Re: Haproxy running on ipv6 and http-in/

2023-12-01 Thread Holger Just
Hi Christoph,

Christoph Kukulies wrote on 2023-12-01 09:59:
>> Seems normal, status code is 301 and you have "redirect scheme https code
>> 301 if !{ ssl_fc }"
>> Is this what you expect or do you think there're some errors ?
>
> But the http-in/ is bugging me.

This tells you that the request was accepted by and handled in the
http-in frontend without being forwarded to any backend
server.

This is expected since the request was answered by HAProxy
itself with the 301 redirect. The LR-- termination state in the log line
confirms this. To quote the documentation:

>  LR   The request was intercepted and locally handled by HAProxy. Generally
>   it means that this was a redirect or a stats request.

All the best,
Holger

-- 
Holger JUST (he/him)
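
The log fields discussed in the reply above, as an added example that is not part of the original thread or of HAProxy itself: a small parser that splits frontend from backend/server and flags requests HAProxy answered locally (termination state starting with LR). The sample lines are constructed, and the unwrapping of IPv4-mapped client addresses on a v4v6 bind is an addition beyond what the thread covers.

```python
import ipaddress
import re

# Field order of HAProxy's HTTP log format after the syslog prefix:
# client:port [date] frontend backend/server timers status bytes
# cookies(2) termination_state conn_counts queues "request"
LOG_RE = re.compile(
    r'haproxy\[\d+\]: (?P<client>\S+):(?P<port>\d+) \[(?P<date>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S*) '
    r'(?P<timers>[\d/+-]+) (?P<status>\d{3}) (?P<bytes>\+?\d+) \S+ \S+ '
    r'(?P<term>\S{4}) \S+ \S+ "(?P<request>[^"]*)"'
)

# Constructed sample lines modelled on the one in the thread (documentation
# address ranges; "<NOSRV>" is what HAProxy logs when no server was used).
SAMPLES = [
    'Nov 28 16:10:19 mail haproxy[59727]: ::ffff:203.0.113.7:63772 '
    '[28/Nov/2023:16:10:19.728] http-in http-in/<NOSRV> 0/-1/-1/-1/0 301 97 '
    '- - LR-- 1/1/0/0/0 0/0 "GET / HTTP/1.1"',
    'Nov 28 16:10:20 mail haproxy[59727]: 2001:db8::10:51514 '
    '[28/Nov/2023:16:10:20.101] http-in~ website/www.kukulies.org '
    '0/0/1/12/13 200 5120 - - ---- 2/2/0/0/0 0/0 "GET / HTTP/1.1"',
]

def parse(line):
    """Return a dict of fields, or None if the line is not an HTTP log line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    try:
        addr = ipaddress.ip_address(rec["client"])
        # On a "v4v6" bind, IPv4 clients arrive as ::ffff:a.b.c.d; unwrap them
        rec["client"] = str(getattr(addr, "ipv4_mapped", None) or addr)
    except ValueError:
        pass  # keep the raw text if the address field is mangled
    rec["status"] = int(rec["status"])
    if rec["server"] in ("", "<NOSRV>"):
        rec["server"] = None
    # "LR" = intercepted and handled by HAProxy itself (redirect, stats)
    rec["local"] = rec["term"].startswith("LR")
    return rec

def locally_handled(lines):
    """Records answered by HAProxy without involving a backend server."""
    return [r for r in map(parse, lines) if r and r["local"]]

if __name__ == "__main__":
    for r in locally_handled(SAMPLES):
        print(r["client"], r["frontend"], r["status"], r["term"], r["request"])
```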



Re: Haproxy running on ipv6 and http-in/

2023-12-01 Thread Christoph Kukulies
Thanks, Jarno, for sorting this out. Running on ipv6 is probably obvious due to 
the bind :::80 and bind :::443 statements. 
This v4v6 extension I got from somewhere and is supposed to be Linux kernel 
specific.


> On 01.12.2023 at 07:56, Jarno Huuskonen wrote:
> 
> Hi,
> 
> On Tue, 2023-11-28 at 16:29 +0100, Christoph Kukulies wrote:
>> I'm wondering why I see haproxy running on ipv6 (Ubuntu 22.04):
>> 
>> Excerpt from haproxy.cfg:
>> 
>> frontend http-in
>> #bind *:80
>> bind :::80 v4v6
>> #bind *:443 ssl crt /etc/haproxy/certs/xx.pem 
>> bind :::443 v4v6 ssl crt /etc/haproxy/certs/xx.pem
>> bind quic4@0.0.0.0:443 name quic443 ssl crt
>> /etc/haproxy/certs/xxx.pem proto quic alpn h3,h3-29,h3-28,h3-27 npn
>> h3,h3-29,h3-28,h3-27 allow-0rtt curves secp521r1:secp384r1
>> http-response add-header alt-svc 'h3=":443"; ma=7200,h3-29=":443";
>> ma=7200,h3-Q050=":443"; ma=7200,h3-Q046=":443"; ma=7200,h3-
>> Q043=":443"; ma=7200,quic=":443"; ma=7200'
>> 
>> http-request return status 200 content-type text/plain lf-string
>> "%[path,field(-1,/)].${ACCOUNT_THUMBPRINT}\n" if { path_beg '/.well-
>> known/acme-challenge/' }
>> 
> 
> This and "use_backend letsencrypt-backend if letsencrypt-acl" seem like
> duplicate and only one of them is used ?
> 
>> # Redirect if HTTPS is *not* used
>> redirect scheme https code 301 if !{ ssl_fc }
>> acl letsencrypt-acl path_beg /.well-known/acme-challenge/
>> 
>> use_backend letsencrypt-backend if letsencrypt-acl
>> default_backend website
>> 
>> In my haproxy.log I see:
>> 
>> Nov 28 16:10:19 mail haproxy[59727]: :::88.181.85.41:63772
>> [28/Nov/2023:16:10:19.728] http-in http-in/ 0/-1/-1/-1/0 301 97 - -
>> LR-- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
>> 
>> This stems from a request I did that way:
>> 
>> curl http://www.kukulies.org 
>> 
> 
> Seems normal, status code is 301 and you have "redirect scheme https code
> 301 if !{ ssl_fc }"
> Is this what you expect or do you think there're some errors ?

But the http-in/ is bugging me.

--
Christoph





Re: Haproxy running on ipv6 and http-in/

2023-11-30 Thread Jarno Huuskonen
Hi,

On Tue, 2023-11-28 at 16:29 +0100, Christoph Kukulies wrote:
> I'm wondering why I see haproxy running on ipv6 (Ubuntu 22.04):
> 
> Excerpt from haproxy.cfg:
> 
> frontend http-in
> #    bind *:80
>     bind :::80 v4v6
> #    bind *:443 ssl crt /etc/haproxy/certs/xx.pem 
>     bind :::443 v4v6 ssl crt /etc/haproxy/certs/xx.pem
>     bind quic4@0.0.0.0:443 name quic443 ssl crt
> /etc/haproxy/certs/xxx.pem proto quic alpn h3,h3-29,h3-28,h3-27 npn
> h3,h3-29,h3-28,h3-27 allow-0rtt curves secp521r1:secp384r1
>     http-response add-header alt-svc 'h3=":443"; ma=7200,h3-29=":443";
> ma=7200,h3-Q050=":443"; ma=7200,h3-Q046=":443"; ma=7200,h3-
> Q043=":443"; ma=7200,quic=":443"; ma=7200'
> 
>     http-request return status 200 content-type text/plain lf-string
> "%[path,field(-1,/)].${ACCOUNT_THUMBPRINT}\n" if { path_beg '/.well-
> known/acme-challenge/' }
> 

This and "use_backend letsencrypt-backend if letsencrypt-acl" seem like
duplicate and only one of them is used ?

>     # Redirect if HTTPS is *not* used
>     redirect scheme https code 301 if !{ ssl_fc }
>     acl letsencrypt-acl path_beg /.well-known/acme-challenge/
> 
>     use_backend letsencrypt-backend if letsencrypt-acl
>     default_backend website
> 
> In my haproxy.log I see:
> 
> Nov 28 16:10:19 mail haproxy[59727]: :::88.181.85.41:63772
> [28/Nov/2023:16:10:19.728] http-in http-in/ 0/-1/-1/-1/0 301 97 - -
> LR-- 1/1/0/0/0 0/0 "GET / HTTP/1.1"
> 
> This stems from a request I did that way:
> 
> curl http://www.kukulies.org
> 

Seems normal, status code is 301 and you have "redirect scheme https code
301 if !{ ssl_fc }"
Is this what you expect or do you think there're some errors ?

-Jarno


-- 
Jarno Huuskonen



Haproxy running on ipv6 and http-in/

2023-11-28 Thread Christoph Kukulies
I'm wondering why I see haproxy running on ipv6 (Ubuntu 22.04):

Excerpt from haproxy.cfg:

frontend http-in
#    bind *:80
    bind :::80 v4v6
#    bind *:443 ssl crt /etc/haproxy/certs/xx.pem
    bind :::443 v4v6 ssl crt /etc/haproxy/certs/xx.pem
    bind quic4@0.0.0.0:443 name quic443 ssl crt /etc/haproxy/certs/xxx.pem proto quic alpn h3,h3-29,h3-28,h3-27 npn h3,h3-29,h3-28,h3-27 allow-0rtt curves secp521r1:secp384r1
    http-response add-header alt-svc 'h3=":443"; ma=7200,h3-29=":443"; ma=7200,h3-Q050=":443"; ma=7200,h3-Q046=":443"; ma=7200,h3-Q043=":443"; ma=7200,quic=":443"; ma=7200'

    http-request return status 200 content-type text/plain lf-string "%[path,field(-1,/)].${ACCOUNT_THUMBPRINT}\n" if { path_beg '/.well-known/acme-challenge/' }

    # Redirect if HTTPS is *not* used
    redirect scheme https code 301 if !{ ssl_fc }
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/

    use_backend letsencrypt-backend if letsencrypt-acl
    default_backend website

    log /dev/log local2 debug

    acl is_static   path_beg /export/ /opencms/ /resources/ /javadoc/ /VAADIN/ /workplace /opencms-login/

    acl is_website  hdr_beg(host) -i www.kukulies.org
    acl is_cmssite  hdr_beg(host) -i cms.kukulies.org
    use_backend website-static if is_website is_static
    use_backend website if is_website
    use_backend cmssite if is_cmssite

backend letsencrypt-backend
    server letsencrypt 127.0.0.1:

backend website-static
    server www.kukulies.org 127.0.0.1:8080

backend website
    #http-request replace-header Destination ^([^\ :]*)\ /(.*) \1\ /opencms/\2
    # http-request set-path /opencms%[path]
    server www.kukulies.org 127.0.0.1:8080

backend cmssite
    #http-request replace-header Destination ^([^\ :]*)\ /(.*) \1\ /opencms/\2
    #  http-request set-path /opencms%[path]
    server cms.kukulies.org 127.0.0.1:8082

In my haproxy.log I see:

Nov 28 16:10:19 mail haproxy[59727]: :::88.181.85.41:63772 [28/Nov/2023:16:10:19.728] http-in http-in/ 0/-1/-1/-1/0 301 97 - - LR-- 1/1/0/0/0 0/0 "GET / HTTP/1.1"

This stems from a request I did that way:

curl http://www.kukulies.org

Comments welcome.

--
Christoph


