Hi Aleks,
Thanks for the info.
Some of the default config we corrected in the prod.
Let me clarify what's working and what's not working for us with option http-proxy.
Config:
```
listen http_proxy-1000
    bind *:1000
    mode http
    option httplog
    http-request set-uri http://%[url_param(redirHost)]%[capture.req.uri]
    option http_proxy
```
reqUrl:
http://<haproxyhost>:1000/test/health.txt?redirHost:<destinationServer>:<port>
This gets converted to:
http://<destinationServer>:<port>/test/health.txt?redirHost:<destinationServer>:<port>
With this config the log still says <noserv>, but option http_proxy will route to the updated URL and I get 200 OK.
This is our intended behavior and works fine.
What's not working for us is if we have to do this for https:
```
listen http_proxy-1000
    bind *:1000 ssl test.pem
    mode http
    option httplog
    http-request set-uri https://%[url_param(redirHost)]%[capture.req.uri]
    option http_proxy
```
Hope this helps.
Thanks,
Praveen.
-----Original Message-----
From: Aleksandar Lazic [mailto:[email protected]]
Sent: Tuesday, May 08, 2018 4:55 PM
To: UPPALAPATI, PRAVEEN <[email protected]>; [email protected]
Subject: 502 Bad Gateway
Hi.
Looks like there is some confusion about your question.
Let me try to summarize what I think that you could mean.
Am 08.05.2018 um 16:22 schrieb UPPALAPATI, PRAVEEN:
> Hi Aleks,
>
> Sorry I missed the group.
>
> My Full Config:
>
> #---------------------------------------------------------------------
> # Example configuration for a possible web application. See the
> # full configuration options online.
> #
> #
> http://haproxy.1wt.eu/download/1.3/doc/configuration.txt
>
This should be
https://www.haproxy.org/download/1.8/doc/configuration.txt
or
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html
> #---------------------------------------------------------------------
>
> #---------------------------------------------------------------------
> # Global settings
> #---------------------------------------------------------------------
> global
> log 127.0.0.1:514 local0 info alert
> log 127.0.0.1:514 local2 info alert
> maxconn 20000
> user haproxy
> group haproxy
> daemon
> nbthread 4
> ssl-server-verify none
>
> tune.ssl.default-dh-param 2048
>
>
>
> #---------------------------------------------------------------------
> # common defaults that all the 'listen' and 'backend' sections will
> # use if not designated in their block
> #---------------------------------------------------------------------
> defaults
>
> log global
> mode http
> option dontlognull
> rate-limit sessions 6000
> timeout connect 300000 # default 10 second time out if a backend is not found
The comment is not true.
The current timeout is 300s
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#2.4
> timeout client 6600000
> timeout server 6600000
This is 110m ~ 1.8 hours
> option http-server-close
> maxconn 20000
> retries 3
>
>
> listen http_proxy-1000
> bind *:1000
> mode http
> option httplog
> http-request set-uri https://%[url_param(redirHost)]%[capture.req.uri]
>
> option http_proxy
> #---------------------------------------------------------------------
I miss here the server line.
> I also tried :
>
> listen http_proxy-1000
> bind *:1000 ssl crt certs.pem
> mode http
> option httplog
> http-request set-uri https://%[url_param(redirHost)]%[capture.req.uri]
>
> option http_proxy
Same here.
I tried also both configs and have the same result '<NOSRV>' as you have.
Your line
>> http-9876~ bk_9876/<NOSRV> 0/0/1/-1/2 502 211 - - PH-- 1/1/0/0/0 0/0 "GET /test/test.txt?idnsredirHost=<destinationhost>:5300 HTTP/1.1"
>>
My Test
###
May 8 22:52:54 app001 haproxy[5141]: Proxy http_proxy-1000 started.
May 8 22:52:59 app001 haproxy[5141]: 127.0.0.1:52046 [08/May/2018:22:52:59.177] http_proxy-1000 http_proxy-1000/<NOSRV> -1/-1/-1/-1/0 400 187 - - PR-- 1/1/0/0/3 0/0 "GET /test/test.txt?Host=www.google.com:80 HTTP/1.1"
###
I think that you need at least ONE server line.
I assume you want to set the destination server dynamically based on the query parameter 'Host|idnsredirHost|redirHost'; it's not clear which parameter you want, as Shawn mentioned.
Maybe you can take a look into the following links.
https://discourse.haproxy.org/t/dynamic-server-selection/149/2
https://www.egnyte.com/blog/2017/04/dynamic-backends-in-haproxy-with-lua/
Is this what you need?
>> HAProxy Version :
>
> //opt/app/haproxy/sbin/haproxy -vv
> HA-Proxy version 1.8.4-1deb90d 2018/02/08
[snipp]
>> Was the acl below helpful?
> Yes and also wanted to know if there is a way to print o/p of : hdr_beg(host)
> for debug purposes
You can capture the host header; the captured one will be displayed in the logs.
I don't think that you can get only the result of `hdr_beg(host)` easily; maybe I'm wrong.
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-capture%20request%20header
Config:
```
capture request header Host len 15
```
```
ubuntu@app001:~$ curl -v 'http://localhost:1000/test/test.txt?Host=www.google.com:80'
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 1000 (#0)
> GET /test/test.txt?Host=www.google.com:80 HTTP/1.1
> Host: localhost:1000
> User-Agent: curl/7.47.0
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 400 Bad request
< Cache-Control: no-cache
< Connection: close
< Content-Type: text/html
<
<html><body><h1>400 Bad request</h1>
Your browser sent an invalid request.
</body></html>
* Closing connection 0
ubuntu@app001:~$ fg
sudo tail -f /var/log/haproxy.log
May 8 23:37:54 app001 haproxy[8804]: Proxy http_proxy-1000 started.
May 8 23:37:58 app001 haproxy[8804]: 127.0.0.1:35988 [08/May/2018:23:37:58.074] http_proxy-1000 http_proxy-1000/<NOSRV> -1/-1/-1/-1/0 400 187 - - PR-- 1/1/0/0/3 0/0 {localhost:1000} "GET /test/test.txt?Host=www.google.com:80 HTTP/1.1"
```
Best regards
Aleks
> Thanks,
> Praveen.
>
> -----Original Message-----
> From: Aleksandar Lazic [mailto:[email protected]]
> Sent: Tuesday, May 08, 2018 7:40 AM
> To: UPPALAPATI, PRAVEEN <[email protected]>; [email protected]
> Subject: Re: 502 Bad Gateway
>
> Hi.
>
> Please post only to the mailing list, thanks.
> Please keep the mailing list in the mail loop => "Answer all".
>
> Am 08.05.2018 um 07:25 schrieb UPPALAPATI, PRAVEEN:
>> Hi Haproxy-Team,
>>
>> I have the following configuration:
>>
>> listen http_proxy-1000
>> bind *:1000
>> mode http
>> option httplog
>> http-request set-uri https://%[url_param(redirHost)]%[capture.req.uri]
>>
>> option http_proxy
>
> This isn't the whole config, is it?
>
> The 'url_param' does not match the request below, afais.
>
> Please can you answer the following questions.
>
> Which HAProxy Version do you use?
> What's the whole HAProxy config?
> Was the acl below helpful?
>
> Regards
> Aleks
>
>> If I issue a request to that port :
>>
>> https://<haproxyHost>:1000/test/test.txt?Host=<desthost>:8093
>>
>> I get <BadReq>
>>
>> If I add ssl termination to the config:
>>
>> listen http_proxy-1000
>> bind *:1000 ssl test.pem
>> mode http
>> option httplog
>> http-request set-uri https://%[url_param(redirHost)]%[capture.req.uri]
>>
>> option http_proxy
>>
>>
>> I get :
>> http-9876~ bk_9876/<NOSRV> 0/0/1/-1/2 502 211 - - PH-- 1/1/0/0/0 0/0 "GET /test/test.txt?idnsredirHost=<destinationhost>:5300 HTTP/1.1"
>>
>> I have also set :
>>
>> ssl-server-verify none
>>
>> @global still no luck.
>>
>> Let me know if I am missing anything .
>>
>> Thanks,
>> Praveen.
>>
>>
>> -----Original Message-----
>> From: Aleksandar Lazic [mailto:[email protected]]
>> Sent: Tuesday, May 01, 2018 7:22 AM
>> To: UPPALAPATI, PRAVEEN <[email protected]>; Willy Tarreau <[email protected]>
>> Cc: Olivier Houchard <[email protected]>; [email protected]
>> Subject: Re: Logging Question
>>
>> Hi.
>>
>> Am 30.04.2018 um 19:05 schrieb UPPALAPATI, PRAVEEN:
>>>
>>> Hi Willy/Oliver,
>>>
>>> One small question:
>>>
>>> When I capture the header it's returning xxxx.com in the log but when I
>>> perform Get on xxxx.com:1000 it is not matching the following configuration.
>>>
>>> frontend http-1000
>>> bind *:1000
>>> option httplog
>>> capture request header Host len 20
>>> acl is_east hdr(host) -i xxxx.com
>>
>> Maybe this helps?
>>
>> acl is_east hdr_beg(host) -i xxxx.com
>>
>>> use_backend east_bk_1000_read if is_east
>>>
>>> My question is how can I print o/p of hdr(host) & is_east to log?
>>>
>>> Appreciate your help.
>>>
>>> Thanks,
>>> Praveen.
>>
>> Regards
>> Aleks
>>
>
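
An added example, not part of the original thread: a small Python decoder for the `option httplog` lines quoted above, showing what `<NOSRV>`, the `-1` timers and the `PR--`/`PH--` termination flags record. The flag tables are abridged from the HAProxy documentation; the function and variable names are this example's own.

```python
import re

# Core of an "option httplog" line, matched from the frontend name onward so
# that full syslog lines and the truncated lines quoted in the thread both parse.
LOG_RE = re.compile(
    r'(?P<frontend>\S+) (?P<backend>[^\s/]+)/(?P<server>\S+) '
    r'(?P<timers>(?:[+-]?\d+/){4}[+-]?\d+) (?P<status>\d{3}) \+?\d+ '
    r'\S+ \S+ (?P<term>\S{4}) (?:\d+/){4}\+?\d+ \d+/\d+ '
    r'(?:\{(?P<captures>[^}]*)\} )?"(?P<request>[^"]*)"'
)
# Abridged from "Session state at disconnection" in the HAProxy documentation.
CAUSE = {"-": "normal", "C": "aborted by client", "S": "aborted by server",
         "P": "aborted by the proxy itself", "c": "client timeout", "s": "server timeout"}
STATE = {"-": "normal", "R": "waiting for a complete, valid request",
         "Q": "waiting in queue", "C": "waiting for the server connection",
         "H": "waiting for valid response headers", "D": "data phase"}
TIMERS = ("TR", "Tw", "Tc", "Tr", "Ta")  # HAProxy 1.8 names; -1 = phase never reached

def parse_httplog(line):
    """Decode one httplog line into a dict; return None if it does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    term, caps = m.group("term"), m.group("captures")
    return {
        "frontend": m.group("frontend").rstrip("~"),
        "tls": m.group("frontend").endswith("~"),      # "~" marks a TLS client connection
        "backend": m.group("backend"),
        "no_server": m.group("server") == "<NOSRV>",   # no server was selected
        "status": int(m.group("status")),
        "timers": dict(zip(TIMERS, map(int, m.group("timers").split("/")))),
        "cause": CAUSE.get(term[0], "other (%s)" % term[0]),
        "state": STATE.get(term[1], "other (%s)" % term[1]),
        "captures": caps.split("|") if caps else [],
        "request": m.group("request"),
    }

# The two log lines from the thread, rejoined onto single lines.
SAMPLES = [
    'http-9876~ bk_9876/<NOSRV> 0/0/1/-1/2 502 211 - - PH-- 1/1/0/0/0 0/0 '
    '"GET /test/test.txt?idnsredirHost=<destinationhost>:5300 HTTP/1.1"',
    'May  8 23:37:58 app001 haproxy[8804]: 127.0.0.1:35988 [08/May/2018:23:37:58.074] '
    'http_proxy-1000 http_proxy-1000/<NOSRV> -1/-1/-1/-1/0 400 187 - - PR-- 1/1/0/0/3 0/0 '
    '{localhost:1000} "GET /test/test.txt?Host=www.google.com:80 HTTP/1.1"',
]

if __name__ == "__main__":
    print(*map(parse_httplog, SAMPLES), sep="\n")
```

Filtering a log on `no_server` together with the `cause` and `state` fields separates requests HAProxy rejected itself from those that reached a destination.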