Hi Aleksandar,

Yes I do Jira redirection configuration.

After adding the below line haproxy service not able to start.

http-response set-header location %[res.hdr(location),regsub(:8080/,/)] if {
res.hdr(location) -m found }

May 22 10:06:59 ies-esd-jiradc-loadb-stage haproxy-systemd-wrapper[28899]: 
[WARNING] 141/100659 (28900) : parsing [/etc/haproxy/haproxy.cfg:28] : 
'http-response' : sample fetch <res.hdr(location),regsub(:8080/,/)> failed with 
: unknown conv method 'regsub'
May 22 10:06:59 ies-esd-jiradc-loadb-stage haproxy-systemd-wrapper[28899]: 
[ALERT] 141/100659 (28900) : parsing [/etc/haproxy/haproxy.cfg:28] : error 
detected while parsing an 'http-response set-header' condi

Regards,
Mahmoud Mortada

-----Original Message-----
From: Aleksandar Lazic [mailto:al-hapr...@none.at] 
Sent: Wednesday, May 22, 2019 9:40 AM
To: Mortada, Mahmoud <mahmoud_mort...@mentor.com>
Cc: haproxy@formilux.org
Subject: Re: haproxy configuration issue

Hi Mahmoud.

Am 21.05.2019 um 14:57 schrieb Mortada, Mahmoud:
> Hi Aleksandar,
> 
> Thanks for your reply.
> 
> My main issue when I tried to access
> http://ies-esd-jiradc-loadb-stage.ies.mentorg.com:8080  it works but 
> redirect me to https://ies-esd-jiradc-loadb-stage.ies.mentorg.com:8080
> I don’t want to have 8080 on the https link.

Have you setup jira to run behind reverse proxy, because the redirect could 
also be come from JIRA?

https://confluence.atlassian.com/kb/reverse-proxy-and-application-link-troubleshooting-guide-719095279.html

> Can you please let me know what modification I need to have on my 
> haproxy.cfg file in order to fix this ?
> 
> Also I applied what you advise below and split http and https frontend and 
> backend.
> 
> [root@ies-esd-jiradc-loadb-stage haproxy]# cat haproxy.cfg
> 
> global
> 
>     pidfile     /var/run/haproxy.pid
>     maxconn     4000
>     user        haproxy
>     group       haproxy
>     daemon
>     tune.ssl.default-dh-param 2048
> 
> defaults
>     log                     global
>     mode http
>     option                  dontlognull
>     option                  redispatch
>     option                  http-ignore-probes
>     retries                 3
>     timeout http-request    10s
>     timeout queue           1m
>     timeout connect         10s
>     timeout client          1m
>     timeout server          1m
>     timeout http-keep-alive 10s
>     timeout check           10s
>     maxconn                 3000
>     errorfile               408 /dev/null       # Workaround for 
> Chrome 35-36 bug.  See 
> http://blog.haproxy.com/2014/05/26/haproxy-and-http-errors-408-in-chro
> me/
> 
> frontend jira_http_frontend
> 
>     bind *:80
>     bind *:8080 ssl crt /etc/cert.pem
>     redirect scheme https if !{ ssl_fc }

I would try this in haproxy.

http-response set-header location %[res.hdr(location),regsub(:8080/,/)] if {
res.hdr(location) -m found }

found here

https://stackoverflow.com/questions/53418024/haproxy-remove-port-number-from-url

>     default_backend jira_http_backend
> 
> backend jira_http_backend
> 
>     option httplog

You should get here a warning, move it to global.

>     option httpchk GET /status
>     option forwardfor
>     option http-server-close
>     balance roundrobin
> 
>     cookie JSESSIONID prefix nocache
> 
>     stick-table type string len 52 size 5M expire 30m
> 
>     http-request set-header X-Forwarded-Port %[dst_port]
> 
>     http-request add-header X-Forwarded-Proto https if { ssl_fc }
> 
>     server ies-esd-jiradc-node1-stage.ies.mentorg.com 
> 10.249.2.152:8080 check cookie 
> ies-esd-jiradc-node1-stage.ies.mentorg.com
> 
>     # The following "backup" servers are just here to show the startup 
> page when all nodes are starting up
> 
>     server ies-esd-jiradc-node1-stage.ies.mentorg.com 
> 10.249.2.152:8080 backup
>  
> 
> frontend jira_https_frontend
> 
>     bind *:443 ssl crt /etc/cert.pem
>     default_backend jira_https_backend
> 
> backend jira_https_backend
> 
>     option httplog

You should get here a warning, move it to global.

>     option httpchk GET /status
>     option forwardfor
>     option http-server-close
>     balance roundrobin
> 
>     cookie JSESSIONID prefix nocache
> 
>     stick-table type string len 52 size 5M expire 30m
> 
>     server ies-esd-jiradc-node1-stage.ies.mentorg.com 
> 10.249.2.152:8080 check cookie 
> ies-esd-jiradc-node1-stage.ies.mentorg.com
> 
>     # The following "backup" servers are just here to show the startup 
> page when all nodes are starting up
> 
>     server ies-esd-jiradc-node1-stage.ies.mentorg.com 
> 10.249.2.152:8080 backup
> 
> listen admin
> 
>     mode http
>     bind *:8090
>     stats enable
>     stats uri /
> 
> Regards,
> 
> Mahmoud Mortada

