Sorry, there was a space missing in the if statement. After adding the space, the service came up normally.



Redirection happened as before with port :8080 in the link


Regards,

Mahmoud Mortada





-----Original Message-----
From: Mortada, Mahmoud
Sent: Wednesday, May 22, 2019 11:11 AM
To: 'Aleksandar Lazic' <al-hapr...@none.at>
Cc: haproxy@formilux.org
Subject: RE: haproxy configuration issue



Hi Aleksandar,



Yes I do Jira redirection configuration.



After adding the line below, the haproxy service is not able to start.



http-response set-header location %[res.hdr(location),regsub(:8080/,/)] if { res.hdr(location) -m found }



May 22 10:06:59 ies-esd-jiradc-loadb-stage haproxy-systemd-wrapper[28899]: [WARNING] 141/100659 (28900) : parsing [/etc/haproxy/haproxy.cfg:28] : 'http-response' : sample fetch <res.hdr(location),regsub(:8080/,/)> failed with : unknown conv method 'regsub'

May 22 10:06:59 ies-esd-jiradc-loadb-stage haproxy-systemd-wrapper[28899]: [ALERT] 141/100659 (28900) : parsing [/etc/haproxy/haproxy.cfg:28] : error detected while parsing an 'http-response set-header' condi



Regards,

Mahmoud Mortada



-----Original Message-----
From: Aleksandar Lazic [mailto:al-hapr...@none.at]
Sent: Wednesday, May 22, 2019 9:40 AM
To: Mortada, Mahmoud <mahmoud_mort...@mentor.com>
Cc: haproxy@formilux.org
Subject: Re: haproxy configuration issue



Hi Mahmoud.



On 21.05.2019 at 14:57, Mortada, Mahmoud wrote:

> Hi Aleksandar,
>
> Thanks for your reply.
>
> My main issue when I tried to access
> http://ies-esd-jiradc-loadb-stage.ies.mentorg.com:8080  it works but
> redirects me to https://ies-esd-jiradc-loadb-stage.ies.mentorg.com:8080
> I don’t want to have 8080 on the https link.



Have you set up Jira to run behind a reverse proxy, because the redirect could also come from JIRA?



https://confluence.atlassian.com/kb/reverse-proxy-and-application-link-troubleshooting-guide-719095279.html



> Can you please let me know what modification I need to have on my
> haproxy.cfg file in order to fix this ?
>
> Also I applied what you advise below and split http and https frontend and backend.
>
> [root@ies-esd-jiradc-loadb-stage haproxy]# cat haproxy.cfg
>
> global
>
>     pidfile     /var/run/haproxy.pid
>     maxconn     4000
>     user        haproxy
>     group       haproxy
>     daemon
>     tune.ssl.default-dh-param 2048
>
> defaults
>     log                     global
>     mode http
>     option                  dontlognull
>     option                  redispatch
>     option                  http-ignore-probes
>     retries                 3
>     timeout http-request    10s
>     timeout queue           1m
>     timeout connect         10s
>     timeout client          1m
>     timeout server          1m
>     timeout http-keep-alive 10s
>     timeout check           10s
>     maxconn                 3000
>     errorfile               408 /dev/null       # Workaround for Chrome 35-36 bug.  See http://blog.haproxy.com/2014/05/26/haproxy-and-http-errors-408-in-chrome/
>
> frontend jira_http_frontend
>
>     bind *:80
>     bind *:8080 ssl crt /etc/cert.pem
>     redirect scheme https if !{ ssl_fc }



I would try this in haproxy.



http-response set-header location %[res.hdr(location),regsub(:8080/,/)] if { res.hdr(location) -m found }



found here



https://stackoverflow.com/questions/53418024/haproxy-remove-port-number-from-url



>     default_backend jira_http_backend
>
> backend jira_http_backend
>
>     option httplog



You should get a warning here; move it to global.



>     option httpchk GET /status
>     option forwardfor
>     option http-server-close
>     balance roundrobin
>
>     cookie JSESSIONID prefix nocache
>
>     stick-table type string len 52 size 5M expire 30m
>
>     http-request set-header X-Forwarded-Port %[dst_port]
>
>     http-request add-header X-Forwarded-Proto https if { ssl_fc }
>
>     server ies-esd-jiradc-node1-stage.ies.mentorg.com 10.249.2.152:8080 check cookie ies-esd-jiradc-node1-stage.ies.mentorg.com
>
>     # The following "backup" servers are just here to show the startup page when all nodes are starting up
>
>     server ies-esd-jiradc-node1-stage.ies.mentorg.com 10.249.2.152:8080 backup
>
> frontend jira_https_frontend
>
>     bind *:443 ssl crt /etc/cert.pem
>     default_backend jira_https_backend
>
> backend jira_https_backend
>
>     option httplog



You should get a warning here; move it to global.



>     option httpchk GET /status
>     option forwardfor
>     option http-server-close
>     balance roundrobin
>
>     cookie JSESSIONID prefix nocache
>
>     stick-table type string len 52 size 5M expire 30m
>
>     server ies-esd-jiradc-node1-stage.ies.mentorg.com 10.249.2.152:8080 check cookie ies-esd-jiradc-node1-stage.ies.mentorg.com
>
>     # The following "backup" servers are just here to show the startup page when all nodes are starting up
>
>     server ies-esd-jiradc-node1-stage.ies.mentorg.com 10.249.2.152:8080 backup
>
> listen admin
>
>     mode http
>     bind *:8090
>     stats enable
>     stats uri /
>
> Regards,
>
> Mahmoud Mortada



Hth



Aleks



> -----Original Message-----
> From: Aleksandar Lazic [mailto:al-hapr...@none.at]
> Sent: Tuesday, May 21, 2019 2:45 PM
> To: Mortada, Mahmoud <mahmoud_mort...@mentor.com>; haproxy@formilux.org; wi...@haproxy.org
> Subject: Re: haproxy configuration issue
>
> Hi.
>
> On 20.05.2019 at 17:04, Mortada, Mahmoud wrote:
>
>> Hi All,
>>
>> I am using haproxy version 1.5.18 with Atlassian Jira data center.
>>
>> [root@ies-esd-jiradc-loadb-stage haproxy]# haproxy -version
>>
>> HA-Proxy version 1.5.18 2016/05/10
>>
>> Copyright 2000-2016 Willy Tarreau <wi...@haproxy.org>
>>
>> Please find below haproxy.cfg configuration I have:
>>
>> I am trying to enable https for Jira.
>
> Do you mean you want to use TLS on the tomcat server or you want that
> HAProxy terminate TLS and talk to JIRA via plain http?
>
>> I want to redirect all jira links using http with 8080 or without 8080
>> port in the link to https
>
> This
>
>> Current status using below haproxy.cfg:
>>
>> https link working fine
>>
>> http link without 8080 port redirect automatically to https working fine
>>
>> I am only having issue then try to access http link with 8080 port it
>> redirect me to https link but with 8080 port show up on the link and I
>> don’t want to 8080 port show up after redirection to https.
>>
>> Can you please advise ?
>
>> [root@ies-esd-jiradc-loadb-stage haproxy]# cat haproxy.cfg
>>
>> global
>>     pidfile     /var/run/haproxy.pid
>>     maxconn     4000
>>     user        haproxy
>>     group       haproxy
>>     daemon
>>     tune.ssl.default-dh-param 1024
>
> I would increase this at least to 2048
>
>> defaults
>>     log                     global
>>     mode http
>>     option                  dontlognull
>>     option                  redispatch
>>     retries                 3
>>     timeout http-request    10s
>>     timeout queue           1m
>>     timeout connect         10s
>>     timeout client          1m
>>     timeout server          1m
>>     timeout http-keep-alive 10s
>>     timeout check           10s
>>     maxconn                 3000
>>     errorfile               408 /dev/null       # Workaround for Chrome 35-36 bug.  See http://blog.haproxy.com/2014/05/26/haproxy-and-http-errors-408-in-chrome/
>
> I would use here `option http-ignore-probes`.
>
>> frontend jira_http_frontend
>>     bind *:8080 ssl crt /etc/cert.pem
>>     bind *:443 ssl crt /etc/cert.pem
>>     acl secure dst_port eq 443
>>     redirect scheme https if !{ ssl_fc }
>>     rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload
>>     rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure
>
> Maybe this helps.
>
>       # https://cbonte.github.io/haproxy-dconv/1.9/configuration.html#7.3.6-url
>       http-request set-path /%[url]
>
>>     default_backend jira_http_backend
>>
>> backend jira_http_backend
>>     option httplog
>>     option httpchk GET /status
>>     option forwardfor
>>     option http-server-close
>>     balance roundrobin
>>     cookie JSESSIONID prefix nocache
>>     stick-table type string len 52 size 5M expire 30m
>>     http-request set-header X-Forwarded-Port %[dst_port]
>>     http-request add-header X-Forwarded-Proto https if { ssl_fc }
>>     server ies-esd-jiradc-node1-stage.ies.mentorg.com 10.249.2.152:8080 check cookie ies-esd-jiradc-node1-stage.ies.mentorg.com
>>     # The following "backup" servers are just here to show the startup page when all nodes are starting up
>>     server ies-esd-jiradc-node1-stage.ies.mentorg.com 10.249.2.152:8080 backup
>>
>> listen admin
>>     bind *:8090
>>     stats enable
>>     stats uri /
>>
>> Regards,
>>
>> Mahmoud Mortada
>
> HTH
>
> Aleks

>
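
Added example, not part of the original thread: the `regsub(:8080/,/)` rewrite discussed above is a first-match substitution on the Location value, so this Python emulation runs it over constructed header values to show which redirects it rewrites, which it misses, and where it edits a return-URL parameter instead. The host `jira.example.test` and all function names are assumptions; `strip_port` is a comparison that parses the URL and removes only the authority's port.

```python
import re
from urllib.parse import urlsplit, urlunsplit


def regsub_first(location, pattern=r":8080/", repl="/"):
    """Emulate regsub(:8080/,/) with no 'g' flag: replace the first match only."""
    return re.sub(pattern, repl, location, count=1)


def strip_port(location, port=8080):
    """Drop `port` only when it is the port of the URL's authority."""
    parts = urlsplit(location)
    if parts.port != port:
        return location                      # relative URL, or a different port
    netloc = parts.netloc.rsplit(":", 1)[0]  # keeps userinfo and [IPv6] intact
    return urlunsplit((parts.scheme, netloc, parts.path,
                       parts.query, parts.fragment))


# Constructed Location header values (assumed host, not taken from the thread).
SAMPLES = [
    # Usual backend redirect: both approaches remove the port.
    "https://jira.example.test:8080/secure/Dashboard.jspa",
    # No trailing slash after the port: the ":8080/" pattern never matches.
    "https://jira.example.test:8080",
    # Port appears only inside a return-URL parameter: the substitution
    # rewrites the parameter, while the parsed version leaves it alone.
    "https://jira.example.test/login.jsp"
    "?os_destination=http://jira.example.test:8080/browse/X-1",
    # Relative redirect: nothing to change.
    "/secure/Dashboard.jspa",
]


def compare(samples=SAMPLES):
    """Return (original, regsub result, parsed result) for each sample."""
    return [(loc, regsub_first(loc), strip_port(loc)) for loc in samples]


if __name__ == "__main__":
    for loc, naive, parsed in compare():
        print(f"{loc}\n  regsub : {naive}\n  parsed : {parsed}")
```
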

