Dear HAProxy Community,
Your guidance on the following issue we are facing would be appreciated.
CONTEXT
----------
We are running two versions of our application--APP-3.3.0 and APP-3.3.2--on
the same server and same environment. Both the APPs are running perfectly
if we directly access them, while bypassing HAProxy.
ISSUE
---------
While accessing these APPs through HAProxy,
1. APP-3.3.0: HAProxy is capturing JSESSIONID in logs.
2. APP-3.3.2: HAProxy is NOT capturing JSESSIONID in logs.
QUESTION
----------------
Could you please advise how HAProxy captures application session cookies?
Is the capture portion of our HAProxy config below incorrect?
Or, is there a problem with our APP-3.3.2?
Thank you.
=========LOGS and CONFIG PARAMETERS=============
HAProxy logs
-----------------
APP-3.3.0: HAProxy captures JSESSIONID in each log line.
Sep 21 13:36:07 localhost haproxy[10415]: 192.168.100.152:56085 [21/Sep/2017:13:36:07.914] webapps-frontend~ subdomain-backend/APP-3.3.0 0/0/0/3/10 200 86916 JSESSIONID=66BC3A6F228503A5D39F4B8E6F1FF951 - ---- 6/6/0/0/0 0/0 {<ourdomain>.com||https://<ourdomain>.com/Co} {|86575|max-age=||||||||||cache|||||} "GET /APP-3.3.0/wicket/resource/org.apache.wicket.resource.JQueryResourceReference/jquery/jquery-3.2.1-ver-3B390F5614B3789CE71FFA5C856AA35E.js HTTP/1.1"
APP-3.3.2: JSESSIONID is missing in the majority of the log lines.
Sep 21 13:39:23 localhost proxy-server[10517]: 192.168.100.152:56391 [21/Sep/2017:13:39:23.450] webapps-frontend~ subdomain-backend/APP-3.3.2 0/0/1/4/8 200 86916 - - ---- 6/6/0/0/0 0/0 {<ourdomain>.com||https://<ourdomain>.com/Co} {|86575|max-age=||||||||||cache|||||} "GET /APP-3.3.2/wicket/resource/org.apache.wicket.resource.JQueryResourceReference/jquery/jquery-3.2.1-ver-3B390F5614B3789CE71FFA5C856AA35E.js HTTP/1.1"
HAProxy 1.7.9 config (Relevant portion)
======================
.
frontend webapps-frontend
.
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header X-Forwarded-Proto https if { ssl_fc }
### Logging options
option httplog
log global
#option logasap
capture cookie JSESSIONID len 124
capture request header Host len 64
capture request header Content-Length len 10
capture request header Referer len 32
capture response header Server len 20
capture response header Content-Length len 10
capture response header Cache-Control len 8
capture response header Via len 20
capture response header Location len 20
capture response header X-Backend-Server-Name len 20
capture response header Content-Security-Policy len 128
capture response header Strict-Transport-Security len 64
capture response header X-Frame-Options len 32
capture response header X-XSS-Protection len 32
capture response header X-Content-Type-Options len 32
capture response header Referrer-Policy len 32
capture response header Pragma len 32
capture response header Transfer-Encoding len 32
capture response header Access-Control-Allow-Origin len 32
capture response header Access-Control-Allow-Headers len 32
capture response header Access-Control-Allow-Methods len 32
capture response header Access-Control-Allow-Credentials len 20
backend subdomain-backend
http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
http-response set-header X-Frame-Options "SAMEORIGIN" # or "DENY"
http-response set-header X-XSS-Protection "1; mode=block"
http-response set-header X-Content-Type-Options "nosniff"
http-response set-header Referrer-Policy "no-referrer-when-downgrade"
http-response set-header Pragma "no-cache" #Deprecated, only for backwards compatibility with HTTP/1.0 clients.
http-response set-header Cache-Control "nocache, no-store"
http-response set-header Access-Control-Allow-Origin "*" #"%%{AccessControlAllowOrigin} env=AccessControlAllowOrigin"
http-response set-header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, X-CSRF-Token, X-XSRF-TOKEN"
http-response set-header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
http-response set-header Access-Control-Allow-Credentials "true"
http-response set-header X-Backend-Server-Name %s
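In `option httplog` lines like the ones above, the two fields after the byte count are the captured request cookie (sent by the client in `Cookie:`) and the captured response cookie (sent by the server in `Set-Cookie:`), each `-` when absent. As an added example, not part of the original message, this Python sketch tallies both per server; the function names and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Field order of "option httplog": after the byte count come the captured
# request cookie and the captured response cookie, each "-" when absent.
HTTPLOG = re.compile(
    r"\S+\[\d+\]: (?P<client>\S+) \[(?P<accept>[^\]]+)\] (?P<frontend>\S+) "
    r"(?P<backend>[^/\s]+)/(?P<server>\S+) (?P<timers>[-+\d/]+) "
    r"(?P<status>-?\d+) (?P<bytes>\+?\d+) "
    r"(?P<req_cookie>\S+) (?P<res_cookie>\S+) (?P<term>\S{4}) "
)

# Constructed sample lines (made-up addresses, cookie values and paths).
SAMPLE_LOG = [
    'Sep 21 13:36:07 localhost haproxy[10415]: 192.0.2.10:56085 [21/Sep/2017:13:36:07.914] webapps-frontend~ subdomain-backend/APP-3.3.0 0/0/0/3/10 200 86916 JSESSIONID=AAAA1111 - ---- 6/6/0/0/0 0/0 {example.com||} {|86916|} "GET /APP-3.3.0/a.js HTTP/1.1"',
    'Sep 21 13:36:08 localhost haproxy[10415]: 192.0.2.10:56086 [21/Sep/2017:13:36:08.100] webapps-frontend~ subdomain-backend/APP-3.3.0 0/0/0/5/9 200 512 - JSESSIONID=BBBB2222 ---- 6/6/0/0/0 0/0 {example.com||} {|512|} "GET /APP-3.3.0/ HTTP/1.1"',
    'Sep 21 13:39:23 localhost proxy-server[10517]: 192.0.2.10:56391 [21/Sep/2017:13:39:23.450] webapps-frontend~ subdomain-backend/APP-3.3.2 0/0/1/4/8 200 86916 - - ---- 6/6/0/0/0 0/0 {example.com||} {|86916|} "GET /APP-3.3.2/a.js HTTP/1.1"',
    'Sep 21 13:39:24 localhost proxy-server[10517]: malformed line',
]

def parse_line(line):
    """Return the httplog fields of one line as a dict, or None if it does not match."""
    m = HTTPLOG.search(line)
    return m.groupdict() if m else None

def cookie_coverage(lines):
    """Per server: total requests, requests carrying the cookie, responses setting it."""
    stats = defaultdict(lambda: {"total": 0, "req_cookie": 0, "res_cookie": 0})
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:  # not an httplog line (startup message, truncated line, ...)
            unparsed += 1
            continue
        s = stats[rec["server"]]
        s["total"] += 1
        s["req_cookie"] += rec["req_cookie"] != "-"
        s["res_cookie"] += rec["res_cookie"] != "-"
    return dict(stats), unparsed

if __name__ == "__main__":
    per_server, skipped = cookie_coverage(SAMPLE_LOG)
    for server, s in sorted(per_server.items()):
        print(f"{server}: {s['req_cookie']}/{s['total']} requests sent the cookie, "
              f"{s['res_cookie']}/{s['total']} responses set it")
    print(f"unparsed lines: {skipped}")
```

A server whose responses never show the cookie in the second field and whose requests never show it in the first points at the application's `Set-Cookie` (name, `Path`, `Secure`) rather than at the `capture cookie` line.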