Re: [*EXT*] Re: haproxy hiding url/minio
Hi All, On Fri, Dec 25, 2020 at 6:37 PM Willy Tarreau wrote: > On Thu, Dec 24, 2020 at 06:04:05PM +0500, ??? wrote: > > as far as I recall, AWS4 uses digitally signed several headers. if you > > change some of those headers, security is broken so you get 401. > > I'm not sure it allows to change URL on the fly or not. > > > > but I recall proxying S3 pretty complicated task. > > > > should we document best practices how to reverse proxy S3 ? > > Probably. Another useful thing to put into the wiki. > Thanks for all the info, url gave me issues, using path fixed it. Thanks again for your replies here, it's really appreciated. Have a good day, and Merry Christmas. Cheers Jonathan > > Willy >
Re: [*EXT*] Re: haproxy hiding url/minio
On Thu, Dec 24, 2020 at 06:04:05PM +0500, ??? wrote: > as far as I recall, AWS4 uses digitally signed several headers. if you > change some of those headers, security is broken so you get 401. > I'm not sure it allows to change URL on the fly or not. > > but I recall proxying S3 pretty complicated task. > > should we document best practices how to reverse proxy S3 ? Probably. Another useful thing to put into the wiki. Willy
Re: haproxy hiding url/minio
Hi Jonathan, On Thu, Dec 24, 2020 at 02:52:23PM +1300, Jonathan Opperman wrote: > > Should it be: > > > > http-request set-path %[url,regsub(^/storage,/minio)] > > > > ? > > > > Cheers > > Jonathan > > > > Answering myself here, it is, and it works :) Be careful, set-path only sets the path component, but "url" returns the URI as received. For H1 you'll most often see the same thing as the path, but you could also have absolute URIs. For H2 you'll always have absolute URIs. I suggest that you use %[path,regsub...] instead. This way you set the path to the previous path on which you apply a transformation, which is what you want to do. Willy
Re: [*EXT*] Re: haproxy hiding url/minio
as far as I recall, AWS4 uses digitally signed several headers. if you change some of those headers, security is broken so you get 401. I'm not sure it allows to change URL on the fly or not. but I recall proxying S3 pretty complicated task. should we document best practices how to reverse proxy S3 ? чт, 24 дек. 2020 г. в 18:01, Ionel GARDAIS : > I would have add the trailing slash to avoid "/storages" being rewote. > 'http-request set-path %[regsub(^/storage/,/minio/)]' > > -- > Ionel > > - Mail original - > De: "Chad Lavoie" > À: "haproxy" > Cc: "Jonathan Opperman" > Envoyé: Jeudi 24 Décembre 2020 02:04:57 > Objet: [*EXT*] Re: haproxy hiding url/minio > > Greetings, > > On 12/23/2020 7:10 PM, Jonathan Opperman wrote: > > > > Works perfectly fine, what is the best way to hide /minio so it will > > rather say /storage so externally > > I hide the fact that we are using minio? > > You can do that by using 'http-request set-path > %[regsub(^/storage,/minio)]' to rewrite the path that the backend sees > from what the client sent. > > - Chad > -- > 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON > Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301 > > >
Re: [*EXT*] Re: haproxy hiding url/minio
I would have add the trailing slash to avoid "/storages" being rewote. 'http-request set-path %[regsub(^/storage/,/minio/)]' -- Ionel - Mail original - De: "Chad Lavoie" À: "haproxy" Cc: "Jonathan Opperman" Envoyé: Jeudi 24 Décembre 2020 02:04:57 Objet: [*EXT*] Re: haproxy hiding url/minio Greetings, On 12/23/2020 7:10 PM, Jonathan Opperman wrote: > > Works perfectly fine, what is the best way to hide /minio so it will > rather say /storage so externally > I hide the fact that we are using minio? You can do that by using 'http-request set-path %[regsub(^/storage,/minio)]' to rewrite the path that the backend sees from what the client sent. - Chad -- 232 avenue Napoleon BONAPARTE 92500 RUEIL MALMAISON Capital EUR 219 300,00 - RCS Nanterre B 408 832 301 - TVA FR 09 408 832 301
Re: haproxy hiding url/minio
Hi Chad, On Thu, Dec 24, 2020 at 2:46 PM Jonathan Opperman wrote: > Hi Chad, > > On Thu, Dec 24, 2020 at 2:04 PM Chad Lavoie wrote: > >> Greetings, >> >> On 12/23/2020 7:10 PM, Jonathan Opperman wrote: >> > >> > Works perfectly fine, what is the best way to hide /minio so it will >> > rather say /storage so externally >> > I hide the fact that we are using minio? >> >> You can do that by using 'http-request set-path >> %[regsub(^/storage,/minio)]' to rewrite the path that the backend sees >> from what the client sent. >> > > Thank you for the quick response, appreciate it. Tried to add it but got: > > parsing [/etc/haproxy/haproxy.cfg:172] : error detected in frontend > 'ft_https' while parsing 'http-request set-path' rule : failed to parse > sample expression : unknown fetch method > 'regsub'. > > Should it be: > > http-request set-path %[url,regsub(^/storage,/minio)] > > ? > > Cheers > Jonathan > Answering myself here, it is, and it works :) Thanks for that, appreciate it. Regards, Jonathan > > >> - Chad >> >>
Re: haproxy hiding url/minio
Hi Chad, On Thu, Dec 24, 2020 at 2:04 PM Chad Lavoie wrote: > Greetings, > > On 12/23/2020 7:10 PM, Jonathan Opperman wrote: > > > > Works perfectly fine, what is the best way to hide /minio so it will > > rather say /storage so externally > > I hide the fact that we are using minio? > > You can do that by using 'http-request set-path > %[regsub(^/storage,/minio)]' to rewrite the path that the backend sees > from what the client sent. > Thank you for the quick response, appreciate it. Tried to add it but got: parsing [/etc/haproxy/haproxy.cfg:172] : error detected in frontend 'ft_https' while parsing 'http-request set-path' rule : failed to parse sample expression : unknown fetch method 'regsub'. Should it be: http-request set-path %[url,regsub(^/storage,/minio)] ? Cheers Jonathan > - Chad > >
Re: haproxy hiding url/minio
Greetings, On 12/23/2020 7:10 PM, Jonathan Opperman wrote: Works perfectly fine, what is the best way to hide /minio so it will rather say /storage so externally I hide the fact that we are using minio? You can do that by using 'http-request set-path %[regsub(^/storage,/minio)]' to rewrite the path that the backend sees from what the client sent. - Chad
haproxy hiding url/minio
Hi All, Wanted to get some advice if this is even possible? Want to route https://www.portal.example/minio to a minio instance in the backend. Running haproxy 1.8 configured an acl acl PATH_minio path_beg -i /minio then using backend: use_backend bk_minio_portal if portal PATH_minio backend bk_minio_portal source 0.0.0.0 server 10.11.0.33 10.11.0.33:9000 Works perfectly fine, what is the best way to hide /minio so it will rather say /storage so externally I hide the fact that we are using minio? Thanks in advance for your suggestions :) Cheers Jonathan