Re: Haproxy 1.4 url redirection issue

2014-03-07 Thread Baptiste
Amol,

The second log lines clearly show that your application server is
redirecting your user :)

Baptiste

On Thu, Mar 6, 2014 at 4:53 AM, Amol  wrote:
> so after looking at haproxy logs i noticed 2 things
>
> if i type www.xx.com there is 1 log entry
>
> haproxy[26387]: xx.11.11.118:62704 [05/Mar/2014:22:48:02.264] http-in
> if-https/if1-app 10734/0/0/403/11137 200 10448 - - --VN 20/20/3/1/0 0/0 "GET
> / HTTP/1.1"
>
>
> but when i type xx.com i see 2 log entries, that means a url redirection is
> taking place?
>
> haproxy[26387]: xx.11.11.118:62681 [05/Mar/2014:22:48:50.075] http-in
> if-http/if1-app 15670/0/0/265/15935 301 342 - - --VN 17/17/0/1/0 0/0 "GET /
> HTTP/1.1"
> haproxy[26387]: xx.xx.xx.240:54320 [05/Mar/2014:22:48:51.271] http-in
> if-https/if1-app 14872/0/1/417/15290 200 10448 - - --VN 18/18/1/1/0 0/0 "GET
> / HTTP/1.1"
>
>
>
> some parts of my config file..
>
> frontend http-in
> bind :80 name http
> bind :8000 name https # forwarded by stunnel
> acl host_xx hdr(host) -i xx.com
> use_backend if-http if host_if
> default_backend if-https
>
> backend if-http
>
> acl secure dst_port eq 8000
> acl login_page path_beg  /exzact
>
> redirect prefix https://xx.com if login_page !secure
>
>
>
>
>
> On Wednesday, March 5, 2014 4:08 PM, Amol  wrote:
> Hi Neil,
> I tried something similar, by putting the servername and setting
> UseCanonicalName On...
> but what i observe is that when i access my website with just xx.com in the
> browser, it directs to https://www.xx.com
> but if i start fresh and access my website with www.xx.com and the next
> subsequent requests with xx.com always go to www.xx.com
>
> any clue?
>
> here is the apache default.conf
> 
> ServerAdmin webmaster@localhost
> ServerName  www.xxx.com
>
> DocumentRoot /var/www
> 
> Options FollowSymLinks
> AllowOverride All
> 
> 
> setenv HTTPS on
> Options FollowSymLinks MultiViews
> AllowOverride All
> Order allow,deny
> allow from all
> 
>
> ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
> 
> AllowOverride None
> Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
> Order allow,deny
> Allow from all
> 
>
> ErrorLog /var/log/apache2/error.log
>
> # Possible values include: debug, info, notice, warn, error, crit,
> # alert, emerg.
> LogLevel warn
> ServerSignature Off
> UseCanonicalName On
>
> SetEnvIf Request_URI "^/check\.txt$" dontlog
> CustomLog /var/log/apache2/access.log combined env=!dontlog
>
> Alias /doc/ "/usr/share/doc/"
> 
> Options MultiViews FollowSymLinks
> AllowOverride None
> Order deny,allow
> Deny from all
> Allow from 127.0.0.0/255.0.0.0 ::1/128
> 
>
> 
>
>
>
>
> On Monday, March 3, 2014 5:16 AM, Neil - HAProxy List
>  wrote:
> Hello Amol
>
> Here is an example of the sort of thing I use
>
> The 3 important things for are
>   ServerName https://servicename.domain.com:443
>   SetEnv HTTPS on
>   UseCanonicalName On
>
>
> 
>   ServerName https://servicename.domain.com:443
>
>   ## Vhost docroot
>   DocumentRoot /var/www/
>
>   ## Directories, there should at least be a declaration for /var/www
>
>   
> Options Indexes ExecCGI
> AllowOverride None
> Order allow,deny
> Allow from all
>   
>
>   ## Logging
>   LogLevel warn
>   ServerSignature Off
>
>
>   ## Custom fragment
>   # This tricks PHP into believing the script was accessed over SSL
>   SetEnv HTTPS on
>
>   DirectoryIndex index.php
>   UseCanonicalName On
>
>   ErrorLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_error.log
> /var/log/apache2/%Y/servicename_error-%Y%m%d.log"
>
>   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
> direct
>   LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\"
> \"%{User-Agent}i\"" proxied
>   SetEnvIf Remote_Addr "^" direct # make it always set
>   SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" !direct
>   SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" proxied
>   SetEnvIf Request_URI "^/healthcheck$" !direct
>
>   # keep these SetEnvIf Request_URI "^/healthcheck$" !proxied
>   CustomLog "|/usr/bin/cronolog --link
> /var/log/apache2/servicename_directaccess
> /var/log/apache2/%Y/servicename_directaccess-%Y%m%d.log" direct env=direct
>   CustomLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_access
> /var/log/apache2/%Y/servicename_access-%Y%m%d.log" proxied env=proxied
>
> 
>
> I like to log traffic from the loadbal separately to traffic from the public
> and I ignore /healthcheck from the loadbal but not from others.  You'll need
> to tell haproxy to "option forwardfor". Also using cronolog.
>
> Neil
>
>
> On 1 March 2014 15:27, Baptiste  wrote:
>
> Hi
>
> More chance to get an answer from Apache 2.2 and wordpress people...
>
> Baptiste
>
> On Fri, Feb 28, 2014 at 4:12 PM, Amol  wrote:
>> well
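
The log reading Baptiste describes can be automated. The following is an added example, not code from the thread or from HAProxy: it parses HAProxy HTTP-format log lines and reports whether each 3xx came from a backend server (a server name and a non-negative response time are logged) or was generated by HAProxy itself (`<NOSRV>`, no server response time). The sample lines are constructed, modelled on the lines in the thread, with addresses from 192.0.2.0/24.

```python
import re

# HAProxy HTTP log format: client, accept date, frontend, backend/server,
# Tq/Tw/Tc/Tr/Tt timers, status, bytes, two cookie captures, termination
# state, connection counters, queue counters, request line.
LOG_RE = re.compile(
    r'haproxy\[(?P<pid>\d+)\]: '
    r'(?P<client>\S+):(?P<cport>\d+) '
    r'\[(?P<accept>[^\]]+)\] '
    r'(?P<frontend>\S+) '
    r'(?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<tq>-?\d+)/(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tr>-?\d+)/(?P<tt>\+?\d+) '
    r'(?P<status>\d{3}) (?P<bytes>\+?\d+) '
    r'(?P<req_cookie>\S+) (?P<resp_cookie>\S+) '
    r'(?P<term>\S{4}) '
    r'\S+ \S+ '
    r'"(?P<request>[^"]*)"'
)


def parse_line(line):
    """Return a dict of fields for one HTTP log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    for key in ("tq", "tw", "tc", "tr", "status"):
        entry[key] = int(entry[key])
    return entry


def redirect_origin(entry):
    """Classify a 3xx response: 'server', 'haproxy', or None for non-redirects."""
    if not 300 <= entry["status"] < 400:
        return None
    # No server was reached, or no response was ever received from one:
    # the redirect can only have been produced by the proxy (a redirect rule).
    if entry["server"] == "<NOSRV>" or entry["tr"] < 0:
        return "haproxy"
    # A named server answered within Tr milliseconds: the application behind
    # the proxy sent the 3xx (for example a canonical-host redirect).
    return "server"


def find_redirects(lines):
    """Return (status, backend/server, origin, request) for every redirect seen."""
    found = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        origin = redirect_origin(entry)
        if origin is not None:
            found.append((entry["status"],
                          entry["backend"] + "/" + entry["server"],
                          origin,
                          entry["request"]))
    return found


# Constructed sample input (not real traffic).
SAMPLE_LOG = [
    'haproxy[26387]: 192.0.2.10:62704 [05/Mar/2014:22:48:02.264] http-in '
    'if-https/if1-app 10734/0/0/403/11137 200 10448 - - --VN 20/20/3/1/0 0/0 '
    '"GET / HTTP/1.1"',
    'haproxy[26387]: 192.0.2.10:62681 [05/Mar/2014:22:48:50.075] http-in '
    'if-http/if1-app 15670/0/0/265/15935 301 342 - - --VN 17/17/0/1/0 0/0 '
    '"GET / HTTP/1.1"',
    'haproxy[26387]: 192.0.2.10:62690 [05/Mar/2014:22:49:10.100] http-in '
    'if-http/<NOSRV> 3/-1/-1/-1/3 302 121 - - PR-- 5/5/0/0/0 0/0 '
    '"GET /exzact HTTP/1.1"',
]

if __name__ == "__main__":
    for status, target, origin, request in find_redirects(SAMPLE_LOG):
        print(status, target, origin, request)
```
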

Re: Haproxy 1.4 url redirection issue

2014-03-05 Thread Amol
so after looking at haproxy logs i noticed 2 things

if i type www.xx.com there is 1 log entry

haproxy[26387]: xx.11.11.118:62704 [05/Mar/2014:22:48:02.264] http-in 
if-https/if1-app 10734/0/0/403/11137 200 10448 - - --VN 20/20/3/1/0 0/0 "GET / 
HTTP/1.1"


but when i type xx.com i see 2 log entries, that means a url redirection is 
taking place?

haproxy[26387]: xx.11.11.118:62681 [05/Mar/2014:22:48:50.075] http-in 
if-http/if1-app 15670/0/0/265/15935 301 342 - - --VN 17/17/0/1/0 0/0 "GET / 
HTTP/1.1"
haproxy[26387]: xx.xx.xx.240:54320 [05/Mar/2014:22:48:51.271] http-in 
if-https/if1-app 14872/0/1/417/15290 200 10448 - - --VN 18/18/1/1/0 0/0 "GET / 
HTTP/1.1"



some parts of my config file..

frontend http-in
    bind :80 name http
    bind :8000 name https # forwarded by stunnel
    acl host_xx hdr(host) -i xx.com
    use_backend if-http if host_if
    default_backend if-https

backend if-http
    acl secure dst_port eq 8000
    acl login_page path_beg  /exzact
    redirect prefix https://xx.com if login_page !secure







On Wednesday, March 5, 2014 4:08 PM, Amol  wrote:
 
Hi Neil,
I tried something similar, by putting the servername and setting 
UseCanonicalName On...
but what i observe is that when i access my website with just xx.com in the 
browser, it directs to https://www.xx.com

but if i start fresh and access my website with www.xx.com and the next 
subsequent requests with xx.com always go to www.xx.com


any clue?


here is the apache default.conf


    ServerAdmin webmaster@localhost
    ServerName  www.xxx.com

    DocumentRoot /var/www
    
        Options FollowSymLinks
        AllowOverride All
    
    
        setenv HTTPS on
        Options FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    ServerSignature Off
    UseCanonicalName On

    SetEnvIf Request_URI "^/check\.txt$" dontlog
    CustomLog /var/log/apache2/access.log combined env=!dontlog

    Alias /doc/ "/usr/share/doc/"
    
    Options MultiViews FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128
    







On Monday, March 3, 2014 5:16 AM, Neil - HAProxy List 
 wrote:
 
Hello Amol


Here is an example of the sort of thing I use


The 3 important things for are
  ServerName https://servicename.domain.com:443
  SetEnv HTTPS on
  UseCanonicalName On




  ServerName https://servicename.domain.com:443

  ## Vhost docroot
  DocumentRoot /var/www/

  ## Directories, there should at least be a declaration for /var/www

  
    Options Indexes ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
  

  ## Logging
  LogLevel warn
  ServerSignature Off


  ## Custom fragment
  # This tricks PHP into believing the script was accessed over SSL
  SetEnv HTTPS on

  DirectoryIndex index.php
  UseCanonicalName On

  ErrorLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_error.log 
/var/log/apache2/%Y/servicename_error-%Y%m%d.log"

  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" 
direct 
  LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" 
\"%{User-Agent}i\"" proxied
  SetEnvIf Remote_Addr "^" direct # make it always set
  SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" !direct
  SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" proxied
  SetEnvIf Request_URI "^/healthcheck$" !direct

  # keep these SetEnvIf Request_URI "^/healthcheck$" !proxied
  CustomLog "|/usr/bin/cronolog --link 
/var/log/apache2/servicename_directaccess 
/var/log/apache2/%Y/servicename_directaccess-%Y%m%d.log" direct env=direct
  CustomLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_access 
/var/log/apache2/%Y/servicename_access-%Y%m%d.log" proxied env=proxied




I like to log traffic from the loadbal separately to traffic from the public 
and I ignore /healthcheck from the loadbal but not from others.  You'll need to 
tell haproxy to "option forwardfor". Also using cronolog.


Neil




On 1 March 2014 15:27, Baptiste  wrote:

Hi
>
>More chance to get an answer from Apache 2.2 and wordpress people...
>
>Baptiste
>
>
>On Fri, Feb 28, 2014 at 4:12 PM, Amol  wrote:
>> well the application behind haproxy in this case is wordpress on apache2.2,
>> any settings there?
>>
>>
>>
>>
>> On Friday, February 28, 2014 4:57 AM, Baptiste  wrote:
>> It may not fix the issue.
>> But at least the configuration will do what you expect from it...
>>
>> That said, the issue may be in the application too :)
>> It is commonly seen that applications don't behave properly when SSL
>> offloading is en

Re: Haproxy 1.4 url redirection issue

2014-03-05 Thread Amol
Hi Neil,
I tried something similar, by putting the servername and setting 
UseCanonicalName On...
but what i observe is that when i access my website with just xx.com in the 
browser, it directs to https://www.xx.com

but if i start fresh and access my website with www.xx.com and the next 
subsequent requests with xx.com always go to www.xx.com


any clue?


here is the apache default.conf


    ServerAdmin webmaster@localhost
    ServerName  www.xxx.com

    DocumentRoot /var/www
    
        Options FollowSymLinks
        AllowOverride All
    
    
        setenv HTTPS on
        Options FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    
        AllowOverride None
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    ServerSignature Off
    UseCanonicalName On

    SetEnvIf Request_URI "^/check\.txt$" dontlog
    CustomLog /var/log/apache2/access.log combined env=!dontlog

    Alias /doc/ "/usr/share/doc/"
    
    Options MultiViews FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128
    







On Monday, March 3, 2014 5:16 AM, Neil - HAProxy List 
 wrote:
 
Hello Amol


Here is an example of the sort of thing I use


The 3 important things for are
  ServerName https://servicename.domain.com:443
  SetEnv HTTPS on
  UseCanonicalName On




  ServerName https://servicename.domain.com:443

  ## Vhost docroot
  DocumentRoot /var/www/

  ## Directories, there should at least be a declaration for /var/www

  
    Options Indexes ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
  

  ## Logging
  LogLevel warn
  ServerSignature Off


  ## Custom fragment
  # This tricks PHP into believing the script was accessed over SSL
  SetEnv HTTPS on

  DirectoryIndex index.php
  UseCanonicalName On

  ErrorLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_error.log 
/var/log/apache2/%Y/servicename_error-%Y%m%d.log"

  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" 
direct 
  LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" 
\"%{User-Agent}i\"" proxied
  SetEnvIf Remote_Addr "^" direct # make it always set
  SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" !direct
  SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" proxied
  SetEnvIf Request_URI "^/healthcheck$" !direct

  # keep these SetEnvIf Request_URI "^/healthcheck$" !proxied
  CustomLog "|/usr/bin/cronolog --link 
/var/log/apache2/servicename_directaccess 
/var/log/apache2/%Y/servicename_directaccess-%Y%m%d.log" direct env=direct
  CustomLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_access 
/var/log/apache2/%Y/servicename_access-%Y%m%d.log" proxied env=proxied




I like to log traffic from the loadbal separately to traffic from the public 
and I ignore /healthcheck from the loadbal but not from others.  You'll need to 
tell haproxy to "option forwardfor". Also using cronolog.


Neil




On 1 March 2014 15:27, Baptiste  wrote:

Hi
>
>More chance to get an answer from Apache 2.2 and wordpress people...
>
>Baptiste
>
>
>On Fri, Feb 28, 2014 at 4:12 PM, Amol  wrote:
>> well the application behind haproxy in this case is wordpress on apache2.2,
>> any settings there?
>>
>>
>>
>>
>> On Friday, February 28, 2014 4:57 AM, Baptiste  wrote:
>> It may not fix the issue.
>> But at least the configuration will do what you expect from it...
>>
>> That said, the issue may be in the application too :)
>> It is commonly seen that applications don't behave properly when SSL
>> offloading is enabled in front of them.
>>
>> Baptiste
>>
>>
>> On Thu, Feb 27, 2014 at 4:16 PM, Amol  wrote:
>>> Thanks Baptiste, let me give that a try
>>>
>>>
>>>
>>> On Thursday, February 27, 2014 9:37 AM, Baptiste  wrote:
>>> Hi Amol,
>>>
>>> There are a few improvements you can do.
>>> First update your frontend acl to:
>>>  acl host_xx hdr(host) -i xx.com
>>>
>>> then in your backend, this ACL should never match: "acl login_page
>>> url_beg  /xyz"
>>> replace url_beg by path_beg.
>>>
>>> Your problem is not there as well.
>>> I think your application server is sending hardcoded data or Location
>>> headers.
>>> analyzing the body of the pages and HAProxy logs may help here.
>>>
>>> Baptiste
>>>
>>>
>>>
>>> On Tue, Feb 25, 2014 at 4:56 PM, Amol  wrote:
 Hi i am using HA-Proxy version 1.4.12 and i have an issue trying to
 redirect
 my website to "http"
 requirement : when a user types in http://.com he should
 not
 be redirected to https://.com
 currently it does that and some of the video links on our main page do
 not
 work (basically vimeo has http links while our page is https so it t

Re: Haproxy 1.4 url redirection issue

2014-03-03 Thread Neil - HAProxy List
Hello Amol

Here is an example of the sort of thing I use

The 3 important things for are
  ServerName https://servicename.domain.com:443
  SetEnv HTTPS on
  UseCanonicalName On



  ServerName https://servicename.domain.com:443

  ## Vhost docroot
  DocumentRoot /var/www/

  ## Directories, there should at least be a declaration for /var/www

  
Options Indexes ExecCGI
AllowOverride None
Order allow,deny
Allow from all
  

  ## Logging
  LogLevel warn
  ServerSignature Off


  ## Custom fragment
  # This tricks PHP into believing the script was accessed over SSL
  SetEnv HTTPS on

  DirectoryIndex index.php
  UseCanonicalName On

  ErrorLog "|/usr/bin/cronolog --link
/var/log/apache2/servicename_error.log
/var/log/apache2/%Y/servicename_error-%Y%m%d.log"

  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
direct
  LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\"
\"%{User-Agent}i\"" proxied
  SetEnvIf Remote_Addr "^" direct # make it always set
  SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" !direct
  SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" proxied
  SetEnvIf Request_URI "^/healthcheck$" !direct

  # keep these SetEnvIf Request_URI "^/healthcheck$" !proxied
  CustomLog "|/usr/bin/cronolog --link
/var/log/apache2/servicename_directaccess
/var/log/apache2/%Y/servicename_directaccess-%Y%m%d.log" direct env=direct
  CustomLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_access
/var/log/apache2/%Y/servicename_access-%Y%m%d.log" proxied env=proxied



I like to log traffic from the loadbal separately to traffic from the
public and I ignore /healthcheck from the loadbal but not from others.
You'll need to tell haproxy to "option forwardfor". Also using cronolog.

Neil


On 1 March 2014 15:27, Baptiste  wrote:

> Hi
>
> More chance to get an answer from Apache 2.2 and wordpress people...
>
> Baptiste
>
> On Fri, Feb 28, 2014 at 4:12 PM, Amol  wrote:
> > well the application behind haproxy in this case is wordpress on
> apache2.2,
> > any settings there?
> >
> >
> >
> >
> > On Friday, February 28, 2014 4:57 AM, Baptiste  wrote:
> > It may not fix the issue.
> > But at least the configuration will do what you expect from it...
> >
> > That said, the issue may be in the application too :)
> > It is commonly seen that applications don't behave properly when SSL
> > offloading is enabled in front of them.
> >
> > Baptiste
> >
> >
> > On Thu, Feb 27, 2014 at 4:16 PM, Amol  wrote:
> >> Thanks Baptiste, let me give that a try
> >>
> >>
> >>
> >> On Thursday, February 27, 2014 9:37 AM, Baptiste 
> wrote:
> >> Hi Amol,
> >>
> >> There are a few improvements you can do.
> >> First update your frontend acl to:
> >>  acl host_xx hdr(host) -i xx.com
> >>
> >> then in your backend, this ACL should never match: "acl login_page
> >> url_beg  /xyz"
> >> replace url_beg by path_beg.
> >>
> >> Your problem is not there as well.
> >> I think your application server is sending hardcoded data or Location
> >> headers.
> >> analyzing the body of the pages and HAProxy logs may help here.
> >>
> >> Baptiste
> >>
> >>
> >>
> >> On Tue, Feb 25, 2014 at 4:56 PM, Amol  wrote:
> >>> Hi i am using HA-Proxy version 1.4.12 and i have an issue trying to
> >>> redirect
> >>> my website to "http"
> >>> requirement : when a user types in http://.com he should
> >>> not
> >>> be redirected to https://.com
> >>> currently it does that and some of the video links on our main page do
> >>> not
> >>> work (basically vimeo has http links while our page is https so it
> throws
> >>> a
> >>> security exception)
> >>>
> >>> at the same time we need users with http://.com/xyz to
> be
> >>> redirected to https://.com/xyz (this helps users login
> to
> >>> secure application)
> >>>
> >>> so under my current configurations i cannot get the first part to work,
> >>> basically (www..com works and stays http but when i type
> >>> http://.com it does a redirection to https)
> >>>
> >>> frontend http-in
> >>>bind xx.xx.xx.xx:80 name http
> >>>bind 10.xx.xx.xx:8000 name https # forwarded by stunnel
> >>>
> >>>acl host_xx hdr_beg(host) -i xx.com
> >>>use_backend xx-http if host_xx
> >>>default_backend xx-https
> >>>
> >>> backend xx-http
> >>>balance roundrobin
> >>>cookie BALANCEID insert indirect nocache
> >>>option http-server-close
> >>>option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
> >>>server xx-app1 xx.xx.xx.xx:80 cookie A check
> >>>server xx-app6 xx.xx.xx.xx:80 cookie B check backup
> >>>acl secure dst_port eq 8000
> >>>acl login_page url_beg  /xyz
> >>>redirect prefix https://xx.com if login_page !secure
> >>>
> >>> backend xx-https
> >>>mode http
> >>>balance roundrobin
> >>>cookie BALANCEID insert indirect nocache
> >>>option http-server-close
> >>># option forwardfor except 127.0.0.1
> >>>option httpchk OPTIONS /check.

Re: Haproxy 1.4 url redirection issue

2014-03-01 Thread Baptiste
Hi

More chance to get an answer from Apache 2.2 and wordpress people...

Baptiste

On Fri, Feb 28, 2014 at 4:12 PM, Amol  wrote:
> well the application behind haproxy in this case is wordpress on apache2.2,
> any settings there?
>
>
>
>
> On Friday, February 28, 2014 4:57 AM, Baptiste  wrote:
> It may not fix the issue.
> But at least the configuration will do what you expect from it...
>
> That said, the issue may be in the application too :)
> It is commonly seen that applications don't behave properly when SSL
> offloading is enabled in front of them.
>
> Baptiste
>
>
> On Thu, Feb 27, 2014 at 4:16 PM, Amol  wrote:
>> Thanks Baptiste, let me give that a try
>>
>>
>>
>> On Thursday, February 27, 2014 9:37 AM, Baptiste  wrote:
>> Hi Amol,
>>
>> There are a few improvements you can do.
>> First update your frontend acl to:
>>  acl host_xx hdr(host) -i xx.com
>>
>> then in your backend, this ACL should never match: "acl login_page
>> url_beg  /xyz"
>> replace url_beg by path_beg.
>>
>> Your problem is not there as well.
>> I think your application server is sending hardcoded data or Location
>> headers.
>> analyzing the body of the pages and HAProxy logs may help here.
>>
>> Baptiste
>>
>>
>>
>> On Tue, Feb 25, 2014 at 4:56 PM, Amol  wrote:
>>> Hi i am using HA-Proxy version 1.4.12 and i have an issue trying to
>>> redirect
>>> my website to "http"
>>> requirement : when a user types in http://.com he should
>>> not
>>> be redirected to https://.com
>>> currently it does that and some of the video links on our main page do
>>> not
>>> work (basically vimeo has http links while our page is https so it throws
>>> a
>>> security exception)
>>>
>>> at the same time we need users with http://.com/xyz to be
>>> redirected to https://.com/xyz (this helps users login to
>>> secure application)
>>>
>>> so under my current configurations i cannot get the first part to work,
>>> basically (www..com works and stays http but when i type
>>> http://.com it does a redirection to https)
>>>
>>> frontend http-in
>>>bind xx.xx.xx.xx:80 name http
>>>bind 10.xx.xx.xx:8000 name https # forwarded by stunnel
>>>
>>>acl host_xx hdr_beg(host) -i xx.com
>>>use_backend xx-http if host_xx
>>>default_backend xx-https
>>>
>>> backend xx-http
>>>balance roundrobin
>>>cookie BALANCEID insert indirect nocache
>>>option http-server-close
>>>option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>>>server xx-app1 xx.xx.xx.xx:80 cookie A check
>>>server xx-app6 xx.xx.xx.xx:80 cookie B check backup
>>>acl secure dst_port eq 8000
>>>acl login_page url_beg  /xyz
>>>redirect prefix https://xx.com if login_page !secure
>>>
>>> backend xx-https
>>>mode http
>>>balance roundrobin
>>>cookie BALANCEID insert indirect nocache
>>>option http-server-close
>>># option forwardfor except 127.0.0.1
>>>option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>>>server xx-app1 xx.xx.xx.xx:80 cookie s1 weight 1 maxconn 5000
>>> check
>>>server xx-app6 xx.xx.xx.xx:80 cookie s2 weight 1 maxconn 5000
>>> check
>>> backup
>>>
>>> any suggestions?
>>>
>>
>>
>>
>
>
>



Re: Haproxy 1.4 url redirection issue

2014-02-28 Thread Amol
well the application behind haproxy in this case is wordpress on apache2.2, any 
settings there?





On Friday, February 28, 2014 4:57 AM, Baptiste  wrote:
 
It may not fix the issue.
But at least the configuration will do what you expect from it...

That said, the issue may be in the application too :)
It is commonly seen that applications don't behave properly when SSL
offloading is enabled in front of them.

Baptiste



On Thu, Feb 27, 2014 at 4:16 PM, Amol  wrote:
> Thanks Baptiste, let me give that a try
>
>
>
> On Thursday, February 27, 2014 9:37 AM, Baptiste  wrote:
> Hi Amol,
>
> There are a few improvements you can do.
> First update your frontend acl to:
>   acl host_xx hdr(host) -i xx.com
>
> then in your backend, this ACL should never match: "acl login_page
> url_beg  /xyz"
> replace url_beg by path_beg.
>
> Your problem is not there as well.
> I think your application server is sending hardcoded data or Location
> headers.
> analyzing the body of the pages and HAProxy logs may help here.
>
> Baptiste
>
>
>
> On Tue, Feb 25, 2014 at 4:56 PM, Amol  wrote:
>> Hi i am using HA-Proxy version 1.4.12 and i have an issue trying to
>> redirect
>> my website to "http"
>> requirement : when a user types in http://.com he should not
>> be redirected to https://.com
>> currently it does that and some of the video links on our main page do not
>> work (basically vimeo has http links while our page is https so it throws
>> a
>> security exception)
>>
>> at the same time we need users with http://.com/xyz to be
>> redirected to https://.com/xyz (this helps users login to
>> secure application)
>>
>> so under my current configurations i cannot get the first part to work,
>> basically (www..com works and stays http but when i type
>> http://.com it does a redirection to https)
>>
>> frontend http-in
>>        bind xx.xx.xx.xx:80 name http
>>        bind 10.xx.xx.xx:8000 name https # forwarded by stunnel
>>
>>        acl host_xx hdr_beg(host) -i xx.com
>>        use_backend xx-http if host_xx
>>        default_backend xx-https
>>
>> backend xx-http
>>        balance roundrobin
>>        cookie BALANCEID insert indirect nocache
>>        option http-server-close
>>        option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>>        server xx-app1 xx.xx.xx.xx:80 cookie A check
>>        server xx-app6 xx.xx.xx.xx:80 cookie B check backup
>>        acl secure dst_port eq 8000
>>        acl login_page url_beg  /xyz
>>        redirect prefix https://xx.com if login_page !secure
>>
>> backend xx-https
>>        mode http
>>        balance roundrobin
>>        cookie BALANCEID insert indirect nocache
>>        option http-server-close
>>        # option forwardfor except 127.0.0.1
>>        option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>>        server xx-app1 xx.xx.xx.xx:80 cookie s1 weight 1 maxconn 5000 check
>>        server xx-app6 xx.xx.xx.xx:80 cookie s2 weight 1 maxconn 5000 check
>> backup
>>
>> any suggestions?
>>
>
>
>

Re: Haproxy 1.4 url redirection issue

2014-02-28 Thread Amol
could it also be due to the apache settings on the application server where i 
have "setenv HTTPS on" ?



here is a snippet from my apache2 default.conf file


    ServerAdmin webmaster@localhost

    DocumentRoot /var/www
    
        Options FollowSymLinks
        AllowOverride All
    
    
        setenv HTTPS on
        Options FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    




On Friday, February 28, 2014 4:55 AM, Baptiste  wrote:
 
It may not fix the issue.
But at least the configuration will do what you expect from it...

That said, the issue may be in the application too :)
It is commonly seen that applications don't behave properly when SSL
offloading is enabled in front of them.

Baptiste



On Thu, Feb 27, 2014 at 4:16 PM, Amol  wrote:
> Thanks Baptiste, let me give that a try
>
>
>
> On Thursday, February 27, 2014 9:37 AM, Baptiste  wrote:
> Hi Amol,
>
> There are a few improvements you can do.
> First update your frontend acl to:
>   acl host_xx hdr(host) -i xx.com
>
> then in your backend, this ACL should never match: "acl login_page
> url_beg  /xyz"
> replace url_beg by path_beg.
>
> Your problem is not there as well.
> I think your application server is sending hardcoded data or Location
> headers.
> analyzing the body of the pages and HAProxy logs may help here.
>
> Baptiste
>
>
>
> On Tue, Feb 25, 2014 at 4:56 PM, Amol  wrote:
>> Hi i am using HA-Proxy version 1.4.12 and i have an issue trying to
>> redirect
>> my website to "http"
>> requirement : when a user types in http://.com he should not
>> be redirected to https://.com
>> currently it does that and some of the video links on our main page do not
>> work (basically vimeo has http links while our page is https so it throws
>> a
>> security exception)
>>
>> at the same time we need users with http://.com/xyz to be
>> redirected to https://.com/xyz (this helps users login to
>> secure application)
>>
>> so under my current configurations i cannot get the first part to work,
>> basically (www..com works and stays http but when i type
>> http://.com it does a redirection to https)
>>
>> frontend http-in
>>        bind xx.xx.xx.xx:80 name http
>>        bind 10.xx.xx.xx:8000 name https # forwarded by stunnel
>>
>>        acl host_xx hdr_beg(host) -i xx.com
>>        use_backend xx-http if host_xx
>>        default_backend xx-https
>>
>> backend xx-http
>>        balance roundrobin
>>        cookie BALANCEID insert indirect nocache
>>        option http-server-close
>>        option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>>        server xx-app1 xx.xx.xx.xx:80 cookie A check
>>        server xx-app6 xx.xx.xx.xx:80 cookie B check backup
>>        acl secure dst_port eq 8000
>>        acl login_page url_beg  /xyz
>>        redirect prefix https://xx.com if login_page !secure
>>
>> backend xx-https
>>        mode http
>>        balance roundrobin
>>        cookie BALANCEID insert indirect nocache
>>        option http-server-close
>>        # option forwardfor except 127.0.0.1
>>        option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>>        server xx-app1 xx.xx.xx.xx:80 cookie s1 weight 1 maxconn 5000 check
>>        server xx-app6 xx.xx.xx.xx:80 cookie s2 weight 1 maxconn 5000 check
>> backup
>>
>> any suggestions?
>>
>
>
>

Re: Haproxy 1.4 url redirection issue

2014-02-28 Thread Baptiste
It may not fix the issue.
But at least the configuration will do what you expect from it...

That said, the issue may be in the application too :)
It is commonly seen that applications don't behave properly when SSL
offloading is enabled in front of them.

Baptiste


On Thu, Feb 27, 2014 at 4:16 PM, Amol  wrote:
> Thanks Baptiste, let me give that a try
>
>
>
> On Thursday, February 27, 2014 9:37 AM, Baptiste  wrote:
> Hi Amol,
>
> There are a few improvements you can do.
> First update your frontend acl to:
>   acl host_xx hdr(host) -i xx.com
>
> then in your backend, this ACL should never match: "acl login_page
> url_beg  /xyz"
> replace url_beg by path_beg.
>
> Your problem is not there as well.
> I think your application server is sending hardcoded data or Location
> headers.
> analyzing the body of the pages and HAProxy logs may help here.
>
> Baptiste
>
>
>
> On Tue, Feb 25, 2014 at 4:56 PM, Amol  wrote:
>> Hi i am using HA-Proxy version 1.4.12 and i have an issue trying to
>> redirect
>> my website to "http"
>> requirement : when a user types in http://.com he should not
>> be redirected to https://.com
>> currently it does that and some of the video links on our main page do not
>> work (basically vimeo has http links while our page is https so it throws
>> a
>> security exception)
>>
>> at the same time we need users with http://.com/xyz to be
>> redirected to https://.com/xyz (this helps users login to
>> secure application)
>>
>> so under my current configurations i cannot get the first part to work,
>> basically (www..com works and stays http but when i type
>> http://.com it does a redirection to https)
>>
>> frontend http-in
>>bind xx.xx.xx.xx:80 name http
>>bind 10.xx.xx.xx:8000 name https # forwarded by stunnel
>>
>>acl host_xx hdr_beg(host) -i xx.com
>>use_backend xx-http if host_xx
>>default_backend xx-https
>>
>> backend xx-http
>>balance roundrobin
>>cookie BALANCEID insert indirect nocache
>>option http-server-close
>>option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>>server xx-app1 xx.xx.xx.xx:80 cookie A check
>>server xx-app6 xx.xx.xx.xx:80 cookie B check backup
>>acl secure dst_port eq 8000
>>acl login_page url_beg  /xyz
>>redirect prefix https://xx.com if login_page !secure
>>
>> backend xx-https
>>mode http
>>balance roundrobin
>>cookie BALANCEID insert indirect nocache
>>option http-server-close
>># option forwardfor except 127.0.0.1
>>option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>>server xx-app1 xx.xx.xx.xx:80 cookie s1 weight 1 maxconn 5000 check
>>server xx-app6 xx.xx.xx.xx:80 cookie s2 weight 1 maxconn 5000 check
>> backup
>>
>> any suggestions?
>>
>
>
>



Re: Haproxy 1.4 url redirection issue

2014-02-27 Thread Amol
Thanks Baptiste, let me give that a try





On Thursday, February 27, 2014 9:37 AM, Baptiste  wrote:
 
Hi Amol,

There are a few improvements you can make.
First update your frontend acl to:
  acl host_xx hdr(host) -i xx.com

then in your backend, this ACL should never match: "acl login_page
url_beg  /xyz"
replace url_beg by path_beg.

Your problem is not there as well.
I think your application server is sending hardcoded data or Location headers.
Analyzing the body of the pages and HAProxy logs may help here.

Baptiste




On Tue, Feb 25, 2014 at 4:56 PM, Amol  wrote:
> Hi i am using HA-Proxy version 1.4.12 and i have an issue trying to redirect
> my website to "http"
> requirement : when a user types in http://.com he should not
> be redirected to https://.com
> currently it does that and some of the video links on our main page do not
> work (basically vimeo has http links while our page is https so it throws a
> security exception)
>
> at the same time we need users with http://.com/xyz to be
> redirected to https://.com/xyz (this helps users login to
> secure application)
>
> so under my current configurations i cannot get the first part to work,
> basically (www..com works and stays http but when i type
> http://.com it does a redirection to https)
>
> frontend http-in
>         bind xx.xx.xx.xx:80 name http
>         bind 10.xx.xx.xx:8000 name https # forwarded by stunnel
>
>         acl host_xx hdr_beg(host) -i xx.com
>         use_backend xx-http if host_xx
>         default_backend xx-https
>
> backend xx-http
>         balance roundrobin
>         cookie BALANCEID insert indirect nocache
>         option http-server-close
>         option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>         server xx-app1 xx.xx.xx.xx:80 cookie A check
>         server xx-app6 xx.xx.xx.xx:80 cookie B check backup
>         acl secure dst_port eq 8000
>         acl login_page url_beg  /xyz
>         redirect prefix https://xx.com if login_page !secure
>
> backend xx-https
>         mode http
>         balance roundrobin
>         cookie BALANCEID insert indirect nocache
>         option http-server-close
>         # option forwardfor except 127.0.0.1
>         option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>         server xx-app1 xx.xx.xx.xx:80 cookie s1 weight 1 maxconn 5000 check
>         server xx-app6 xx.xx.xx.xx:80 cookie s2 weight 1 maxconn 5000 check backup
>
> any suggestions?
>

Re: Haproxy 1.4 url redirection issue

2014-02-27 Thread Baptiste
Hi Amol,

There are a few improvements you can make.
First update your frontend acl to:
  acl host_xx hdr(host) -i xx.com

then in your backend, this ACL should never match: "acl login_page
url_beg  /xyz"
replace url_beg by path_beg.

Your problem is not there as well.
I think your application server is sending hardcoded data or Location headers.
Analyzing the body of the pages and HAProxy logs may help here.

Baptiste



On Tue, Feb 25, 2014 at 4:56 PM, Amol  wrote:
> Hi i am using HA-Proxy version 1.4.12 and i have an issue trying to redirect
> my website to "http"
> requirement : when a user types in http://.com he should not
> be redirected to https://.com
> currently it does that and some of the video links on our main page do not
> work (basically vimeo has http links while our page is https so it throws a
> security exception)
>
> at the same time we need users with http://.com/xyz to be
> redirected to https://.com/xyz (this helps users login to
> secure application)
>
> so under my current configurations i cannot get the first part to work,
> basically (www..com works and stays http but when i type
> http://.com it does a redirection to https)
>
> frontend http-in
>         bind xx.xx.xx.xx:80 name http
>         bind 10.xx.xx.xx:8000 name https # forwarded by stunnel
>
>         acl host_xx hdr_beg(host) -i xx.com
>         use_backend xx-http if host_xx
>         default_backend xx-https
>
> backend xx-http
>         balance roundrobin
>         cookie BALANCEID insert indirect nocache
>         option http-server-close
>         option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>         server xx-app1 xx.xx.xx.xx:80 cookie A check
>         server xx-app6 xx.xx.xx.xx:80 cookie B check backup
>         acl secure dst_port eq 8000
>         acl login_page url_beg  /xyz
>         redirect prefix https://xx.com if login_page !secure
>
> backend xx-https
>         mode http
>         balance roundrobin
>         cookie BALANCEID insert indirect nocache
>         option http-server-close
>         # option forwardfor except 127.0.0.1
>         option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>         server xx-app1 xx.xx.xx.xx:80 cookie s1 weight 1 maxconn 5000 check
>         server xx-app6 xx.xx.xx.xx:80 cookie s2 weight 1 maxconn 5000 check backup
>
> any suggestions?
>
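
An added example, not part of the original messages: one way to do the log analysis suggested above is to parse the `option httplog` lines and separate 3xx responses that HAProxy generated itself (server field `<NOSRV>`, no server contacted) from 3xx responses relayed from a backend server. The sample lines are constructed; the backend and server names are borrowed from the configuration in the thread, and the function name `redirect_sources` is hypothetical.

```python
import re

# Layout of an HAProxy "option httplog" line, from the process tag onward.
LOG_RE = re.compile(
    r'haproxy\[\d+\]: (?P<client>\S+) \[(?P<date>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<tq>-?\d+)/(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tr>-?\d+)/(?P<tt>\+?-?\d+) '
    r'(?P<status>\d{3}) (?P<bytes>\+?\d+) '
    r'.*"(?P<request>[^"]*)"\s*$'
)


def redirect_sources(lines):
    """Return (origin, backend, server, request) for every 3xx log line.

    origin is "haproxy" when no server was contacted (<NOSRV>, e.g. a
    "redirect" rule answered the client) and "server" when the response
    came back from a backend server.
    """
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or not m.group("status").startswith("3"):
            continue  # unparsable line, or not a redirect
        origin = "haproxy" if m.group("server") == "<NOSRV>" else "server"
        findings.append(
            (origin, m.group("backend"), m.group("server"), m.group("request"))
        )
    return findings


# Constructed sample lines: addresses, PIDs, timings and flags are made up
# (the termination flags are not used by the parser).
SAMPLE = [
    'haproxy[1234]: 192.0.2.10:51000 [27/Feb/2014:10:00:00.100] http-in '
    'xx-http/xx-app1 12/0/0/265/277 301 342 - - --VN 3/3/0/1/0 0/0 "GET / HTTP/1.1"',
    'haproxy[1234]: 192.0.2.10:51001 [27/Feb/2014:10:00:01.200] http-in '
    'xx-http/<NOSRV> 5/-1/-1/-1/5 302 120 - - PR-- 3/3/0/0/0 0/0 "GET /xyz HTTP/1.1"',
    'haproxy[1234]: 192.0.2.10:51002 [27/Feb/2014:10:00:02.300] http-in '
    'xx-https/xx-app1 8/0/1/417/426 200 10448 - - --VN 4/4/1/1/0 0/0 "GET / HTTP/1.1"',
]

if __name__ == "__main__":
    for origin, backend, server, request in redirect_sources(SAMPLE):
        print(f"{origin:8} {backend}/{server}  {request}")
```

A 3xx line attributed to `server` points at the application or web server configuration rather than at the HAProxy `redirect` rules.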