Hi Praveen.
Am 09-05-2018 00:25, schrieb UPPALAPATI, PRAVEEN:
Hi Aleks,
Thanks for the info.
Some of the default config we corrected in the prod.
Let me clarify what's working and what's not working for us with
option http-proxy
Config:
listen http_proxy-1000
bind *:1000
mode http
option httplog
http-request set-uri http://%[url_param(redirHost)]%[capture.req.uri]
option http_proxy
reqUrl :
http://<haproxyhost>:1000/test/health.txt?redirHost:<destinationServer>:<port>
this gets converted to:
http://
<destinationServer>:<port>/test/health.txt?redirHost:<destinationServer>:<port>
With blank or without blank?
This config in the log still says <noserv> but option http_proxy will
route to the updated url and I get 200 OK
this is our intended behavior and works fine
Cool. Then the '<NOSRV>' is a little bit misleading, at least for me.
What's not working for us is if we have to do this for https
listen http_proxy-1000
bind *:1000 ssl test.pem
mode http
option httplog
http-request set-uri https://%[url_param(redirHost)]%[capture.req.uri]
option http_proxy
Hope this helps.
Yes.
In the doc only the 'http://' schema is mentioned, I'm not sure if https
should work.
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-option%20http_proxy
Sorry for the rush but I can't answer this question.
Thanks,
Praveen.
Best regards
Aleks
-----Original Message-----
From: Aleksandar Lazic [mailto:[email protected]]
Sent: Tuesday, May 08, 2018 4:55 PM
To: UPPALAPATI, PRAVEEN <[email protected]>; [email protected]
Subject: 502 Bad Gateway
Hi.
Looks like there is some confusion about your question.
Let me try to summarize what I think that you could mean.
Am 08.05.2018 um 16:22 schrieb UPPALAPATI, PRAVEEN:
Hi Aleks,
Sorry I missed the group.
My Full Config:
#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#
# http://haproxy.1wt.eu/download/1.3/doc/configuration.txt
This should be
https://www.haproxy.org/download/1.8/doc/configuration.txt
or
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html
#---------------------------------------------------------------------
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
log 127.0.0.1:514 local0 info alert
log 127.0.0.1:514 local2 info alert
maxconn 20000
user haproxy
group haproxy
daemon
nbthread 4
ssl-server-verify none
tune.ssl.default-dh-param 2048
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
log global
mode http
option dontlognull
rate-limit sessions 6000
timeout connect 300000 # default 10 second time out if a backend is not found
The comment is not true.
The current timeout is 300s
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#2.4
timeout client 6600000
timeout server 6600000
This is 110m ~ 1.8 hours
option http-server-close
maxconn 20000
retries 3
listen http_proxy-1000
bind *:1000
mode http
option httplog
http-request set-uri https://%[url_param(redirHost)]%[capture.req.uri]
option http_proxy
#---------------------------------------------------------------------
I miss here the server line.
I also tried :
listen http_proxy-1000
bind *:1000 ssl crt certs.pem
mode http
option httplog
http-request set-uri https://%[url_param(redirHost)]%[capture.req.uri]
option http_proxy
Same here.
I tried also both configs and have the same result '<NOSRV>' as you
have.
Your line
http-9876~ bk_9876/<NOSRV> 0/0/1/-1/2 502 211 - - PH-- 1/1/0/0/0 0/0
"GET
/test/test.txt?idnsredirHost=<destinationhost>:5300 HTTP/1.1"
My Test
###
May 8 22:52:54 app001 haproxy[5141]: Proxy http_proxy-1000 started.
May 8 22:52:59 app001 haproxy[5141]: 127.0.0.1:52046
[08/May/2018:22:52:59.177] http_proxy-1000
http_proxy-1000/<NOSRV> -1/-1/-1/-1/0 400 187 - - PR-- 1/1/0/0/3 0/0
"GET
/test/test.txt?Host=www.google.com:80 HTTP/1.1"
###
I think that you need at least ONE server line.
I assume you want to set the destination server dynamically based on
the query parameter
'Host|idnsredirHost|redirHost', it's not clear which parameter you
want, as Shawn mentioned.
Maybe you can take a look into the following links.
https://discourse.haproxy.org/t/dynamic-server-selection/149/2
https://www.egnyte.com/blog/2017/04/dynamic-backends-in-haproxy-with-lua/
Is this what you need?
HAProxy Version :
//opt/app/haproxy/sbin/haproxy -vv
HA-Proxy version 1.8.4-1deb90d 2018/02/08
[snipp]
Was the acl below helpful?
Yes and also wanted to know if there is a way to print o/p of :
hdr_beg(host) for debug purposes
You can capture the host header; the captured one will be displayed in
the logs.
I don't think that you only can get the result of `hdr_beg(host)`
easily, maybe I'm wrong.
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-capture%20request%20header
Config:
```
capture request header Host len 15
```
```
ubuntu@app001:~$ curl -v 'http://localhost:1000/test/test.txt?Host=www.google.com:80'
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 1000 (#0)
GET /test/test.txt?Host=www.google.com:80 HTTP/1.1
Host: localhost:1000
User-Agent: curl/7.47.0
Accept: */*
* HTTP 1.0, assume close after body
< HTTP/1.0 400 Bad request
< Cache-Control: no-cache
< Connection: close
< Content-Type: text/html
<
<html><body><h1>400 Bad request</h1>
Your browser sent an invalid request.
</body></html>
* Closing connection 0
ubuntu@app001:~$ fg
sudo tail -f /var/log/haproxy.log
May 8 23:37:54 app001 haproxy[8804]: Proxy http_proxy-1000 started.
May 8 23:37:58 app001 haproxy[8804]: 127.0.0.1:35988
[08/May/2018:23:37:58.074] http_proxy-1000
http_proxy-1000/<NOSRV> -1/-1/-1/-1/0 400 187 - - PR-- 1/1/0/0/3 0/0
{localhost:1000} "GET
/test/test.txt?Host=www.google.com:80 HTTP/1.1"
```
Best regards
Aleks
Thanks,
Praveen.
-----Original Message-----
From: Aleksandar Lazic [mailto:[email protected]]
Sent: Tuesday, May 08, 2018 7:40 AM
To: UPPALAPATI, PRAVEEN <[email protected]>; [email protected]
Subject: Re: 502 Bad Gateway
Hi.
Please post only to the mailing list, thanks.
Please keep the mailing list in the mail loop => "Answer all".
Am 08.05.2018 um 07:25 schrieb UPPALAPATI, PRAVEEN:
Hi Haproxy-Team,
I have the following configuration:
listen http_proxy-1000
bind *:1000
mode http
option httplog
http-request set-uri https://%[url_param(redirHost)]%[capture.req.uri]
option http_proxy
This isn't the whole config, is it?
The 'url_param' does not match the request below, afais.
Please can you answer the following questions.
Which HAProxy Version do you use?
What's the whole HAProxy config?
Was the acl below helpful?
Regards
Aleks
If I issue a request to that port :
https://<haproxyHost>:1000
/test/test.txt?Host=<desthost>:8093
I get <BadReq>
If I add ssl termination to the config:
listen http_proxy-1000
bind *:1000 ssl test.pem
mode http
option httplog
http-request set-uri https://%[url_param(redirHost)]%[capture.req.uri]
option http_proxy
I get :
http-9876~ bk_9876/<NOSRV> 0/0/1/-1/2 502 211 - - PH-- 1/1/0/0/0 0/0
"GET /test/test.txt?idnsredirHost=<destinationhost>:5300 HTTP/1.1"
I have also set :
ssl-server-verify none
@global still no luck.
Let me know if I am missing anything .
Thanks,
Praveen.
-----Original Message-----
From: Aleksandar Lazic [mailto:[email protected]]
Sent: Tuesday, May 01, 2018 7:22 AM
To: UPPALAPATI, PRAVEEN <[email protected]>; Willy Tarreau <[email protected]>
Cc: Olivier Houchard <[email protected]>; [email protected]
Subject: Re: Logging Question
Hi.
Am 30.04.2018 um 19:05 schrieb UPPALAPATI, PRAVEEN:
Hi Willy/Oliver,
One small question:
When I capture the header it's returning xxxx.com in the log but
when I perform Get on xxxx.com:1000 it is not matching the following
configuration.
frontend http-1000
bind *:1000
option httplog
capture request header Host len 20
acl is_east hdr(host) -i xxxx.com
Maybe this helps?
acl is_east hdr_beg(host) -i xxxx.com
use_backend east_bk_1000_read if is_east
My question is how can I print o/p of hdr(host) & is_east to log?
Appreciate your help.
Thanks,
Praveen.
Regards
Aleks
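
Added example (not part of the original thread, and not code from the HAProxy project): a small Python parser for the `option httplog` lines quoted above, showing how the timers and the termination state separate the 400 (`PR--`) from the 502 (`PH--`). The timer names follow the HAProxy 1.8 HTTP log format; the regular expression and the function name `parse_httplog` are this example's own assumptions, and the sample lines are the thread's log lines re-joined onto one line each.

```python
import re

# Log lines quoted in the thread, re-joined onto one line each.
SAMPLES = [
    'http-9876~ bk_9876/<NOSRV> 0/0/1/-1/2 502 211 - - PH-- 1/1/0/0/0 0/0 '
    '"GET /test/test.txt?idnsredirHost=<destinationhost>:5300 HTTP/1.1"',
    'May 8 22:52:59 app001 haproxy[5141]: 127.0.0.1:52046 '
    '[08/May/2018:22:52:59.177] http_proxy-1000 http_proxy-1000/<NOSRV> '
    '-1/-1/-1/-1/0 400 187 - - PR-- 1/1/0/0/3 0/0 '
    '"GET /test/test.txt?Host=www.google.com:80 HTTP/1.1"',
]

# Only the termination-state characters seen in this thread, plus "-".
CAUSE = {"-": "no error", "P": "session prematurely aborted by the proxy"}
PHASE = {
    "-": "normal completion",
    "R": "waiting for a complete, valid request from the client",
    "H": "waiting for complete, valid response headers from the server",
}

LINE_RE = re.compile(
    r"(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) "
    r"(?P<timers>-?\d+(?:/-?\d+){4}) (?P<status>\d{3}) \d+ "
    r"\S+ \S+ (?P<term>\S{4}) "
)

def parse_httplog(line):
    """Return the httplog fields needed to triage a 400/502, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    # HAProxy 1.8 timers TR/Tw/Tc/Tr/Ta in ms; -1 = phase not reached or aborted.
    timers = dict(zip(("TR", "Tw", "Tc", "Tr", "Ta"), map(int, m["timers"].split("/"))))
    return {
        "frontend": m["frontend"],
        "server": m["server"],
        "status": int(m["status"]),
        "timers": timers,
        "cause": CAUSE.get(m["term"][0], "other"),
        "phase": PHASE.get(m["term"][1], "other"),
        "request_parsed": timers["TR"] >= 0,
        "connected_upstream": timers["Tc"] >= 0,
        "response_headers_seen": timers["Tr"] >= 0,
    }

if __name__ == "__main__":
    for sample in SAMPLES:
        print(parse_httplog(sample))
```

For the 502 line, `Tc` is 1 and `Tr` is -1: a connection was opened but no valid response headers came back. For the 400 line every phase timer is -1, so the request was rejected before any upstream connection was attempted.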