On 31/03/17 at 20:26, Lukas Tribus wrote:
> Hello Antonio,
>
>
> On 31.03.2017 at 19:36 Antonio Trujillo Carmona wrote:
>> On 30/03/17 at 10:51:58, Antonio Trujillo Carmona wrote:
>>
>>> I'm trying to use haproxy for balancing Citrix.
>>>
>>> I tried with:
>>>
>>> acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
>>> acl citrixsf req_ssl_sni -i ssiiprovincial.hvn.sas.junta-andalucia.es
>>>
>>> use_backend CitrixSF-SSL if citrixsf
>>> use_backend SevidoresWeblogic-12c-Balanceador-SSL
>>> default_backend CitrixSF-SSL
>>>
>>> The goal is that Wpx, which can't use SNI, are redirected to CitrixSF-SSL.
>
> You did not tell us what Wpx is. We also don't know your complete
> configuration.
>
> Please post the complete configuration and the output of haproxy -vv.
>
>
>
>>>
>>> I tried commenting acl req_ssl_sni (right now, I have no Wpx to test)
>>> but
>>> I receive Error-404 Not Found.
>
> With that statement I don't know which of the above lines you
> commented. Can
> you explain?
>
> Haproxy never generates a "404 Not found" message, this comes from one
> of your
> backends.
>
>
>
>>
>> The issue of getting a different result when being redirected from a use_backend or
>> from default_backend occurs on all equipment, Windows XP, 7 or even on
>> Linux.
>> I can't understand it.
>
> I don't understand what you are saying. I suggest you explain in a few
> sentences
> what you expect from haproxy, and then, explain what the actual result
> is.
>
>
>
> Lukas
>

It's well documented that Windows XP with Internet Explorer doesn't support SNI, so I try to redirect calls through "default_backend", but I get ERROR-404; it works fine with all other combinations of OS/browser.
If I (only for test purposes) comment the four lines with "ssiiprovincial" (which means all the traffic must be redirected through default_backend) it doesn't work with any OS/browser.
# haproxy -vv
HA-Proxy version 1.5.18 2016/05/10
Copyright 2000-2016 Willy Tarreau <[email protected]>

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.
This is my configuration file:

#########################################################
# HAPROXY configuration file
#########################################################
global
    # This log is specific to RED HAT based systems
    log 127.0.0.1 local2 debug
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon
    node BALANCEADOR-PRINCIPAL

# to synchronize the session tables
peers pares
    # disable
    peer gr43stemis01 10.107.20.7:1024
    peer gr43stemis02 10.107.20.8:1024

defaults
    log global
    mode http
    option dontlognull
    option httpchk
    retries 3
    option redispatch
    maxconn 5000
    timeout connect 5s
    timeout client 15min
    timeout server 15s

frontend Estadisticas
    bind *:80
    option httplog
    mode http
    stats show-node
    stats enable
    # Option to redirect requests arriving over http to https
    # it can only be placed in this frontend
    redirect scheme https if !{ ssl_fc }

frontend Aplicaciones
    bind *:443
    mode tcp
    log global
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Parameters to use SNI (Server Name Indication)
    acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
    acl citrixsf req_ssl_sni -i ssiiprovincial.gra.sas.junta-andalucia.es
    acl citrixsf req_ssl_sni -i ssiiprovincial01.gra.sas.junta-andalucia.es
    acl citrixsf req_ssl_sni -i ssiiprovincial.hvn.sas.junta-andalucia.es
    acl citrixsf req_ssl_sni -i ssiiprovincial01.hvn.sas.junta-andalucia.es
    use_backend CitrixSF-SSL if citrixsf
    use_backend SevidoresWeblogic-12c-Balanceador-SSL
    default_backend CitrixSF-SSL

#### BACKEND FOR THE WEBLOGIC PRE-PRODUCTION SSL SERVERS #####
#backend SevidoresWeblogic-12c-Balanceador-SSL
backend SevrWlogSSL
    mode tcp
    balance source
    hash-type consistent
    # maximum SSL session ID length is 32 bytes.
    # stick-table type binary len 32 size 30k expire 30m
    # acl clienthello req_ssl_hello_type 1
    # acl serverhello rep_ssl_hello_type 2
    # use tcp content accepts to detect ssl client and server hello.
    # tcp-request inspect-delay 5s
    # tcp-request content accept if clienthello
    # no timeout on response inspect delay by default.
    # tcp-response content accept if serverhello
    # stick on payload_lv(43,1) if clienthello
    # Learn on response if server hello.
    # stick store-response payload_lv(43,1) if serverhello
    # Health check using the in-house application testwebwls
    option httpchk GET /testwebwls/check
    # Current managed servers in Weblogic; in this particular case the check is done on a port other than the SSL one
    server SSL-ServerManager1-nodo1 10.105.15.112:44301 check port 8001
    server SSL-ServerManager2-nodo2 10.105.15.113:44302 check port 8002
    server SSL-ServerManager3-nodo1 10.105.15.112:44303 check port 8003
    server SSL-ServerManager4-nodo2 10.105.15.113:44304 check port 8004

#### BACKEND FOR THE CITRIXSF PRODUCTION SERVERS #####
### TEST URL https://10.107.20.9/Citrix/CHUGranadaWeb/ ################
backend CitrixSF-SSL
    mode tcp
    # balance source
    hash-type consistent
    # maximum SSL session ID length is 32 bytes.
    stick-table type binary len 32 size 30k expire 30m peers pares
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2
    # use tcp content accepts to detect ssl client and server hello.
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello
    # no timeout on response inspect delay by default.
    tcp-response content accept if serverhello
    stick on payload_lv(43,1) if clienthello
    # Learn on response if server hello.
    stick store-response payload_lv(43,1) if serverhello
    option ssl-hello-chk
    # List of current servers with Citrix SF
    server CitrixSF01 10.105.15.200:443 check
    server CitrixSF02 10.105.15.214:443 check
    server CitrixSF03 10.104.12.17:443 check

--
Antonio Trujillo Carmona
Network and systems technician.
Deputy Directorate of Information and Communication Technologies
Servicio Andaluz de Salud. Consejería de Salud de la Junta de Andalucía
[email protected]
Tel. +34 670947670 747670)
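Added example, not part of the original thread: the Aplicaciones frontend rewritten so that clients sending no SNI (Internet Explorer on Windows XP) actually fall through to default_backend, using the ACL and backend names from the posted configuration. A use_backend line without an if/unless condition is an unconditional rule, so in the posted frontend the WebLogic rule catches everything the citrixsf ACL did not and default_backend is never consulted; the example assumes the file is /etc/haproxy/haproxy.cfg.

```haproxy
# Added example: SNI routing with a working fallback for non-SNI clients.
# Validate before reloading:  haproxy -c -f /etc/haproxy/haproxy.cfg  (path assumed)

frontend Aplicaciones
    bind *:443
    mode tcp
    log global

    # Hold the connection until the TLS ClientHello has arrived (at most 5 s).
    # A client that never sends a ClientHello is dropped when the delay expires,
    # so req_ssl_sni is only evaluated on real TLS handshakes.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    # SNI matching; -i makes the comparison case-insensitive.
    acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
    acl citrixsf     req_ssl_sni -i ssiiprovincial.gra.sas.junta-andalucia.es
    acl citrixsf     req_ssl_sni -i ssiiprovincial01.gra.sas.junta-andalucia.es
    acl citrixsf     req_ssl_sni -i ssiiprovincial.hvn.sas.junta-andalucia.es
    acl citrixsf     req_ssl_sni -i ssiiprovincial01.hvn.sas.junta-andalucia.es

    # Every use_backend carries a condition. The posted config had
    #     use_backend SevidoresWeblogic-12c-Balanceador-SSL
    # with no "if": an unconditional rule matches every connection the
    # previous rule did not, so default_backend was unreachable and non-SNI
    # clients ended up on the WebLogic backend (which answered 404).
    # The backend is named SevrWlogSSL in the posted file, so that name is
    # used here; use_backend must reference a backend that actually exists.
    use_backend CitrixSF-SSL if citrixsf
    use_backend SevrWlogSSL  if aplicaciones

    # Reached only by connections matching no ACL: a ClientHello without
    # SNI, or an SNI this frontend does not know. Be deliberate about which
    # service receives that unknown traffic.
    default_backend CitrixSF-SSL
```

The commented-out four-line test from the thread (removing every citrixsf ACL) would, under this frontend, send all Citrix hostnames to default_backend as intended, because no unconditional rule sits in front of it.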

