[HAP 2.3.8] some missunderstandint of Session state and server correlation

Sat, 27 Mar 2021 05:53:28 -0700 

Hi.

As I understand the LH and LR combo right should no server be involved.
I expected in the https-in line also a "<NOSRV>" but there is the 
"be_default/default_prim".
Do I missunderstand the 'L' flag which is described as below

```
the session was locally processed by haproxy and was not passed to
a server. This is what happens for stats and redirects.
```

<Cient-IP> is always the same.

Mar 27 13:33:35 lb1 haproxy[634]: <Cient-IP>:58572 [27/Mar/2021:13:33:35.713]
http-in http-in/<NOSRV> 0/-1/-1/-1/0 301 121 - - LR-- 964/2/0/0/0 0/0
{|Mozilla/5.0 (compatible; Googlebot/2.1; 
+http://www.google.com/bot.html)|<Host>}
"GET /robots.txt HTTP/1.1"

Mar 27 13:33:35 lb1 haproxy[634]: <Cient-IP>:58572 [27/Mar/2021:13:33:35.713]
http-in http-in/<NOSRV> 0/-1/-1/-1/0 301 121 - - LR-- 964/2/0/0/0 0/0
{|Mozilla/5.0 (compatible; Googlebot/2.1; 
+http://www.google.com/bot.html)|<Host>}
"GET /robots.txt HTTP/1.1"

Mar 27 13:33:35 lb1 haproxy[634]: ::ffff:<Cient-IP>:36964 
[27/Mar/2021:13:33:35.837]
https-in~ be_default/default_prim 0/0/44/-1/57 200 266 - - LH-- 971/946/2/2/0 
0/0
{|Mozilla/5.0 (compatible; Googlebot/2.1; 
+http://www.google.com/bot.html)|<Host>|128|TLS_AES_128_GCM_SHA256|TLSv1.3|<SNI>}
"GET /robots.txt HTTP/1.1"

Mar 27 13:33:35 lb1 haproxy[634]: ::ffff:<Cient-IP>:36964 
[27/Mar/2021:13:33:35.837]
https-in~ be_default/default_prim 0/0/44/-1/57 200 266 - - LH-- 971/946/2/2/0 
0/0
{|Mozilla/5.0 (compatible; Googlebot/2.1; 
+http://www.google.com/bot.html)|<Host>|128|TLS_AES_128_GCM_SHA256|TLSv1.3|<SNI>}
"GET /robots.txt HTTP/1.1"

It's haproxy 2.3.8 and this is are the frontend sections.

```
frontend http-in
  bind *:80

  http-request capture req.fhdr(Referer) len 128
  http-request capture req.fhdr(User-Agent) len 256
  http-request capture req.hdr(host) len 148
  http-request set-var(txn.req_path) path

  http-response return content-type text/plain string "User-agent: *\nAllow: 
/\n" if { var(txn.req_path) /robots.txt }
  http-response return status 404 if { var(txn.req_path) /sitemap.txt }

  acl host_redir hdr(host),map(/etc/haproxy/redirect.map) -m found
  http-request redirect code 301 location 
%[req.hdr(host),map(/etc/haproxy/redirect.map)] if host_redir

  http-request redirect code 301 location 
https://%[hdr(host)]%[capture.req.uri] if ! { path_beg 
/.well-known/acme-challenge/ }

  use_backend be_nginx if { path_beg /.well-known/acme-challenge/ }

frontend https-in

  bind :::443 v4v6 alpn h2,http/1.1 ssl ca-file 
/etc/haproxy/letsencryptauthorityx3.pem crt /etc/ssl/haproxy/

  tcp-request inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }

  http-request deny if { src -f /etc/haproxy/denylist.acl }

  http-request set-var(txn.req_path) path

  http-response return content-type text/plain string "User-agent: *\nAllow: 
/\n" if { var(txn.req_path) /robots.txt }
  http-response return status 404 if { var(txn.req_path) /sitemap.txt }

  # Strip off Proxy headers to prevent HTTpoxy (https://httpoxy.org/)
  http-request del-header Proxy

  # collect ssl infos.
  http-request set-var(txn.cap_alg_keysize) ssl_fc_alg_keysize
  http-request set-var(txn.cap_cipher) ssl_fc_cipher
  http-request set-var(txn.cap_protocol) ssl_fc_protocol

  declare capture request len 128
  declare capture request len 256
  declare capture request len 148
  declare capture request len 148
  declare capture request len 148
  declare capture request len 148

  http-request capture req.hdr(host) len 148

  # Add CORS response header
  acl is_cors_preflight method OPTIONS
  http-response add-header Access-Control-Allow-Origin "*" if is_cors_preflight
  http-response add-header Access-Control-Allow-Methods "GET,POST" if 
is_cors_preflight
  http-response add-header Access-Control-Allow-Credentials "true" if 
is_cors_preflight
  http-response add-header Access-Control-Max-Age "600" if is_cors_preflight

  # 
https://www.haproxy.com/blog/haproxy-and-http-strict-transport-security-hsts-header-in-http-redirects/
  http-response set-header Strict-Transport-Security "max-age=15768000; 
includeSubDomains"
  http-response set-header X-Frame-Options      "SAMEORIGIN"
  http-response set-header X-Xss-Protection     "1; mode=block"
  http-response set-header X-Content-Type-Options       "nosniff"
  http-response set-header Referrer-Policy      "origin-when-cross-origin"

  use_backend be_nginx if { path_beg /.well-known/acme-challenge/ }
  use_backend 
%[req.hdr(host),lower,map(/etc/haproxy/haproxy_backend.map,be_default)]

```

regards
Alex

Reply via email to