Re: Apache Proxypass mimicing ?

2021-02-23 Thread spfma . tech
On 22-Feb-2021 14:02:46 +0100, al-hapr...@none.at wrote:
Hi.

On 22.02.21 01:31, Igor Cicimov wrote:
> 
> But if I do some configuration tweaks in "wp-config.php", like adding the 
> following two lines :
> define('WP_HOME', 'https://front1.domain.local');
> define('WP_SITEURL', 'https://front1.domain.local');
> 
> It seems to work correctly.
> 
> It is not an acceptable solution however, as these WP instances will be 
> managed by people who are not really tech-savvy.
> 
> So I wonder if HAProxy could provide a setup with all the required 
> modifications, 
> rewritings, ... allowing both worlds to coexist in a transparent way :
> - usable WP site while browsing the "real" URLs from the backend
> - usable WP site while browsing through HAProxy.
> 
> Right now WP is my concern, but I am sure this is a reusable "pattern" for 
> future needs.
> 
> Regards
> 
> 
> This is a requirement for most apps behind a reverse proxy -- you simply have 
> to 
> tell the app that it is behind a reverse proxy so it can set correct links 
> where needed.
> 
> In your case if you google for "wordpress behind reverse proxy" I'm sure 
> you'll 
> get a ton of resources that can point you in the right direction for your use 
> case like using X-FORWARD headers for example or whatever suits you.

>Full Ack to Igor's statement.

>As a further idea, maybe you can replace the response.
>http://cbonte.github.io/haproxy-dconv/2.3/configuration.html#4.2-http-response%20replace-header
>http://cbonte.github.io/haproxy-dconv/2.3/configuration.html#4.2-http-response%20replace-value

>It could be tricky for a huge amount of hosts, due to this fact I suggest to
>setup WP with WP_HOME and WP_SITEURL which is possible via wp-admin via GUI :-)

>You can also create a small setup tool which adds the values to the wp_config and
>add the haproxy map entry for the domain.

>Regards
>Alex

Hi,
Thank you all for these answers, I cannot defeat PHP world :-)
So I will indeed generate the required configurations for around 40 instances 
with a small tool named Ansible :-)))
Regards



Re: Apache Proxypass mimicing ?

2021-02-22 Thread Aleksandar Lazic

Hi.

On 22.02.21 01:31, Igor Cicimov wrote:


But if I do some configuration tweaks in "wp-config.php", like adding the 
following two lines :

define('WP_HOME', 'https://front1.domain.local');
define('WP_SITEURL', 'https://front1.domain.local');

It seems to work correctly.

It is not an acceptable solution however, as these WP instances will be 
managed by people who are not really tech-savvy.


So I wonder if HAProxy could provide a setup with all the required modifications, 
rewritings, ... allowing both worlds to coexist in a transparent way :

- usable WP site while browsing the "real" URLs from the backend
- usable WP site while browsing through HAProxy.

Right now WP is my concern, but I am sure this is a reusable "pattern" for 
future needs.

Regards


This is a requirement for most apps behind a reverse proxy -- you simply have to 
tell the app that it is behind a reverse proxy so it can set correct links where needed.


In your case if you google for "wordpress behind reverse proxy" I'm sure you'll 
get a ton of resources that can point you in the right direction for your use 
case like using X-FORWARD headers for example or whatever suits you.


Full Ack to Igor's statement.

As a further idea, maybe you can replace the response.
http://cbonte.github.io/haproxy-dconv/2.3/configuration.html#4.2-http-response%20replace-header
http://cbonte.github.io/haproxy-dconv/2.3/configuration.html#4.2-http-response%20replace-value

It could be tricky for a huge amount of hosts, due to this fact I suggest to
setup WP with WP_HOME and WP_SITEURL which is possible via wp-admin via GUI :-)

You can also create a small setup tool which adds the values to the wp_config and
add the haproxy map entry for the domain.

Regards
Alex
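
The small setup tool suggested above, sketched as an added example (not code from this thread or from the HAProxy or WordPress projects): it validates a front hostname before writing it into the two `wp-config.php` defines and the `hosts.map` entry, since both files are generated from the same input. The function names, the `be_wp1` backend name and the accepted character sets are assumptions.

```python
import re

# Assumed rule: RFC 1123-style hostname (letters, digits, hyphens, dots).
# Anything else (quotes, spaces, slashes) must never reach a PHP or map file.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$"
)
# Assumed conservative character set for a backend name.
BACKEND_RE = re.compile(r"^[A-Za-z0-9_.:-]+$")


def validate(front_host, backend):
    """Normalise the hostname and reject values unsafe to template into config."""
    host = front_host.strip().lower()
    if not HOST_RE.match(host):
        raise ValueError(f"refusing unsafe hostname: {front_host!r}")
    if not BACKEND_RE.match(backend):
        raise ValueError(f"refusing unsafe backend name: {backend!r}")
    return host, backend


def wp_config_lines(front_host):
    """The two defines from the thread, pointing WordPress at the public URL."""
    host, _ = validate(front_host, "placeholder")
    url = f"https://{host}"
    return [f"define('WP_HOME', '{url}');", f"define('WP_SITEURL', '{url}');"]


def update_map(map_text, front_host, backend):
    """Return hosts.map content with exactly one entry for front_host."""
    host, backend = validate(front_host, backend)
    kept = [
        line for line in map_text.splitlines()
        if line.strip() and line.split()[0].lower() != host
    ]
    kept.append(f"{host} {backend}")
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Constructed sample input, modelled on the hosts.map shown in the thread.
    current = "front1.domain be_domain1\nfront2.domain be_domain2\n"
    print(update_map(current, "front1.domain", "be_wp1"), end="")
    print("\n".join(wp_config_lines("front1.domain.local")))
```

Re-running it for a host that is already mapped replaces the entry instead of appending a duplicate, so it is safe to call from a configuration-management run.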



Re: Apache Proxypass mimicing ?

2021-02-21 Thread Igor Cicimov
> But if I do some configuration tweaks in "wp-config.php", like adding the
> following two lines :
> define('WP_HOME', 'https://front1.domain.local');
> define('WP_SITEURL', 'https://front1.domain.local');
>
> It seems to work correctly.
>
> It is not an acceptable solution however, as these WP instances will be
> managed by people who are not really tech-savvy.
>
> So I wonder if HAProxy could provide a setup with all the required
> modifications, rewritings, ... allowing both worlds to coexist in a
> transparent way :
> - usable WP site while browsing the "real" URLs from the backend
> - usable WP site while browsing through HAProxy.
>
> Right now WP is my concern, but I am sure this is a reusable "pattern" for
> future needs.
>
> Regards
>

This is a requirement for most apps behind a reverse proxy -- you simply
have to tell the app that it is behind a reverse proxy so it can set
correct links where needed.

In your case if you google for "wordpress behind reverse proxy" I'm sure
you'll get a ton of resources that can point you in the right direction for
your use case like using X-FORWARD headers for example or whatever suits
you.

Re: Apache Proxypass mimicing ?

2021-02-19 Thread spfma.t...@e.mail.fr
[000f:0010]: expires: Wed, 11 Jan 1984 05:00:00 GMT
:back1.srvhdr[000f:0010]: cache-control: no-cache, must-revalidate, 
max-age=0
:back1.srvhdr[000f:0010]: x-redirect-by: WordPress
:back1.srvhdr[000f:0010]: location: 
https://back1.domain.local:8000/wp-login.php?redirect_to=https%3A%2F%2Ffront1.domain.local%2Fwp-admin%2F=1
:back1.srvhdr[000f:0010]: content-length: 0
:back1.srvhdr[000f:0010]: content-type: text/html; charset=UTF-8
:back1.srvcls[000f:0010]
:back1.clicls[000f:0010]
:back1.closed[000f:0010]
[ALERT] 049/083340 (175851) : sendmsg()/writev() failed in logger #1: No such 
file or directory (errno=2)
0001:FE-https.accept(0009)=000f from [192.168.56.1:1446] ALPN=

---

But if I do some configuration tweaks in "wp-config.php", like adding the 
following two lines :
define('WP_HOME', 'https://front1.domain.local');
define('WP_SITEURL', 'https://front1.domain.local');

It seems to work correctly.

It is not an acceptable solution however, as these WP instances will be managed 
by people who are not really tech-savvy.

So I wonder if HAProxy could provide a setup with all the required 
modifications, rewritings, ... allowing both worlds to coexist in a transparent 
way :
- usable WP site while browsing the "real" URLs from the backend 
- usable WP site while browsing through HAProxy.

Right now WP is my concern, but I am sure this is a reusable "pattern" for 
future needs.

Regards
  



- Original Message -
From: "Aleksandar Lazic" 
To: "spfma tech" , haproxy@formilux.org
Sent: Thursday 18 February 2021 16:34:18
Subject: Re: Apache Proxypass mimicing ?

HI.

On 18.02.21 10:12, spfma.t...@e.mail.fr wrote:
> Hi,
> I would like to setup a reverse proxy with SSL termination to allow something 
> like :

> https://front1.domain proxying http://back1.otherdomain:8000 (and maybe one 
> day back2)
> https://front2.domain proxying http://back3.otherdomain:5000
 >
> Common things I already configured using Apache's mod_proxy.
> I am not an HAProxy expert, I only used it in tcp mode for simple and 
> efficient load balancing.

I would suggest to take a look into the following articles.

https://www.haproxy.com/blog/how-to-map-domain-names-to-backend-server-pools-with-haproxy/
https://www.haproxy.com/blog/introduction-to-haproxy-maps/

> I have read this very interesting article 
> https://www.haproxy.com/fr/blog/howto-write-apache-proxypass-rules-in-haproxy/
>  
> but it seems directives belong to former versions, and I was not able to get 
> the expected result.
 >
> One of my important use-case is Apache backends hosting WordPress.
> There are numerous examples here and there, but I always end with URLs like 
> https://front1.domain/wp-admin 
> redirected to http://front1.domain:8000/wp-admin or 
> https://back1.otherdomain:8000/wp-admin aso ...
 >
> I know WP is redirecting to URLs related to its configured URLs, so I guess 
> some 
> headers rewriting are required, but I don't know how to do that.
> I am looking for a generic way to perform the required rewrites, without 
> depending 
> on fixed URL patterns. Is it only possible with HAProxy ? Some very old posts 
> suggested it was not, but they were from around nine years ago.
> I have not been able to find answers so far (some search results show 
> appealing 
> descriptions but sites are not responding) so I am looking for some help here.

Well you will need some pattern that the computer can follow.

For example based on which criteria should a program know what it should do on 
the URL?

Request: https://front1.domain/wp-admin

Redirect to http://front1.domain:8000/wp-admin when what happens?
Send request to https://back1.otherdomain:8000/wp-admin when what happens?

I would start with that config 
https://github.com/Tyrell66/SoHo/blob/master/haproxy-2020.05.02.cfg

Here a slightly adapted version.


```
frontend http-in
   bind *:80

   # Prevent DDoS
   stick-table type ip size 100k expire 30s store http_req_rate(10s)
   http-request track-sc0 src
   http-request deny deny_status 429 if { sc_http_req_rate(0) gt 20 }

   http-request add-header X-Forwarded-Proto http
   redirect scheme https if !{ ssl_fc }


frontend https-in
   # /etc/haproxy/certs/ contains both .pem for default and second domain names.
   bind *:443 ...

   http-response replace-header Location ^http://(.*)$ https://\1
   http-request add-header X-Forwarded-Proto https

   http-request set-header X-Forwarded-Proto https
   http-request set-header X-Forwarded-Port 443
   capture request header X-Forwarded-For len 15

   # Strip off Proxy headers to prevent HTTpoxy (https://httpoxy.org/)
   http-request del-header Proxy

   ## Secure headers https://blog.devcloud.hosting/securing-haproxy-and-nginx-via-http
```

Re: Apache Proxypass mimicing ?

2021-02-18 Thread Aleksandar Lazic

HI.

On 18.02.21 10:12, spfma.t...@e.mail.fr wrote:

Hi,
I would like to setup a reverse proxy with SSL termination to allow something 
like :



https://front1.domain proxying http://back1.otherdomain:8000 (and maybe one day 
back2)
https://front2.domain proxying http://back3.otherdomain:5000

>

Common things I already configured using Apache's mod_proxy.
I am not an HAProxy expert, I only used it in tcp mode for simple and efficient 
load balancing.


I would suggest to take a look into the following articles.

https://www.haproxy.com/blog/how-to-map-domain-names-to-backend-server-pools-with-haproxy/
https://www.haproxy.com/blog/introduction-to-haproxy-maps/

I have read this very interesting article https://www.haproxy.com/fr/blog/howto-write-apache-proxypass-rules-in-haproxy/ 
but it seems directives belong to former versions, and I was not able to get the expected result.

>

One of my important use-case is Apache backends hosting WordPress.
There are numerous examples here and there, but I always end with URLs like https://front1.domain/wp-admin 
redirected to http://front1.domain:8000/wp-admin or https://back1.otherdomain:8000/wp-admin aso ...

>
I know WP is redirecting to URLs related to its configured URLs, so I guess some 
headers rewriting are required, but I don't know how to do that.
I am looking for a generic way to perform the required rewrites, without depending 
on fixed URL patterns. Is it only possible with HAProxy ? Some very old posts 
suggested it was not, but they were from around nine years ago.
I have not been able to find answers so far (some search results show appealing 
descriptions but sites are not responding) so I am looking for some help here.


Well you will need some pattern that the computer can follow.

For example based on which criteria should a program know what it should do on 
the URL?

Request: https://front1.domain/wp-admin

Redirect to http://front1.domain:8000/wp-admin when what happens?
Send request to https://back1.otherdomain:8000/wp-admin when what happens?

I would start with that config 
https://github.com/Tyrell66/SoHo/blob/master/haproxy-2020.05.02.cfg

Here a slightly adapted version.


```
frontend http-in
  bind *:80

  # Prevent DDoS
  stick-table type ip size 100k expire 30s store http_req_rate(10s)
  http-request track-sc0 src
  http-request deny deny_status 429 if { sc_http_req_rate(0) gt 20 }

  http-request add-header X-Forwarded-Proto http
  redirect scheme https if !{ ssl_fc }


frontend https-in
  # /etc/haproxy/certs/ contains both .pem for default and second domain names.
  bind *:443 ...

  # Rewrite plain-http redirects from the backend to https
  http-response replace-header Location ^http://(.*)$ https://\1
  http-request add-header X-Forwarded-Proto https

  # set-header replaces any X-Forwarded-* value already present on the request
  http-request set-header X-Forwarded-Proto https
  http-request set-header X-Forwarded-Port 443
  capture request header X-Forwarded-For len 15

  # Strip off Proxy headers to prevent HTTpoxy (https://httpoxy.org/)
  http-request del-header Proxy

  ## Secure headers https://blog.devcloud.hosting/securing-haproxy-and-nginx-via-http-headers-54020d460283
  ## Test your config with https://securityheaders.com/
  ## and https://observatory.mozilla.org/

  http-response set-header X-XSS-Protection 1;mode=block
  http-response set-header X-Content-Type-Options nosniff
  http-response set-header Referrer-Policy no-referrer-when-downgrade
  http-response set-header X-Frame-Options SAMEORIGIN
  http-response del-header X-Powered-By
  http-response del-header Server


  # This line is for HSTS:
  http-response set-header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;"


  # Pick the backend from the Host header; be_static is the default
  use_backend %[req.hdr(host),lower,map(hosts.map,be_static)]

backend be_static
  server default_static xxx.xxx.xx

backend be_domain1
  http-request replace-uri ^/gc/(.*) /guacamole/\1
  # A server address is host:port only; the path is handled by replace-uri above
  server host1 192.168.1.13:58080

...

```

file hosts.map
```
front1.domain be_domain1
front2.domain be_domain2

```

You can also set maps for path and host with ports.
As you can see HAProxy should be able to fulfill your requirement as long as 
you can define it for you and the program/Computer ;-)

Maybe this article could also help you to protect the WP installations from 
attacks.
https://www.haproxy.com/blog/wordpress-cms-brute-force-protection-with-haproxy/


Thanks


Welcome

Alex