Hi Alek/Haproxy Team,

Any other way to effectively get the https proxy working?
Currently we are manually adding servers which is putting a limit to get the dynamic nature.

Thanks,
Praveen.

-----Original Message-----
From: Aleksandar Lazic [mailto:[email protected]]
Sent: Wednesday, May 09, 2018 6:38 AM
To: UPPALAPATI, PRAVEEN <[email protected]>
Cc: [email protected]; SIVANANDHAM, THANIGAIVEL <[email protected]>
Subject: Re: 502 Bad Gateway

Hi Praveen.

On 09-05-2018 00:25, UPPALAPATI, PRAVEEN wrote:
> Hi Aleks,
>
> Thanks for the info.
>
> Some of the default config we corrected in the prod.
>
> Let me clarify you on what's working and what's not working for us with
> option http-proxy
>
> Config:
>
> listen http_proxy-1000
>     bind *:1000
>     mode http
>     option httplog
>     http-request set-uri http://%[url_param(redirHost)]%[capture.req.uri]
>
>     option http_proxy
>
> reqUrl :
> http://<haproxyhost>:1000/test/health.txt?redirHost:<destinationServer>:<port>
>
> this gets converted to:
>
> http://
> <destinationServer>:<port>/test/health.txt?redirHost:<destinationServer>:<port>

With blank or without blank?

> This config in the log still says <noserv> but option http_proxy will
> route to the updated url and I get 200 OK
>
> this is our intended behavior and works fine

Cool.
Then is the '<NOSRV>' a little bit misleading, at least for me.

> What's not working for us is if we have to do this for https
>
> listen http_proxy-1000
>     bind *:1000 ssl test.pem
>     mode http
>     option httplog
>     http-request set-uri https://%[url_param(redirHost)]%[capture.req.uri]
>
>     option http_proxy
>
> Hope this helps.

Yes.
In the doc is only the 'http://' schema mentioned, I'm not sure if https should work.

https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-option%20http_proxy

Sorry for the rush but I can't answer this question.

> Thanks,
> Praveen.

Best regards
Aleks

> -----Original Message-----
> From: Aleksandar Lazic [mailto:[email protected]]
> Sent: Tuesday, May 08, 2018 4:55 PM
> To: UPPALAPATI, PRAVEEN <[email protected]>; [email protected]
> Subject: 502 Bad Gateway
>
> Hi.
>
> Looks like there is some confusion about your question.
> Let me try to summarize what I think that you could mean.
>
> On 08.05.2018 at 16:22, UPPALAPATI, PRAVEEN wrote:
>> Hi Aleks,
>>
>> Sorry I missed the group.
>>
>> My Full Config:
>>
>> #---------------------------------------------------------------------
>> # Example configuration for a possible web application. See the
>> # full configuration options online.
>> #
>> #
>> http://haproxy.1wt.eu/download/1.3/doc/configuration.txt
>
> This should be
> https://www.haproxy.org/download/1.8/doc/configuration.txt
> or
> https://cbonte.github.io/haproxy-dconv/1.8/configuration.html
>
>> #---------------------------------------------------------------------
>>
>> #---------------------------------------------------------------------
>> # Global settings
>> #---------------------------------------------------------------------
>> global
>>     log 127.0.0.1:514 local0 info alert
>>     log 127.0.0.1:514 local2 info alert
>>     maxconn 20000
>>     user haproxy
>>     group haproxy
>>     daemon
>>     nbthread 4
>>     ssl-server-verify none
>>
>>     tune.ssl.default-dh-param 2048
>>
>> #---------------------------------------------------------------------
>> # common defaults that all the 'listen' and 'backend' sections will
>> # use if not designated in their block
>> #---------------------------------------------------------------------
>> defaults
>>
>>     log global
>>     mode http
>>     option dontlognull
>>     rate-limit sessions 6000
>>     timeout connect 300000 # default 10 second time out if a backend is not found
>
> The comment is not true.
>
> The current timeout is 300s
>
> https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#2.4
>
>>     timeout client 6600000
>>     timeout server 6600000
> This is 110m ~ 1.8 hours
>
>>     option http-server-close
>>     maxconn 20000
>>     retries 3
>>
>>
>> listen http_proxy-1000
>>     bind *:1000
>>     mode http
>>     option httplog
>>     http-request set-uri https://%[url_param(redirHost)]%[capture.req.uri]
>>     option http_proxy
>> #---------------------------------------------------------------------
>
> I miss here the server line.
>
>> I also tried :
>>
>> listen http_proxy-1000
>>     bind *:1000 ssl crt certs.pem
>>     mode http
>>     option httplog
>>     http-request set-uri https://%[url_param(redirHost)]%[capture.req.uri]
>>     option http_proxy
> Same here.
>
> I tried also both configs and have the same result '<NOSRV>' as you
> have.
>
> Your line
>>> http-9876~ bk_9876/<NOSRV> 0/0/1/-1/2 502 211 - - PH-- 1/1/0/0/0 0/0
>>> "GET /test/test.txt?idnsredirHost=<destinationhost>:5300 HTTP/1.1"
>>>
>
> My Test
> ###
> May 8 22:52:54 app001 haproxy[5141]: Proxy http_proxy-1000 started.
> May 8 22:52:59 app001 haproxy[5141]: 127.0.0.1:52046 [08/May/2018:22:52:59.177] http_proxy-1000 http_proxy-1000/<NOSRV> -1/-1/-1/-1/0 400 187 - - PR-- 1/1/0/0/3 0/0 "GET /test/test.txt?Host=www.google.com:80 HTTP/1.1"
> ###
>
> I think that you need at least ONE server line.
>
> I assume you want to set the destination server dynamically based on
> the query parameter
> 'Host|idnsredirHost|redirHost', it's not clear which parameter you
> want, as Shawn mentioned.
>
> Maybe you can take a look into the following links.
>
> https://discourse.haproxy.org/t/dynamic-server-selection/149/2
> https://www.egnyte.com/blog/2017/04/dynamic-backends-in-haproxy-with-lua/
>
> Is this what you need?
>
>>> HAProxy Version :
>>
>> //opt/app/haproxy/sbin/haproxy -vv
>> HA-Proxy version 1.8.4-1deb90d 2018/02/08
>
> [snipp]
>
>>> Was the acl below helpful?
>> Yes and also wanted to know if there is a way to print o/p of :
>> hdr_beg(host) for debug purposes
>
> You can capture the host header the captured one will be displayed in
> the logs.
> I don't think that you only can get the result of `hdr_beg(host)`
> easily, maybe I'm wrong.
>
> https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4.2-capture%20request%20header
>
> Config:
>
> ```
> capture request header Host len 15
> ```
>
> ```
> ubuntu@app001:~$ curl -v 'http://localhost:1000/test/test.txt?Host=www.google.com:80'
> * Trying 127.0.0.1...
> * Connected to localhost (127.0.0.1) port 1000 (#0)
> > GET /test/test.txt?Host=www.google.com:80 HTTP/1.1
> > Host: localhost:1000
> > User-Agent: curl/7.47.0
> > Accept: */*
> >
> * HTTP 1.0, assume close after body
> < HTTP/1.0 400 Bad request
> < Cache-Control: no-cache
> < Connection: close
> < Content-Type: text/html
> <
> <html><body><h1>400 Bad request</h1>
> Your browser sent an invalid request.
> </body></html>
> * Closing connection 0
>
> ubuntu@app001:~$ fg
> sudo tail -f /var/log/haproxy.log
> May 8 23:37:54 app001 haproxy[8804]: Proxy http_proxy-1000 started.
> May 8 23:37:58 app001 haproxy[8804]: 127.0.0.1:35988 [08/May/2018:23:37:58.074] http_proxy-1000 http_proxy-1000/<NOSRV> -1/-1/-1/-1/0 400 187 - - PR-- 1/1/0/0/3 0/0 {localhost:1000} "GET /test/test.txt?Host=www.google.com:80 HTTP/1.1"
> ```
>
> Best regards
>
> Aleks
>
>> Thanks,
>> Praveen.
>>
>> -----Original Message-----
>> From: Aleksandar Lazic [mailto:[email protected]]
>> Sent: Tuesday, May 08, 2018 7:40 AM
>> To: UPPALAPATI, PRAVEEN <[email protected]>; [email protected]
>> Subject: Re: 502 Bad Gateway
>>
>> Hi.
>>
>> Please post only to the mailing list, thanks.
>> Please keep the mailing list in the mail loop => "Answer all".
>>
>> On 08.05.2018 at 07:25, UPPALAPATI, PRAVEEN wrote:
>>> Hi Haproxy-Team,
>>>
>>> I have the following configuration:
>>>
>>> listen http_proxy-1000
>>>     bind *:1000
>>>     mode http
>>>     option httplog
>>>     http-request set-uri https://%[url_param(redirHost)]%[capture.req.uri]
>>>     option http_proxy
>>
>> This isn't the whole config, is it?
>>
>> The 'url_param' does not match the request below, afais.
>>
>> Please can you answer the following questions.
>>
>> Which HAProxy Version do you use?
>> What's the whole HAProxy config?
>> Was the acl below helpful?
>>
>> Regards
>> Aleks
>>
>>> If I issue a request to that port :
>>>
>>> https://<haproxyHost>:1000
>>> /test/test.txt?Host=<desthost>:8093
>>>
>>> I get <BadReq>
>>>
>>> If I add ssl termination to the config:
>>>
>>> listen http_proxy-1000
>>>     bind *:1000 ssl test.pem
>>>     mode http
>>>     option httplog
>>>     http-request set-uri https://%[url_param(redirHost)]%[capture.req.uri]
>>>     option http_proxy
>>>
>>>
>>> I get :
>>> http-9876~ bk_9876/<NOSRV> 0/0/1/-1/2 502 211 - - PH-- 1/1/0/0/0 0/0
>>> "GET /test/test.txt?idnsredirHost=<destinationhost>:5300 HTTP/1.1"
>>>
>>> I have also set :
>>>
>>> ssl-server-verify none
>>>
>>> @global still no luck.
>>>
>>> Let me know if I am missing anything.
>>>
>>> Thanks,
>>> Praveen.
>>>
>>>
>>> -----Original Message-----
>>> From: Aleksandar Lazic [mailto:[email protected]]
>>> Sent: Tuesday, May 01, 2018 7:22 AM
>>> To: UPPALAPATI, PRAVEEN <[email protected]>; Willy Tarreau <[email protected]>
>>> Cc: Olivier Houchard <[email protected]>; [email protected]
>>> Subject: Re: Logging Question
>>>
>>> Hi.
>>>
>>> On 30.04.2018 at 19:05, UPPALAPATI, PRAVEEN wrote:
>>>>
>>>> Hi Willy/Oliver,
>>>>
>>>> One small question:
>>>>
>>>> When I capture the header it's returning xxxx.com in the log but
>>>> when I perform Get on xxxx.com:1000 it is not matching the following
>>>> configuration.
>>>>
>>>> frontend http-1000
>>>>     bind *:1000
>>>>     option httplog
>>>>     capture request header Host len 20
>>>>     acl is_east hdr(host) -i xxxx.com
>>>
>>> Maybe this helps?
>>>
>>> acl is_east hdr_beg(host) -i xxxx.com
>>>
>>>>     use_backend east_bk_1000_read if is_east
>>>>
>>>> My question is how can I print o/p of hdr(host) & is_east to log?
>>>>
>>>> Appreciate your help.
>>>>
>>>> Thanks,
>>>> Praveen.
>>>
>>> Regards
>>> Aleks
>>>
>>
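
The two log lines quoted in this thread (400 with `PR--`, 502 with `PH--`) can be decoded field by field. The Python sketch below is an added example, not part of the original messages and not HAProxy code; it assumes the default `option httplog` field order documented for HAProxy 1.8, and the names `explain`, `WHO`, `WHEN` and `SAMPLES` are illustrative.

```python
import re

# Fields that follow the frontend name in an "option httplog" line
# (layout assumed per the HAProxy 1.8 documentation; syslog prefix is ignored).
LINE = re.compile(
    r'(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<timers>[-+\d]+(?:/[-+\d]+){4}) (?P<status>\d{3}) (?P<bytes>\+?\d+) '
    r'\S+ \S+ (?P<term>\S{4}) ')
TIMERS = ("TR", "Tw", "Tc", "Tr", "Ta")
# First two termination-state characters: who ended the session, and when.
WHO = {"P": "proxy aborted the session", "C": "client aborted",
       "S": "server aborted", "c": "client-side timeout",
       "s": "server-side timeout", "-": "normal end"}
WHEN = {"R": "while waiting for a complete, valid request",
        "C": "while connecting to the server",
        "H": "while waiting for valid response headers",
        "D": "during data transfer", "-": "after normal completion"}

# Log lines copied from the thread (placeholders kept as posted).
SAMPLES = [
    '127.0.0.1:52046 [08/May/2018:22:52:59.177] http_proxy-1000 '
    'http_proxy-1000/<NOSRV> -1/-1/-1/-1/0 400 187 - - PR-- 1/1/0/0/3 0/0 '
    '"GET /test/test.txt?Host=www.google.com:80 HTTP/1.1"',
    'http-9876~ bk_9876/<NOSRV> 0/0/1/-1/2 502 211 - - PH-- 1/1/0/0/0 0/0 '
    '"GET /test/test.txt?idnsredirHost=<destinationhost>:5300 HTTP/1.1"',
]

def explain(line):
    """Return the decoded fields of one httplog line, or None if no match."""
    m = LINE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["timers"] = dict(zip(TIMERS, map(int, rec["timers"].split("/"))))
    rec["status"] = int(rec["status"])
    rec["tls_frontend"] = rec["frontend"].endswith("~")   # '~' marks an SSL listener
    rec["no_server"] = rec["server"] == "<NOSRV>"
    # Tc >= 0 means a TCP connection to some destination was established,
    # even when no named server was picked (the option http_proxy case).
    rec["connected"] = rec["timers"]["Tc"] >= 0
    who, when = rec["term"][0], rec["term"][1]
    rec["cause"] = f'{WHO.get(who, "other")} {WHEN.get(when, "at another stage")}'
    return rec

if __name__ == "__main__":
    for s in SAMPLES:
        r = explain(s)
        print(r["status"], r["term"], r["cause"], "| connected:", r["connected"])
```

Read this way, the 400 line never got past request parsing (all timers -1), while the 502 line shows a completed connect (Tc=1) with no valid response headers, despite both reporting `<NOSRV>`.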

