-base /path/to/directory/of/server.pem

# Defaults
    mode        http
    log         global
    option      httplog
    option      forwardfor
    option      abortonclose
    option      http-server-close
    option      redispatch
    retries     3
    timeout queue           10s
    timeout client          50000ms
    timeout server          50000ms
    timeout connect         5000ms
    timeout http-keep-alive 10s
    timeout http-request    5s
    timeout check           10s
    maxconn                 50000

frontend webapps-frontend
    bind          *:80 name http
    bind          *:443 name https ssl crt /path/to/server.pem

How about to change to two frontends

frontend http-frontend
     bind          *:80 name http
     ... other frontend settings

frontend https-frontend
    bind          *:443 name https ssl crt /path/to/server.pem
    ... other frontend settings

Then you can setup the tomcat connector for https to


Please take a look at this howto.

I prefer to setup the appserver to work as expected, when it's possible, and not to do some 'magic' with the rewrites on any proxy ;-)



Output of "haproxy -vv":

HA-Proxy version 1.5.14 2015/07/02
Copyright 2000-2015 Willy Tarreau <>

Build options :
  TARGET  = linux2628
  CPU     = native
  CC      = gcc
CFLAGS = -m64 -march=x86-64 -O2 -march=native -g -fno-strict-aliasing

Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : yes
Built with transparent proxy support using: CTTPROXY IP_TRANSPARENT

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.



BR Aleks

Reply via email to