Redirect Loop when using X-Forwarded-Proto header.

2011-03-29 Thread Ben Timby
I am using haproxy in combination with stunnel to perform SSL. My
backend servers expect an X-Forwarded-Proto: https header to indicate
that the request was sent over SSL. If this header is missing, the
request is redirected to the https:// flavor of the URL.

However, with haproxy-1.5-dev5, I am seeing that the header is only
added to the first request of the connection. Subsequent requests are
missing this header. Below is an example from a tcpdump.

--
GET /private/ HTTP/1.1
Host: beta.mysite.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.16 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sessionid=03412c52b518e63558dc3d2418b52dc9
X-Forwarded-Proto: http
X-Forwarded-For: 10.10.10.10

HTTP/1.1 302 FOUND
Date: Tue, 29 Mar 2011 16:28:45 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: sessionid=03412c52b518e63558dc3d2418b52dc9; expires=Tue, 29-Mar-2011 16:48:45 GMT; Max-Age=1200; Path=/
Location: https://beta.mysite.com/private/
Content-Length: 0
Keep-Alive: timeout=3, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

GET /private/ HTTP/1.1
Host: beta.mysite.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.16 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sessionid=03412c52b518e63558dc3d2418b52dc9

HTTP/1.1 302 FOUND
Date: Tue, 29 Mar 2011 16:28:45 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: sessionid=03412c52b518e63558dc3d2418b52dc9; expires=Tue, 29-Mar-2011 16:48:45 GMT; Max-Age=1200; Path=/
Location: https://beta.mysite.com/private/
Content-Length: 0
Keep-Alive: timeout=3, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

...
--

This redirect loop runs until the browser interrupts it and displays
an error. My configuration follows:

--
listen http-vip00
    # plain HTTP from clients
    bind    192.168.1.1:80
    # traffic decrypted by stunnel, delivered with the PROXY protocol header
    bind    127.0.0.1:81 accept-proxy
    mode    http
    option  httplog
    balance roundrobin
    # strip any client-supplied X-Forwarded-For before re-adding our own
    reqidel ^X-Forwarded-For:.*
    acl     is-ssl  dst_port   81
    reqadd  X-Forwarded-Proto:\ https if is-ssl
    reqadd  X-Forwarded-Proto:\ http unless is-ssl
    option  forwardfor
    server  www1 10.19.78.18:80
--

I have not yet had a chance to see if the same thing happens with
previous versions of haproxy. Is this expected behavior or do I have
something misconfigured?



Re: Redirect Loop when using X-Forwarded-Proto header.

2011-03-29 Thread Ben Timby
I found the issue. From the haproxy manual:

By default HAProxy operates in a tunnel-like mode with regards to persistent
connections: for each connection it processes the first request and forwards
everything else (including additional requests) to selected server. Once
established, the connection is persisted both on the client and server
sides. Use option http-server-close to preserve client persistent connections
while handling every incoming request individually, dispatching them one after
another to servers, in HTTP close mode. Use option httpclose to switch both
sides to HTTP close mode. option forceclose and option
http-pretend-keepalive help working around servers misbehaving in HTTP close
mode.

So:
option http-server-close

disables persistent connections to the backends, while keeping them
for the frontend. This allows haproxy to modify each request to the
backend and inject the needed headers.

Sorry for the waste of bandwidth :-).
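A small checker for the symptom described in this thread, added here as an example and not code from the thread or from haproxy: it walks a header-only capture of one keep-alive connection and flags requests after the first that lost a header the first request carried, plus 302 responses whose Location (an assumed loop indicator) points straight back at the host and path just requested. The capture it runs on is a constructed sample shaped like the one above.

```python
# Constructed sample modelled on the capture in the thread (not the original bytes).
# Messages are header-only and separated by a blank line (all bodies are empty).
SAMPLE_STREAM = (
    "GET /private/ HTTP/1.1\r\nHost: beta.mysite.com\r\nConnection: keep-alive\r\n"
    "X-Forwarded-Proto: https\r\nX-Forwarded-For: 10.10.10.10\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
    "GET /private/ HTTP/1.1\r\nHost: beta.mysite.com\r\nConnection: keep-alive\r\n\r\n"
    "HTTP/1.1 302 FOUND\r\nLocation: https://beta.mysite.com/private/\r\n"
    "Content-Length: 0\r\n\r\n"
)


def parse_messages(stream):
    """Split a header-only HTTP stream into (start_line, {header: value}) pairs."""
    messages = []
    for block in stream.split("\r\n\r\n"):
        lines = block.split("\r\n")
        if not lines[0]:
            continue  # trailing empty block
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        messages.append((lines[0], headers))
    return messages


def audit_connection(stream, required=("x-forwarded-proto", "x-forwarded-for")):
    """Return human-readable findings for one keep-alive connection."""
    findings = []
    messages = parse_messages(stream)
    requests = [m for m in messages if not m[0].startswith("HTTP/")]
    responses = [m for m in messages if m[0].startswith("HTTP/")]
    first_headers = requests[0][1] if requests else {}
    for n, (start, headers) in enumerate(requests, 1):
        # tunnel-mode symptom: the proxy only touched the first request
        missing = [h for h in required if h in first_headers and h not in headers]
        if n > 1 and missing:
            findings.append(f"request {n}: missing {', '.join(missing)} (present on request 1)")
        # responses are paired with requests by position on the connection
        if n <= len(responses):
            status, resp_headers = responses[n - 1]
            code = status.split(" ")[1]
            target = resp_headers.get("location", "")
            path = start.split(" ")[1]
            if code in ("301", "302") and target.endswith(headers.get("host", "") + path):
                findings.append(f"request {n}: {code} redirects back to the requested resource ({target})")
    return findings
```

Run it against a capture taken between haproxy and the backend; a clean connection returns an empty list.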