Hth

Aleks

> -----Original Message-----
> From: Aleksandar Lazic [mailto:al-hapr...@none.at]
> Sent: Tuesday, May 21, 2019 2:45 PM
> To: Mortada, Mahmoud <mahmoud_mort...@mentor.com>; 
> haproxy@formilux.org; wi...@haproxy.org
> Subject: Re: haproxy configuration issue
> 
>  
> 
> Hi.
> 
>  
> 
> Am 20.05.2019 um 17:04 schrieb Mortada, Mahmoud:
> 
>> Hi All,
> 
>>
> 
>> I am using haproxy version 1.5.18 with Atlassian Jira data center.
> 
>>
> 
>> [root@ies-esd-jiradc-loadb-stage haproxy]# haproxy -version
> 
>>
> 
>> HA-Proxy version 1.5.18 2016/05/10
> 
>>
> 
>> Copyright 2000-2016 Willy Tarreau <wi...@haproxy.org 
>> <mailto:wi...@haproxy.org>>
> 
>>
> 
>> Please find below haproxy.cfg configuration I have:
> 
>>
> 
>> I am trying to enable https for Jira.
> 
>  
> 
> Do you mean you want to use TLS on the tomcat server or you want that 
> HAProxy terminate TLS and talk to JIRA via plain http?
> 
>  
> 
>> I want to redirect all jira links using http with 8080 or without 
>> 8080
> 
>> port in the link to https
> 
>  
> 
> This
> 
>  
> 
>> Current status using below haproxy.cfg:
> 
>>
> 
>> https link working fine
> 
>>
> 
>> http link without 8080 port redirect automatically to https working
> 
>> fine
> 
>>
> 
>> I am only having issue then try to access http link with 8080 port it
> 
>> redirect me to https link but with 8080 port show up on the link and 
>> I
> 
>> don’t want to 8080 port show up after redirection to https.
> 
>>
> 
>> Can you please advise ?
> 
>  
> 
>  
> 
>  
> 
>> [root@ies-esd-jiradc-loadb-stage haproxy]# cat haproxy.cfg
> 
>>
> 
>> global
> 
>>
> 
>>     pidfile     /var/run/haproxy.pid
> 
>>
> 
>>     maxconn     4000
> 
>>
> 
>>     user        haproxy
> 
>>
> 
>>     group       haproxy
> 
>>
> 
>>     daemon
> 
>>
> 
>>     tune.ssl.default-dh-param 1024
> 
>  
> 
> I would increase this at least to 2048
> 
>  
> 
>> defaults
> 
>>
> 
>>     log                     global
> 
>>
> 
>>     mode http
> 
>>
> 
>>     option                  dontlognull
> 
>>
> 
>>     option                  redispatch
> 
>>
> 
>>     retries                 3
> 
>>
> 
>>     timeout http-request    10s
> 
>>
> 
>>     timeout queue           1m
> 
>>
> 
>>     timeout connect         10s
> 
>>
> 
>>     timeout client          1m
> 
>>
> 
>>     timeout server          1m
> 
>>
> 
>>     timeout http-keep-alive 10s
> 
>>
> 
>>     timeout check           10s
> 
>>
> 
>>     maxconn                 3000
> 
>>
> 
>>     errorfile               408 /dev/null       # Workaround for
> 
>> Chrome 35-36 bug.  See
> 
>> http://blog.haproxy.com/2014/05/26/haproxy-and-http-errors-408-in-chr
>> o
> 
>> me/
> 
>  
> 
> I would use here `option http-ignore-probes`.
> 
>  
> 
>> frontend jira_http_frontend
> 
>>
> 
>>     bind *:8080 ssl crt /etc/cert.pem
> 
>>
> 
>>     bind *:443 ssl crt /etc/cert.pem
> 
>>
> 
>>     acl secure dst_port eq 443
> 
>>
> 
>>     redirect scheme https if !{ ssl_fc }
> 
>> 
> 
>>     rspadd Strict-Transport-Security:\ max-age=31536000;\
> 
>> includeSubDomains;\ preload
> 
>>
> 
>>     rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure
> 
>  
> 
> Maybe this helps.
> 
>  
> 
>       # 
> https://cbonte.github.io/haproxy-dconv/1.9/configuration.html#7.3.6-ur
> l
> 
>       http-request set-path /%[url]
> 
>  
> 
>>     default_backend jira_http_backend
> 
>>  
> 
>>
> 
>> backend jira_http_backend
> 
>>
> 
>>     option httplog
> 
>>     option httpchk GET /status
> 
>>     option forwardfor
> 
>>     option http-server-close
> 
>>     balance roundrobin
> 
>>     cookie JSESSIONID prefix nocache
> 
>>     stick-table type string len 52 size 5M expire 30m
> 
>>     http-request set-header X-Forwarded-Port %[dst_port]
> 
>>     http-request add-header X-Forwarded-Proto https if { ssl_fc }
> 
>>     server ies-esd-jiradc-node1-stage.ies.mentorg.com
> 
>> 10.249.2.152:8080 check cookie
> 
>> ies-esd-jiradc-node1-stage.ies.mentorg.com
> 
>>     # The following "backup" servers are just here to show the 
>> startup
> 
>> page when all nodes are starting up
> 
>>     server ies-esd-jiradc-node1-stage.ies.mentorg.com
> 
>> 10.249.2.152:8080 backup
> 
>>
> 
>> listen admin
> 
>>     bind *:8090
> 
>>     stats enable
> 
>>     stats uri /
> 
>>
> 
>> Regards,
> 
>>
> 
>> Mahmoud Mortada
> 
>  
> 
> HTH
> 
> Aleks
> 

Reply via email to