Dear Aleks,
Thank you for your continued help. As you advised, we did the
following. We would appreciate any guidance you could give to solve
this issue.
(1) We ran haproxy (1.5.14) in debug mode in two use cases for
Product1. The debug output for each case is posted below.
(2) Also, as requested, posted are the relevant parts of Tomcat web.xml
and config.xml.
(3) We are able to access another product (Product2) with similar
configuration, but the debug output does not have Location header.
Product1 Debug
Scenario 1: Right external URL shows on the address bar, but the page gives error
When we use in backend: rspirep ^Location:\ (https?://)([^:]*)(:[0-9]+)(/.*) Location:\ \4 if hdr_location
Result:
Google Chrome: ERR_TOO_MANY_REDIRECTS. The webpage at
https://coscend.com:8443/Product1/ has resulted in too many redirects.
Clearing your cookies for this site or allowing third-party cookies may
fix the problem. If not, it is possibly a server configuration issue and
not a problem with your computer.
Firefox: Firefox has detected that the server is redirecting the
request for this address in a way that will never complete. This
problem can sometimes be caused by disabling or refusing to accept cookies.
Scenario 2: Right page is served, but shows http://<internal URL:port> on the address bar
When we use in backend: rspirep ^Location:\ (https?://)([^/]*)(:[0-9]+)(.*)$ Location:\ \1coscend.com\3\4 if hdr_location
Result: It should be https://External_URL/Product1/signin?xyz
==========
Debug output
++++
Scenario 1: Right external URL shows on the address bar, but the page gives error
++++
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result FAILED
Total: 3 (2 usable), will use epoll.
00000000:webapps-frontend.accept(0006)=0009 from [192.168.100.153:57322]
00000000:webapps-frontend.clicls[0009:ffffffff]
00000000:webapps-frontend.closed[0009:ffffffff]
00000001:webapps-frontend.accept(0006)=0009 from [192.168.100.153:57323]
00000001:webapps-frontend.clireq[0009:ffffffff]: GET /Product1/ HTTP/1.1
00000001:webapps-frontend.clihdr[0009:ffffffff]: Host: coscend.com:8443
00000001:webapps-frontend.clihdr[0009:ffffffff]: Connection: keep-alive
00000001:webapps-frontend.clihdr[0009:ffffffff]: Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
00000001:webapps-frontend.clihdr[0009:ffffffff]:
Upgrade-Insecure-Requests: 1
00000001:webapps-frontend.clihdr[0009:ffffffff]: User-Agent: Mozilla/5.0
(Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/45.100.2444.201 Safari/537.36
00000001:webapps-frontend.clihdr[0009:ffffffff]: Accept-Encoding: gzip,
deflate, sdch
00000001:webapps-frontend.clihdr[0009:ffffffff]: Accept-Language:
en-US,en;q=0.8
00000001:webapps-frontend.clihdr[0009:ffffffff]: Cookie:
JSESSIONID=6CD9160AEB4B2FC16AC392BE6479F3D9;
express_sid=s%3A4wgQy_swupi3Nwxj8PS-Ly-ylGRU92iX.02vFzzzMQz51sLlz1A2A3Ecob28KL6mT79o0xS3Idmg
00000001:subdomain_p1.srvrep[0009:000a]: HTTP/1.1 302 Found
00000001:subdomain_p1.srvhdr[0009:000a]: Server: Apache-Coyote/1.1
00000001:subdomain_p1.srvhdr[0009:000a]: Location:
http://<Internal_IP:Application_Port>/Product1/
00000001:subdomain_p1.srvhdr[0009:000a]: Transfer-Encoding: chunked
00000001:subdomain_p1.srvhdr[0009:000a]: Date: Tue, 13 Oct 2015 19:10:19 GMT
00000001:subdomain_p1.srvhdr[0009:000a]: Connection: close
+++++++
Scenario 2:
+++++++
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result FAILED
Total: 3 (2 usable), will use epoll.
00000002:webapps-frontend.accept(0006)=000b from [192.168.100.153:57304]
00000000:webapps-frontend.accept(0006)=0009 from [192.168.100.153:57302]
00000002:webapps-frontend.clicls[000b:ffffffff]
00000002:webapps-frontend.closed[000b:ffffffff]
00000001:webapps-frontend.accept(0006)=000a from [192.168.100.153:57303]
00000000:webapps-frontend.clicls[0009:ffffffff]
00000000:webapps-frontend.closed[0009:ffffffff]
00000001:webapps-frontend.clicls[000a:ffffffff]
00000001:webapps-frontend.closed[000a:ffffffff]
00000003:webapps-frontend.accept(0006)=0009 from [192.168.100.153:57305]
00000003:webapps-frontend.clireq[0009:ffffffff]: GET /Product1/ HTTP/1.1
00000003:webapps-frontend.clihdr[0009:ffffffff]: Host: coscend.com:8443
00000003:webapps-frontend.clihdr[0009:ffffffff]: Connection: keep-alive
00000003:webapps-frontend.clihdr[0009:ffffffff]: Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
00000003:webapps-frontend.clihdr[0009:ffffffff]:
Upgrade-Insecure-Requests: 1
00000003:webapps-frontend.clihdr[0009:ffffffff]: User-Agent: Mozilla/5.0
(Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/45.100.2444.201 Safari/537.36
00000003:webapps-frontend.clihdr[0009:ffffffff]: Accept-Encoding: gzip,
deflate, sdch
00000003:webapps-frontend.clihdr[0009:ffffffff]: Accept-Language:
en-US,en;q=0.8
00000003:webapps-frontend.clihdr[0009:ffffffff]: Cookie:
JSESSIONID=6CD9160AEB4B2FC16AC392BE6479F3D9;
express_sid=s%3A4wgQy_swupi3Nwxj8PS-Ly-ylGRU92iX.02vFzzzMQz51sLlz1A2A3Ecob28KL6mT79o0xS3Idmg
00000003:subdomain_p1.srvrep[0009:000a]: HTTP/1.1 302 Found
00000003:subdomain_p1.srvhdr[0009:000a]: Server: Apache-Coyote/1.1
00000003:subdomain_p1.srvhdr[0009:000a]: Location:
http://<Internal_IP:Application_Port>/Product1/
00000003:subdomain_p1.srvhdr[0009:000a]: Transfer-Encoding: chunked
00000003:subdomain_p1.srvhdr[0009:000a]: Date: Tue, 13 Oct 2015 19:07:05 GMT
00000003:subdomain_p1.srvhdr[0009:000a]: Connection: close
++++++
Tomcat’s web.xml
++++++++
In web.xml, the context parameter is:
<context-param>
<param-name>globalScope</param-name>
<param-value>default</param-value>
</context-param>
and the filter mapping for the application is:
<filter-mapping>
<filter-name>Product1Application</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
++++++
Tomcat’s config.xml
++++++
<rtmphostlocal></rtmphostlocal>
<httphostlocal></httphostlocal>
<rtmpport>1937</rtmpport>
<rtmpsslport>8443</rtmpsslport>
<useSSL>no</useSSL>
<red5httpport>5081</red5httpport>
<protocol>http</protocol>
<proxyType>none</proxyType>
<currentappname>Product1</currentappname>
<webAppRootKey>Product1</webAppRootKey>
<httpRootKey>/Product1/</httpRootKey>
Thank you.
Sincerely,
--
Susheel Jalali
Coscend Communications Solutions
Web site: www(DOT)Coscend(DOT)com
------------------------------------------------------------------
CONFIDENTIALITY NOTICE: See 'Confidentiality Notice Regarding E-mail
Messages from Coscend Communications Solutions' posted at:
www(DOT)Coscend(DOT)com/Terms_and_Conditions.html
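[Editor's note, added to this thread and not part of either poster's mail: the rules above are plain regex-and-replace on one header line, so their effect can be checked offline without HAProxy. The script below re-implements the two rspirep rules from Scenario 1 and 2, Aleks' port variant from the earlier mail, and the backend reqirep rule in Python's re module (the patterns in haproxy.cfg escape spaces as "\ "; here they are written with real spaces). It uses a constructed 192.0.2.10:5080 as a stand-in for the redacted <Internal_IP:Application_Port>. Running it shows three things: the Scenario 1 rule reduces Location to the bare path "/Product1/", which the browser resolves to the very URL it just requested, so every further 302 from Tomcat is a self-redirect (the ERR_TOO_MANY_REDIRECTS symptom); the Scenario 2 rule keeps the backend's scheme and port, which is why http://coscend.com:<APPLICATION_PORT> shows up; and the reqirep rule, as written, turns "GET /Product1/ HTTP/1.1" into "GET /Product1 HTTP/1.1" (and "/Product1/signin?xyz" into "/Product1signin?xyz"), which is consistent with the 302 back to /Product1/ seen in the debug output, Tomcat's usual context-root redirect. The scheme_and_authority_fix rule is an assumption of mine, not something proposed in the thread: HAProxy 1.5 rspirep cannot use sample fetches in the replacement, so the scheme has to come from an ACL on ssl_fc, one rule per scheme.]

```python
r"""Emulate the HAProxy 1.5 reqirep/rspirep rules discussed in this thread.

req*rep/rsp*rep rules are a PCRE regex-and-replace applied to one raw
header line; the "i" variants are case-insensitive.  In haproxy.cfg a
literal space must be written as "\ "; the patterns below are the same
expressions written as Python regexes with real spaces.
"""
import re
from urllib.parse import urljoin

# Constructed stand-in for the redacted <Internal_IP:Application_Port>
# (192.0.2.0/24 is a documentation range; the real values are not on the page).
INTERNAL = "192.0.2.10:5080"
# External authority the poster wants in redirects; the thread shows 14443
# in the earlier mails and 8443 in the latest debug output.
EXTERNAL = "coscend.com:14443"
# Location header as "subdomain_p1.srvhdr" logged it, host:port aside.
OBSERVED_LOCATION = f"Location: http://{INTERNAL}/Product1/"


def hap_rep(pattern: str, replacement: str, line: str) -> str:
    """Apply one reqirep/rspirep rule (case-insensitive, \\N back-references)."""
    return re.sub(pattern, replacement, line, count=1, flags=re.IGNORECASE)


def scenario1(location: str) -> str:
    # rspirep ^Location:\ (https?://)([^:]*)(:[0-9]+)(/.*) Location:\ \4
    # Keeps only \4 (the path): scheme, host and port are all dropped.
    return hap_rep(r"^Location: (https?://)([^:]*)(:[0-9]+)(/.*)",
                   r"Location: \4", location)


def scenario2(location: str) -> str:
    # rspirep ^Location:\ (https?://)([^/]*)(:[0-9]+)(.*)$ Location:\ \1coscend.com\3\4
    # Replaces the host only; the backend's scheme (\1) and port (\3) survive.
    return hap_rep(r"^Location: (https?://)([^/]*)(:[0-9]+)(.*)$",
                   r"Location: \1coscend.com\3\4", location)


def aleks_port_fix(location: str) -> str:
    # rspirep ^Location:\ (https?://)([^/]*)(:[0-9]+)(/.*)$ Location:\ \1coscend.com:14443\4
    # Aleks' variant: external port hard-coded, backend scheme still kept.
    return hap_rep(r"^Location: (https?://)([^/]*)(:[0-9]+)(/.*)$",
                   r"Location: \1" + EXTERNAL + r"\4", location)


def scheme_and_authority_fix(location: str, ssl_fc: bool) -> str:
    # ASSUMED rule, not from the thread.  rspirep cannot read sample fetches
    # in its replacement, so the scheme is chosen by the ACL, one rule per
    # scheme (assumption: "{ ssl_fc }" is usable as a response-rule condition):
    #   rspirep ^Location:\ https?://[^/]*(/.*)$ Location:\ https://coscend.com:14443\1 if hdr_location { ssl_fc }
    #   rspirep ^Location:\ https?://[^/]*(/.*)$ Location:\ http://coscend.com:14443\1  if hdr_location !{ ssl_fc }
    scheme = "https" if ssl_fc else "http"
    return hap_rep(r"^Location: https?://[^/]*(/.*)$",
                   "Location: " + scheme + "://" + EXTERNAL + r"\1", location)


def request_rewrite(request_line: str) -> str:
    # reqirep ^([^\ ]*)\ /Product1/*([^\ ]*)\ (.*)$ \1\ /Product1\2\ \3
    # "/Product1/*" consumes every slash after the context name and the
    # replacement puts none back, so "/Product1/" reaches Tomcat as "/Product1".
    return hap_rep(r"^([^ ]*) /Product1/*([^ ]*) (.*)$",
                   r"\1 /Product1\2 \3", request_line)


def next_hop(requested_url: str, location_line: str) -> str:
    """URL a browser fetches after a 302 carrying location_line; a relative
    Location resolves against the URL it just requested (RFC 7231, 7.1.2)."""
    return urljoin(requested_url, location_line.split(":", 1)[1].strip())


if __name__ == "__main__":
    requested = "https://coscend.com:8443/Product1/"   # from the clireq/Host lines
    for name, fn in (("scenario 1", scenario1), ("scenario 2", scenario2),
                     ("Aleks' port fix", aleks_port_fix)):
        rewritten = fn(OBSERVED_LOCATION)
        print(f"{name:16} {rewritten!r:48} -> browser goes to {next_hop(requested, rewritten)}")
    print("with ssl_fc     ", scheme_and_authority_fix(OBSERVED_LOCATION, ssl_fc=True))
    print("request line    ", request_rewrite("GET /Product1/ HTTP/1.1"))
    print("deeper path     ", request_rewrite("GET /Product1/signin?xyz HTTP/1.1"))
```

Whatever rewrite is chosen on the proxy, the check that matters is the one next_hop() models: after the rule runs, the Location must resolve to a URL that is reachable from the client and different from the one that produced the 302, otherwise the browser loops. Aleks' suggestion of setting proxyName/proxyPort/scheme/secure on the Tomcat connector (or RemoteIpFilter reading the X-Forwarded-Proto the frontend already adds) makes Tomcat emit the right absolute Location itself, which removes the need for any of these regexes.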
On 10/13/15 02:31, Aleksandar Lazic wrote:
Dear Susheel Jalali.
Am 12-10-2015 22:06, schrieb Susheel Jalali:
Dear HAProxy Developer community,
We are seeking your inputs in the following issue we are facing:
We would like to access Product1 via URL:
https://coscend.com:14443/Product1/ , wherein 14443 is port forwarded by
router to 443 inside the server.
Output URL from the Product1 server should be:
https://coscend.com:14443/Product1/signin?xyz
Current set up is giving:
http://coscend.com:<APPLICATION_PORT>/Product1/signin?xyz
(1) <APPLICATION_PORT> instead of 14443 (forwarded port).
(2) http, instead of https
@Aleks
Thank you for your insights. They helped us make some progress, but we are still short of conquering the final frontier. Your guidance will be appreciated.
Setup you advised: Client -> haproxy -> Product1 app server (Tomcat),
which is talking HTTP in its standard deployment
(http://IP:port/appname) and has no custom rewriting or SSL or other
proxy (Apache or nginx).
Please can you also add the Tomcat config and web.xml.
As the content is dynamic (real-time video), we are not using Varnish.
Logs and config deployed for HAProxy 1.5.14 (stable)
We are not getting any errors in the logs, as the right Web page is
being displayed.
frontend webapps-frontend
bind *:80 name http
bind *:443 name https ssl crt /path/to/server.pem
log global
option forwardfor
option httplog clf
reqadd X-Forwarded-Proto:\ https if { ssl_fc }
reqadd X-Forwarded-Proto:\ http if !{ ssl_fc }
acl host_https req.hdr(Host) coscend.com:14443 # 14443 is due to port forwarding deployment
acl path_subdomain_p1 path_beg -i /Product1
use_backend subdomain_p1-backend if host_https path_subdomain_p1
backend subdomain_p1-backend
http-request set-header Host <internal_IPxx.yy.zz.ww:APPLICATION_PORT>
reqirep ^([^\ ]*)\ /Product1/*([^\ ]*)\ (.*)$ \1\ /Product1\2\ \3
Shouldn't the <APPLICATION_PORT> be here in the replacement?
acl hdr_location res.hdr(Location) -m found
rspirep ^Location:\ (https?://)([^/]*)(:[0-9]+)(/.*)$ Location:\ \1coscend.com\3\4 if hdr_location
Maybe I misunderstood your request, but shouldn't the port 14443 be in the replacement?
rspirep ^Location:\ (https?://)([^/]*)(:[0-9]+)(/.*)$ Location:\ \1coscend.com:14443\4 if hdr_location
But still I think you should use
https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html#Remote_IP_Filter
https://tomcat.apache.org/tomcat-8.0-doc/proxy-howto.html
https://tomcat.apache.org/tomcat-8.0-doc/config/http.html
proxyName
proxyPort
redirectPort
server Product1.VM0 <internal_IPxx.yy.zz.ww:APPLICATION_PORT> cookie c check
Output of haproxy -f … -db -V
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result FAILED
Total: 3 (2 usable), will use epoll.
Please can you post some output from -db? Thanks.
BR Aleks
Thank you.
Sincerely,
--
Susheel Jalali
Coscend Communications Solutions
Web site: www(DOT)Coscend(DOT)com
On 10/08/15 03:50, Aleksandar Lazic wrote:
Dear Susheel Jalali.
Am 07-10-2015 23:24, schrieb Susheel Jalali:
Dear Igor and Aleks,
Thank you for your insights. Very useful to us, as we are implementing HAProxy for the first time. Below we have described how we have implemented your advice and the result. Output of "haproxy -vv" is given at the end.
We have also provided the configuration file and relevant logs. We would appreciate any insights to replace the internal IP address occurring in the server-response URL with the externally valid domain name, either by rewriting the Location and Host headers or the complete URL, using %HP.
We would like to access Product1 via URL:
https://coscend.com:14443/Product1/
Output URL from the Product1 server should be:
https://coscend.com:14443/Product1/signin?xyz
what we are getting: http://Internal_IP:14443/Product1/signin?xyz
----------
Responses to your insights / questions
@ Aleks: Yes, Tomcat has a reverse proxy setting for our Product1. Can we not have two reverse proxies to Product1?
Sorry, I do not understand what you mean.
Have you read and understood the proxy-howto?
https://tomcat.apache.org/tomcat-8.0-doc/proxy-howto.html
I assume your setup is like this.
Client->haproxy->apache-mod_proxy_ajp->tomcat-X
Is this right?
Maybe you can omit apache-mod_proxy_ajp and talk http with tomcat.
Client->haproxy->tomcat-X HTTP Connector
In case you want to deliver static content, you should consider using a setup like one of these.
Client->haproxy->varnish->tomcat-X HTTP Connector
Client->haproxy->nginx+cache->tomcat-X HTTP Connector
Take care that you set up one of the *NIO* or *Apr* protocol handlers
https://tomcat.apache.org/tomcat-8.0-doc/config/http.html
@Igor,
(1) As you rightly pointed out, we are getting http, not https
(2) As you advised, we moved these two lines from backend to frontend, but did not find any change.
acl hdr_location res.hdr(Location) -m found
rspirep ^(Location:)\ (https?://([^/]*))/(.*)$ \1\ http://\3/Product1/\4 if hdr_location
Maybe you can offer (gist, download, ...) some debug output from "haproxy -f ... -db -V".
(3) Configuration file
global
log 127.0.0.1 local2
log-tag haproxy
chroot /var/haproxy/lib
pidfile /var/run/haproxy.pid
user haproxy
group haproxy
nbproc 1
maxconn 5000
spread-checks 5
daemon
#debug
stats socket /var/haproxy/lib/stats
######
# SSL section
######
maxsslconn 256
tune.ssl.default-dh-param 4096
ca-base /path/to/directory/of/server.pem
#---------------------------------------------------------------------
# Defaults
#---------------------------------------------------------------------
defaults
mode http
log global
option httplog
option forwardfor
option abortonclose
option http-server-close
option redispatch
retries 3
timeout queue 10s
timeout client 50000ms
timeout server 50000ms
timeout connect 5000ms
timeout http-keep-alive 10s
timeout http-request 5s
timeout check 10s
maxconn 50000
frontend webapps-frontend
bind *:80 name http
bind *:443 name https ssl crt /path/to/server.pem
How about changing to two frontends?
###
frontend http-frontend
bind *:80 name http
... other frontend settings
frontend https-frontend
bind *:443 name https ssl crt /path/to/server.pem
... other frontend settings
###
Then you can setup the tomcat connector for https to
secure="true"
Please take a look at this howto.
https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
I prefer to set up the appserver to work as expected, when it's possible, and not to do some 'magic' with the rewrites on any proxy ;-)
[snipp]
===========================
Output of "haproxy -vv":
HA-Proxy version 1.5.14 2015/07/02
Copyright 2000-2015 Willy Tarreau <[email protected]>
Build options :
TARGET = linux2628
CPU = native
CC = gcc
CFLAGS = -m64 -march=x86-64 -O2 -march=native -g -fno-strict-aliasing
OPTIONS = USE_CTTPROXY=1 USE_LIBCRYPT=1 USE_CRYPT_H=1 USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_TFO=1
Default settings :
maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : yes
Built with transparent proxy support using: CTTPROXY IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Available polling systems :
epoll : pref=300, test result OK
poll : pref=200, test result OK
select : pref=150, test result OK
Total: 3 (3 usable), will use epoll.
Thanks.
[snipp]
BR Aleks