so I almost got this to work, based on the situation I am in. To elaborate just a bit, my setup involves a shibboleth SP that I need to authenticate my application. Since I can't set up the HA proxy node with shibboleth SP - I had to wrap my application in the backend with apache so I can pass REMOTE_USER to the application. the application I have is - jupyterhub and it start with its own proxy. Long story short, here is my current setup:
frontend bind :80 bind :443 ssl crt /etc/haproxy/crsplab2_1.pem stats uri /haproxy?stats default_backend web1_cluster option httplog log global #option dontlognull log /dev/log local0 debug mode http option forwardfor # forward IP http-request set-header X-Forwarded-Port %[dst_port] http-request add-header X-Forwarded-Proto https if { ssl_fc } redirect scheme https if !{ ssl_fc } acl host_web3 path_beg /jhub use_backend web3_cluster if host_web3 backend server web1.oit.uci.edu 128.110.80.5:80 check this works for the most part. But I am confused with a problem. when I get to my application, my backend IP address shows up in the browser URL. for example, I see this in my browser: http://128.110.80.5/jhub/user/itoufiqu/tree? whereas, I was expecting that it would show the original URL, such as: http://crsplab2.domain.com/jhub/user/itoufiqu/tree? ( where crsplab2.domain.com is the URL to get HAproxy ) While I am no expert in HA proxy world, I think this might due to the fact that my backend does not have SSL and HAproxy frontend does have SSL. At this point, I would avoid that IP address showing up in the browser. what is the best way to accomplish this? thanks for your continues help! On Tue, Oct 23, 2018 at 8:35 AM Aleksandar Lazic <al-hapr...@none.at> wrote: > Hi. > > Am 23.10.2018 um 09:04 schrieb Imam Toufique: > > I am looking for some help on how to write the following apache > proxypass rules > > in HAproxy. Not to mention I am at a bit of loss with my first try :-) > . Here > > are my current proxypass rules: > > > > ProxyPass http://10.1.100.156:8000/jhub > > ProxyPassReverse http://10.1.100.156:8000/jhub > > Well ProxyPass and ProxyPassReverse do a lot of thinks not just rewrites, > as > mentioned in the doc > > https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypass > https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypassreverse > > > > <LocationMatch > "/jhub/(user/[^/]*)/(api/kernels/[^/]+/channels/websocket)(.*)"> > > ProxyPassMatch ws://10.1.100.156:8000/jhub/$1/$2$3 > > ProxyPassReverse ws://10.1.100.156:8000/jhub/$1/$2$3 > > </LocationMatch> > > > > As I am not well versed in the massive HAproxy configuration guide, if > any of > > you can give me a hand with this, I would very much appreciate it. > > I'm also not "that" expert but I would try the following, untested. > > ### > defaults > mode http > log global > > #... maybe some other settings > timeout tunnel 10h > > frontend https_001 > > #... maybe some other settings > > acl websocket path_beg /jhub > > #... maybe some other acls > > use_backend websocket_001 if websocket > > backend websocket_001 > > reqrep "^([^\ :]*) > /jhub/(user/[^/]*)/(api/kernels/[^/]+/channels/websocket)(.*)" > "/jhub/\1/\2\3" > > # You will need to replace the first column with the response from the > # backend response > # rspirep "^Location: > /jhub/(user/[^/]*)/(api/kernels/[^/]+/channels/websocket)(.*)" "Location: > /jhub/\1/\2\3" > # OR > # http-response replace-header Location > "/jhub/(user/[^/]*)/(api/kernels/[^/]+/channels/websocket)(.*)" > "/jhub/\1/\2\3" > > # add some checks > > server ws_01 10.1.100.156:8000 check > ### > > Here are some links which may help you also. > > https://www.haproxy.com/blog/websockets-load-balancing-with-haproxy/ > https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-reqirep > https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-rspirep > > I would run haproxy in Debug mode and see how the request pass haproxy and > adopt > the config. > > It would be nice when you show us the working conf ;-) > > It would be nice to have a > > http-request replace-uri <match-regex> <replace-fmt> > > to replace the reqrep. > > > thanks > > Hth > Aleks > > -- Regards, *Imam Toufique* *213-700-5485*