You have stats bound to all interfaces, all addresses, on port 8080.
So when your spark redirect sends you to "8080" you get stats instead
of what you expect.

There are 2 options here, really.

#1) Fix your spark app config, to stop trying to redirect you to a
specific port.

#2) Have your stats listen on a specific frontend or backend, so
it's not accessible everywhere.

For instance, I do something like this:

backend be_lbstats
  # <... your normal backend stuff>
  stats enable
  # Make sure this doesn't overlap a legit path/URI on the backend
  stats uri /haproxy-stats


Now you can only access your stats page over whatever frontend/backend
combo you've configured. In my case, the frontend is the https
listener, and the backend is some "admin" type things blocked by some
ACLs.
So now I access the stats via something like:
https://admin.example.com/haproxy-stats

Hope this helps.




On Wed, Apr 20, 2016 at 2:45 PM, Shawn Heisey <[email protected]> wrote:
> I have this in my config:
>
> listen stats 0.0.0.0:8080
>         description The stats listener.
>         stats uri /
>
> Elsewhere in my config I have something that will redirect http requests
> to the hostname spark.REDACTED.com over to https, which is not anything
> unusual.  The IP address for this hostname is a VIP that is handled with
> pacemaker.
>
> The problem is that if I try to go to http://spark.REDACTED.com:8080/
> ... this is redirected to https://spark.REDACTED.com:8080/ ... and I get
> this in the log:
>
> Apr 20 12:26:54 localhost haproxy[6629]: 10.2.0.108:49435
> [20/Apr/2016:12:26:54.617] stats stats/<NOSRV> -1/-1/-1/-1/0 400 187 - -
> PR-- 3/0/0/0/1 0/0 "<BADREQ>"
>
> The entire config for the listener is above -- no redirection.  There is
> nothing else in the config or on the machine that listens on port 8080.
>
> What have I done wrong?  I have another haproxy pair that doesn't do
> this, running the same version with similar HTTPS redirects.  I don't
> see any differences in the config that might cause this.
>
> I can access the stats URL using the actual machine hostname, but if the
> machine fails and pacemaker moves everything to the other machine, that
> won't work.  I want to be able to give our staff a URL that will work
> regardless of which machine in the load balancer pair is active.
>
> Thanks,
> Shawn
>
>
> ------------------
>
> HA-Proxy version 1.5.12 2015/05/02
> Copyright 2000-2015 Willy Tarreau <[email protected]>
>
> Build options :
>   TARGET  = linux2628
>   CPU     = native
>   CC      = gcc
>   CFLAGS  = -O2 -march=native -g -fno-strict-aliasing
>   OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_PCRE=1
>
> Default settings :
>   maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200
>
> Encrypted password support via crypt(3): yes
> Built with zlib version : 1.2.8
> Compression algorithms supported : identity, deflate, gzip
> Built with OpenSSL version : OpenSSL 1.0.2a 19 Mar 2015
> Running on OpenSSL version : OpenSSL 1.0.2a 19 Mar 2015
> OpenSSL library supports TLS extensions : yes
> OpenSSL library supports SNI : yes
> OpenSSL library supports prefer-server-ciphers : yes
> Built with PCRE version : 8.31 2012-07-06
> PCRE library supports JIT : no (USE_PCRE_JIT not set)
> Built with transparent proxy support using: IP_TRANSPARENT
> IPV6_TRANSPARENT IP_FREEBIND
>
> Available polling systems :
>       epoll : pref=300,  test result OK
>        poll : pref=200,  test result OK
>      select : pref=150,  test result OK
> Total: 3 (3 usable), will use epoll.
>
> Linux lb3 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014
> x86_64 x86_64 x86_64 GNU/Linux
>
>



-- 
Jeff Palmer
https://PalmerIT.net
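
The point made in the reply above, as an added example that is not part of the original thread: a small Python check that parses an HAProxy configuration and reports every section that serves the stats page while listening on a wildcard address. The sample configuration is constructed from the two snippets in the thread; the `fe_https` frontend, its address 192.0.2.10 and the certificate path are assumptions.

```python
KINDS = {"global", "defaults", "listen", "frontend", "backend", "userlist", "peers"}
# Address parts that mean "every local address" in a listen/bind spec.
WILDCARDS = {"", "*", "0.0.0.0", "::", "[::]"}

# Constructed sample: the listener from the question plus the layout from the reply.
SAMPLE = """\
listen stats 0.0.0.0:8080
    description The stats listener.
    stats uri /

frontend fe_https
    bind 192.0.2.10:443 ssl crt /etc/haproxy/example.pem
    use_backend be_lbstats if { hdr(host) -i admin.example.com }

backend be_lbstats
    stats enable
    stats uri /haproxy-stats
"""

def wildcard_stats_listeners(config_text):
    """Return [(section, "addr:port"), ...] for each section that serves the
    stats page and listens on a wildcard address."""
    sections, cur = [], None
    for raw in config_text.splitlines():
        words = raw.split("#", 1)[0].split()  # naive comment strip, ignores quoting
        if not words:
            continue
        if words[0] in KINDS:
            name = words[1] if len(words) > 1 else words[0]
            cur = {"name": name, "binds": [], "stats": False}
            # Legacy 1.x form carries the address on the section line itself.
            if words[0] == "listen" and len(words) > 2:
                cur["binds"].append(words[2])
            sections.append(cur)
        elif cur is not None:
            if words[0] == "bind" and len(words) > 1:
                cur["binds"].extend(words[1].split(","))
            elif words[:2] in (["stats", "enable"], ["stats", "uri"]):
                cur["stats"] = True  # either directive turns the stats page on
    findings = []
    for sec in sections:
        for spec in (sec["binds"] if sec["stats"] else []):
            addr, sep, _port = spec.rpartition(":")
            if sep and addr in WILDCARDS:  # no ":" means a socket path, skip it
                findings.append((sec["name"], spec))
    return findings

if __name__ == "__main__":
    print(wildcard_stats_listeners(SAMPLE))
```

The `be_lbstats` backend is not reported because it has no listener of its own and is reachable only through a frontend that routes to it.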
