Sorry, there was a space missing in the if statement; after adding the space, the service came up normally.
Redirection happened as before, with port :8080 in the link.

Regards,
Mahmoud Mortada

-----Original Message-----
From: Mortada, Mahmoud
Sent: Wednesday, May 22, 2019 11:11 AM
To: 'Aleksandar Lazic' <al-hapr...@none.at>
Cc: haproxy@formilux.org
Subject: RE: haproxy configuration issue

Hi Aleksandar,

Yes I do Jira redirection configuration.
After adding the below line, the haproxy service is not able to start.

http-response set-header location %[res.hdr(location),regsub(:8080/,/)] if { res.hdr(location) -m found }

May 22 10:06:59 ies-esd-jiradc-loadb-stage haproxy-systemd-wrapper[28899]: [WARNING] 141/100659 (28900) : parsing [/etc/haproxy/haproxy.cfg:28] : 'http-response' : sample fetch <res.hdr(location),regsub(:8080/,/)> failed with : unknown conv method 'regsub'
May 22 10:06:59 ies-esd-jiradc-loadb-stage haproxy-systemd-wrapper[28899]: [ALERT] 141/100659 (28900) : parsing [/etc/haproxy/haproxy.cfg:28] : error detected while parsing an 'http-response set-header' condi

Regards,
Mahmoud Mortada

-----Original Message-----
From: Aleksandar Lazic [mailto:al-hapr...@none.at]
Sent: Wednesday, May 22, 2019 9:40 AM
To: Mortada, Mahmoud <mahmoud_mort...@mentor.com>
Cc: haproxy@formilux.org
Subject: Re: haproxy configuration issue

Hi Mahmoud.

On 21.05.2019 at 14:57, Mortada, Mahmoud wrote:
> Hi Aleksandar,
>
> Thanks for your reply.
>
> My main issue: when I tried to access
> http://ies-esd-jiradc-loadb-stage.ies.mentorg.com:8080 it works but
> redirects me to https://ies-esd-jiradc-loadb-stage.ies.mentorg.com:8080
> I don’t want to have 8080 on the https link.

Have you set up jira to run behind a reverse proxy, because the redirect could also come from JIRA?

https://confluence.atlassian.com/kb/reverse-proxy-and-application-link-troubleshooting-guide-719095279.html

> Can you please let me know what modification I need to have on my
> haproxy.cfg file in order to fix this ?
>
> Also I applied what you advise below and split http and https frontend and
> backend.
>
> [root@ies-esd-jiradc-loadb-stage haproxy]# cat haproxy.cfg
>
> global
>
>     pidfile /var/run/haproxy.pid
>     maxconn 4000
>     user haproxy
>     group haproxy
>     daemon
>     tune.ssl.default-dh-param 2048
>
> defaults
>     log global
>     mode http
>     option dontlognull
>     option redispatch
>     option http-ignore-probes
>     retries 3
>     timeout http-request 10s
>     timeout queue 1m
>     timeout connect 10s
>     timeout client 1m
>     timeout server 1m
>     timeout http-keep-alive 10s
>     timeout check 10s
>     maxconn 3000
>     errorfile 408 /dev/null # Workaround for Chrome 35-36 bug. See http://blog.haproxy.com/2014/05/26/haproxy-and-http-errors-408-in-chrome/
>
> frontend jira_http_frontend
>
>     bind *:80
>     bind *:8080 ssl crt /etc/cert.pem
>     redirect scheme https if !{ ssl_fc }

I would try this in haproxy.

http-response set-header location %[res.hdr(location),regsub(:8080/,/)] if { res.hdr(location) -m found }

found here
https://stackoverflow.com/questions/53418024/haproxy-remove-port-number-from-url

>     default_backend jira_http_backend
>
> backend jira_http_backend
>
>     option httplog

You should get here a warning, move it to global.
>     option httpchk GET /status
>     option forwardfor
>     option http-server-close
>     balance roundrobin
>
>     cookie JSESSIONID prefix nocache
>
>     stick-table type string len 52 size 5M expire 30m
>
>     http-request set-header X-Forwarded-Port %[dst_port]
>
>     http-request add-header X-Forwarded-Proto https if { ssl_fc }
>
>     server ies-esd-jiradc-node1-stage.ies.mentorg.com 10.249.2.152:8080 check cookie ies-esd-jiradc-node1-stage.ies.mentorg.com
>
>     # The following "backup" servers are just here to show the startup page when all nodes are starting up
>
>     server ies-esd-jiradc-node1-stage.ies.mentorg.com 10.249.2.152:8080 backup
>
>
> frontend jira_https_frontend
>
>     bind *:443 ssl crt /etc/cert.pem
>     default_backend jira_https_backend
>
> backend jira_https_backend
>
>     option httplog

You should get here a warning, move it to global.

>     option httpchk GET /status
>     option forwardfor
>     option http-server-close
>     balance roundrobin
>
>     cookie JSESSIONID prefix nocache
>
>     stick-table type string len 52 size 5M expire 30m
>
>     server ies-esd-jiradc-node1-stage.ies.mentorg.com 10.249.2.152:8080 check cookie ies-esd-jiradc-node1-stage.ies.mentorg.com
>
>     # The following "backup" servers are just here to show the startup page when all nodes are starting up
>
>     server ies-esd-jiradc-node1-stage.ies.mentorg.com 10.249.2.152:8080 backup
>
> listen admin
>
>     mode http
>     bind *:8090
>     stats enable
>     stats uri /
>
> Regards,
>
> Mahmoud Mortada

Hth
Aleks

> -----Original Message-----
> From: Aleksandar Lazic [mailto:al-hapr...@none.at]
> Sent: Tuesday, May 21, 2019 2:45 PM
> To: Mortada, Mahmoud <mahmoud_mort...@mentor.com>; haproxy@formilux.org; wi...@haproxy.org
> Subject: Re: haproxy configuration issue
>
> Hi.
>
> On 20.05.2019 at 17:04, Mortada, Mahmoud wrote:
>
> >> Hi All,
> >>
> >> I am using haproxy version 1.5.18 with Atlassian Jira data center.
> >>
> >> [root@ies-esd-jiradc-loadb-stage haproxy]# haproxy -version
> >>
> >> HA-Proxy version 1.5.18 2016/05/10
> >>
> >> Copyright 2000-2016 Willy Tarreau <wi...@haproxy.org>
> >>
> >> Please find below haproxy.cfg configuration I have:
> >>
> >> I am trying to enable https for Jira.
>
> Do you mean you want to use TLS on the tomcat server, or do you want
> HAProxy to terminate TLS and talk to JIRA via plain http?
>
> >> I want to redirect all jira links using http with 8080 or without 8080
> >> port in the link to https
>
> This
>
> >> Current status using below haproxy.cfg:
> >>
> >> https link working fine
> >>
> >> http link without 8080 port redirect automatically to https working
> >> fine
> >>
> >> I am only having an issue when I try to access the http link with port 8080: it
> >> redirects me to the https link but with port 8080 showing up in the link, and I
> >> don’t want port 8080 to show up after redirection to https.
> >>
> >> Can you please advise ?
>
> >> [root@ies-esd-jiradc-loadb-stage haproxy]# cat haproxy.cfg
> >>
> >> global
> >>
> >>     pidfile /var/run/haproxy.pid
> >>     maxconn 4000
> >>     user haproxy
> >>     group haproxy
> >>     daemon
> >>     tune.ssl.default-dh-param 1024
>
> I would increase this at least to 2048
>
> >> defaults
> >>
> >>     log global
> >>     mode http
> >>     option dontlognull
> >>     option redispatch
> >>     retries 3
> >>     timeout http-request 10s
> >>     timeout queue 1m
> >>     timeout connect 10s
> >>     timeout client 1m
> >>     timeout server 1m
> >>     timeout http-keep-alive 10s
> >>     timeout check 10s
> >>     maxconn 3000
> >>     errorfile 408 /dev/null # Workaround for Chrome 35-36 bug. See http://blog.haproxy.com/2014/05/26/haproxy-and-http-errors-408-in-chrome/
>
> I would use here `option http-ignore-probes`.
>
> >> frontend jira_http_frontend
> >>
> >>     bind *:8080 ssl crt /etc/cert.pem
> >>     bind *:443 ssl crt /etc/cert.pem
> >>     acl secure dst_port eq 443
> >>     redirect scheme https if !{ ssl_fc }
> >>     rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload
> >>     rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure
>
> Maybe this helps.
>
> # https://cbonte.github.io/haproxy-dconv/1.9/configuration.html#7.3.6-url
> http-request set-path /%[url]
>
> >>     default_backend jira_http_backend
> >>
> >>
> >> backend jira_http_backend
> >>
> >>     option httplog
> >>     option httpchk GET /status
> >>     option forwardfor
> >>     option http-server-close
> >>     balance roundrobin
> >>     cookie JSESSIONID prefix nocache
> >>     stick-table type string len 52 size 5M expire 30m
> >>     http-request set-header X-Forwarded-Port %[dst_port]
> >>     http-request add-header X-Forwarded-Proto https if { ssl_fc }
> >>     server ies-esd-jiradc-node1-stage.ies.mentorg.com 10.249.2.152:8080 check cookie ies-esd-jiradc-node1-stage.ies.mentorg.com
> >>     # The following "backup" servers are just here to show the startup page when all nodes are starting up
> >>     server ies-esd-jiradc-node1-stage.ies.mentorg.com 10.249.2.152:8080 backup
> >>
> >> listen admin
> >>     bind *:8090
> >>     stats enable
> >>     stats uri /
> >>
> >> Regards,
> >>
> >> Mahmoud Mortada
>
> HTH
> Aleks
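
The symptom in this thread matches the documented behaviour of `redirect scheme`: Location is built from the new scheme, the request's Host header and the URI, so a request addressed to `host:8080` is sent to `https://host:8080`. An added configuration sketch, not written by anyone in the thread, that builds the redirect from a fixed prefix instead; `jira.example.com` and the plain-HTTP binds are assumptions.

```haproxy
# Added example, not from the thread. jira.example.com is a placeholder hostname.
frontend jira_http_frontend
    # Assumption: both ports accept plain HTTP so that the redirect rule is reached.
    bind *:80
    bind *:8080

    # Weak: 'redirect scheme' reuses the client's Host header, port included,
    # so http://host:8080/x becomes https://host:8080/x. It also reflects
    # whatever Host value the client sent into the Location header.
    # redirect scheme https if !{ ssl_fc }

    # Corrected: fixed prefix; HAProxy appends the request URI (path and query).
    # The client's Host header, and any port in it, never reaches Location.
    redirect prefix https://jira.example.com code 301

frontend jira_https_frontend
    bind *:443 ssl crt /etc/cert.pem
    # HSTS header line as used in the first configuration quoted in the thread.
    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload
    default_backend jira_https_backend
```

Both `redirect prefix` and `rspadd` are available in the 1.5 series used here; check the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading.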