Re: Haproxy 1.4 url redirection issue
Amol,

The second log lines clearly show that your application server is
redirecting your user :)

Baptiste

On Thu, Mar 6, 2014 at 4:53 AM, Amol wrote:
> so after looking at haproxy logs i noticed 2 things
>
> if i type www.xx.com there is 1 log entry
>
> haproxy[26387]: xx.11.11.118:62704 [05/Mar/2014:22:48:02.264] http-in
> if-https/if1-app 10734/0/0/403/11137 200 10448 - - --VN 20/20/3/1/0 0/0 "GET
> / HTTP/1.1"
>
> but when i type xx.com i see 2 log entries, that means a url redirection is
> taking place?
>
> haproxy[26387]: xx.11.11.118:62681 [05/Mar/2014:22:48:50.075] http-in
> if-http/if1-app 15670/0/0/265/15935 301 342 - - --VN 17/17/0/1/0 0/0 "GET /
> HTTP/1.1"
> haproxy[26387]: xx.xx.xx.240:54320 [05/Mar/2014:22:48:51.271] http-in
> if-https/if1-app 14872/0/1/417/15290 200 10448 - - --VN 18/18/1/1/0 0/0 "GET
> / HTTP/1.1"
>
> some parts of my config file..
>
> frontend http-in
>     bind :80 name http
>     bind :8000 name https # forwarded by stunnel
>     acl host_xx hdr(host) -i xx.com
>     use_backend if-http if host_if
>     default_backend if-https
>
> backend if-http
>
>     acl secure dst_port eq 8000
>     acl login_page path_beg /exzact
>
>     redirect prefix https://xx.com if login_page !secure
>
> On Wednesday, March 5, 2014 4:08 PM, Amol wrote:
> Hi Neil,
> I tried something similar, by putting the servername and setting
> UseCanonicalName On...
> but what i observe is that when i access my website with just xx.com in the
> browser, it directs to https://www.xx.com
> but if i start fresh and access my website with www.xx.com and the next
> subsequent requests with xx.com always go to www.xx.com
>
> any clue?
>
> here is the apache default.conf
>
> ServerAdmin webmaster@localhost
> ServerName www.xxx.com
>
> DocumentRoot /var/www
>
> Options FollowSymLinks
> AllowOverride All
>
> setenv HTTPS on
> Options FollowSymLinks MultiViews
> AllowOverride All
> Order allow,deny
> allow from all
>
> ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
>
> AllowOverride None
> Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
> Order allow,deny
> Allow from all
>
> ErrorLog /var/log/apache2/error.log
>
> # Possible values include: debug, info, notice, warn, error, crit,
> # alert, emerg.
> LogLevel warn
> ServerSignature Off
> UseCanonicalName On
>
> SetEnvIf Request_URI "^/check\.txt$" dontlog
> CustomLog /var/log/apache2/access.log combined env=!dontlog
>
> Alias /doc/ "/usr/share/doc/"
>
> Options MultiViews FollowSymLinks
> AllowOverride None
> Order deny,allow
> Deny from all
> Allow from 127.0.0.0/255.0.0.0 ::1/128
>
> On Monday, March 3, 2014 5:16 AM, Neil - HAProxy List
> wrote:
> Hello Amol
>
> Here is an example of the sort of thing I use
>
> The 3 important things for are
> ServerName https://servicename.domain.com:443
> SetEnv HTTPS on
> UseCanonicalName On
>
> ServerName https://servicename.domain.com:443
>
> ## Vhost docroot
> DocumentRoot /var/www/
>
> ## Directories, there should at least be a declaration for /var/www
>
> Options Indexes ExecCGI
> AllowOverride None
> Order allow,deny
> Allow from all
>
> ## Logging
> LogLevel warn
> ServerSignature Off
>
> ## Custom fragment
> This tricks PHP into believing the script was accessed over SSL
> SetEnv HTTPS on
>
> DirectoryIndex index.php
> UseCanonicalName On
>
> ErrorLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_error.log
> /var/log/apache2/%Y/servicename_error-%Y%m%d.log"
>
> LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\""
> direct
> LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\"
> \"%{User-Agent}i\"" proxied
> SetEnvIf Remote_Addr "^" direct # make it always set
> SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" !direct
> SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" proxied
> SetEnvIf Request_URI "^/healthcheck$" !direct
>
> # keep these SetEnvIf Request_URI "^/healthcheck$" !proxied
> CustomLog "|/usr/bin/cronolog --link
> /var/log/apache2/servicename_directaccess
> /var/log/apache2/%Y/servicename_directaccess-%Y%m%d.log" direct env=direct
> CustomLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_access
> /var/log/apache2/%Y/servicename_access-%Y%m%d.log" proxied env=proxied
>
> I like to log traffic from the loadbal separately to traffic from the public
> and I ignore /healthcheck from the loadbal but not from others. You'll need
> to tell haproxy to "option forwardfor". Also using cronolog.
>
> Neil
>
> On 1 March 2014 15:27, Baptiste wrote:
>
> Hi
>
> More chance to get an answer from Apache 2.2 and wordpress people...
>
> Baptiste
>
> On Fri, Feb 28, 2014 at 4:12 PM, Amol wrote:
>> well
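Added example, not part of the original thread: a small Python parser for the HAProxy HTTP log lines quoted in the message above, reporting whether each 3xx response was returned by a backend server or generated by HAProxy itself. The first three sample lines are the ones from the thread; the fourth is constructed, and the `<NOSRV>` rule is taken from HAProxy's documented log format rather than from anything the posters wrote.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Fields of an HAProxy HTTP log line ("option httplog") after the syslog tag:
#   client:port [accept_date] frontend backend/server Tq/Tw/Tc/Tr/Tt status
#   bytes req_cookie resp_cookie term_state conn_counters queues "request"
LOG_RE = re.compile(
    r'haproxy\[\d+\]:\s+'
    r'(?P<client>\S+):(?P<cport>\d+)\s+'
    r'\[(?P<accept>[^\]]+)\]\s+'
    r'(?P<frontend>\S+)\s+'
    r'(?P<backend>[^/\s]+)/(?P<server>\S+)\s+'
    r'(?P<tq>-?\d+)/(?P<tw>-?\d+)/(?P<tc>-?\d+)/(?P<tr>-?\d+)/\+?(?P<tt>-?\d+)\s+'
    r'(?P<status>-?\d+)\s+\+?(?P<bytes>\d+)\s+'
    r'\S+\s+\S+\s+'                  # captured request / response cookies
    r'(?P<term>\S{4})\s+'            # termination state: parsed, not used below
    r'\S+\s+\S+\s+'                  # connection counters, queue positions
    r'(?:\{[^}]*\}\s+)*'             # optional captured headers
    r'"(?P<request>[^"]*)"'
)

REDIRECT_CODES = {301, 302, 303, 307, 308}


class Entry(NamedTuple):
    backend: str
    server: str
    tr_ms: int      # Tr: time the server took to send its response headers
    status: int
    request: str


def parse(line: str) -> Optional[Entry]:
    """Parse one HTTP log line; return None if it is not in httplog format."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return Entry(m["backend"], m["server"], int(m["tr"]),
                 int(m["status"]), m["request"])


def redirect_origin(e: Entry) -> Optional[str]:
    """Return 'haproxy' or 'backend' for a 3xx entry, None otherwise."""
    if e.status not in REDIRECT_CODES:
        return None
    # HAProxy logs "<NOSRV>" as the server name when the request was never
    # handed to a server, which is the case for its own "redirect" rules.
    if e.server == "<NOSRV>":
        return "haproxy"
    return "backend"


def classify(lines: List[str]) -> List[Tuple[int, str, Optional[str]]]:
    """Return (status, 'backend/server', origin) for every parsable line."""
    out = []
    for line in lines:
        e = parse(line)
        if e is not None:
            out.append((e.status, f"{e.backend}/{e.server}", redirect_origin(e)))
    return out


SAMPLE_LINES = [
    # The three log lines posted in the thread.
    'haproxy[26387]: xx.11.11.118:62704 [05/Mar/2014:22:48:02.264] http-in '
    'if-https/if1-app 10734/0/0/403/11137 200 10448 - - --VN 20/20/3/1/0 0/0 '
    '"GET / HTTP/1.1"',
    'haproxy[26387]: xx.11.11.118:62681 [05/Mar/2014:22:48:50.075] http-in '
    'if-http/if1-app 15670/0/0/265/15935 301 342 - - --VN 17/17/0/1/0 0/0 '
    '"GET / HTTP/1.1"',
    'haproxy[26387]: xx.xx.xx.240:54320 [05/Mar/2014:22:48:51.271] http-in '
    'if-https/if1-app 14872/0/1/417/15290 200 10448 - - --VN 18/18/1/1/0 0/0 '
    '"GET / HTTP/1.1"',
    # Constructed line (not from the thread): a redirect issued by HAProxy.
    'haproxy[26387]: 192.0.2.10:40000 [05/Mar/2014:22:50:00.000] http-in '
    'if-http/<NOSRV> 12/-1/-1/-1/12 302 120 - - LR-- 1/1/0/0/0 0/0 '
    '"GET /exzact HTTP/1.1"',
]

if __name__ == "__main__":
    for status, target, origin in classify(SAMPLE_LINES):
        print(status, target, origin or "-")
```

The 301 in the thread names a real server (`if1-app`) and has a server response time of 265 ms, so it is reported as a backend redirect.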
Re: Haproxy 1.4 url redirection issue
so after looking at haproxy logs i noticed 2 things

if i type www.xx.com there is 1 log entry

haproxy[26387]: xx.11.11.118:62704 [05/Mar/2014:22:48:02.264] http-in if-https/if1-app 10734/0/0/403/11137 200 10448 - - --VN 20/20/3/1/0 0/0 "GET / HTTP/1.1"

but when i type xx.com i see 2 log entries, that means a url redirection is taking place?

haproxy[26387]: xx.11.11.118:62681 [05/Mar/2014:22:48:50.075] http-in if-http/if1-app 15670/0/0/265/15935 301 342 - - --VN 17/17/0/1/0 0/0 "GET / HTTP/1.1"
haproxy[26387]: xx.xx.xx.240:54320 [05/Mar/2014:22:48:51.271] http-in if-https/if1-app 14872/0/1/417/15290 200 10448 - - --VN 18/18/1/1/0 0/0 "GET / HTTP/1.1"

some parts of my config file..

frontend http-in
    bind :80 name http
    bind :8000 name https # forwarded by stunnel
    acl host_xx hdr(host) -i xx.com
    use_backend if-http if host_if
    default_backend if-https

backend if-http

    acl secure dst_port eq 8000
    acl login_page path_beg /exzact

    redirect prefix https://xx.com if login_page !secure

On Wednesday, March 5, 2014 4:08 PM, Amol wrote:
Hi Neil,
I tried something similar, by putting the servername and setting UseCanonicalName On...
but what i observe is that when i access my website with just xx.com in the browser, it directs to https://www.xx.com
but if i start fresh and access my website with www.xx.com and the next subsequent requests with xx.com always go to www.xx.com

any clue?

here is the apache default.conf

ServerAdmin webmaster@localhost
ServerName www.xxx.com

DocumentRoot /var/www

Options FollowSymLinks
AllowOverride All

setenv HTTPS on
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all

ErrorLog /var/log/apache2/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
ServerSignature Off
UseCanonicalName On

SetEnvIf Request_URI "^/check\.txt$" dontlog
CustomLog /var/log/apache2/access.log combined env=!dontlog

Alias /doc/ "/usr/share/doc/"

Options MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128

On Monday, March 3, 2014 5:16 AM, Neil - HAProxy List wrote:
Hello Amol

Here is an example of the sort of thing I use

The 3 important things for are
ServerName https://servicename.domain.com:443
SetEnv HTTPS on
UseCanonicalName On

ServerName https://servicename.domain.com:443

## Vhost docroot
DocumentRoot /var/www/

## Directories, there should at least be a declaration for /var/www

Options Indexes ExecCGI
AllowOverride None
Order allow,deny
Allow from all

## Logging
LogLevel warn
ServerSignature Off

## Custom fragment
This tricks PHP into believing the script was accessed over SSL
SetEnv HTTPS on

DirectoryIndex index.php
UseCanonicalName On

ErrorLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_error.log /var/log/apache2/%Y/servicename_error-%Y%m%d.log"

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" direct
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxied
SetEnvIf Remote_Addr "^" direct # make it always set
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" !direct
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" proxied
SetEnvIf Request_URI "^/healthcheck$" !direct

# keep these SetEnvIf Request_URI "^/healthcheck$" !proxied
CustomLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_directaccess /var/log/apache2/%Y/servicename_directaccess-%Y%m%d.log" direct env=direct
CustomLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_access /var/log/apache2/%Y/servicename_access-%Y%m%d.log" proxied env=proxied

I like to log traffic from the loadbal separately to traffic from the public and I ignore /healthcheck from the loadbal but not from others. You'll need to tell haproxy to "option forwardfor". Also using cronolog.

Neil

On 1 March 2014 15:27, Baptiste wrote:

Hi
>
>More chance to get an answer from Apache 2.2 and wordpress people...
>
>Baptiste
>
>On Fri, Feb 28, 2014 at 4:12 PM, Amol wrote:
>> well the application behind haproxy in this case is wordpress on apache2.2,
>> any settings there?
>>
>> On Friday, February 28, 2014 4:57 AM, Baptiste wrote:
>> It may not fix the issue.
>> But at least the configuration will do what you expect from it...
>>
>> That said, the issue may be in the application too :)
>> It is commonly seen that applications don't behave properly when SSL
>> offloading is en
Re: Haproxy 1.4 url redirection issue
Hi Neil,
I tried something similar, by putting the servername and setting UseCanonicalName On...
but what i observe is that when i access my website with just xx.com in the browser, it directs to https://www.xx.com
but if i start fresh and access my website with www.xx.com and the next subsequent requests with xx.com always go to www.xx.com

any clue?

here is the apache default.conf

ServerAdmin webmaster@localhost
ServerName www.xxx.com

DocumentRoot /var/www

Options FollowSymLinks
AllowOverride All

setenv HTTPS on
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all

ErrorLog /var/log/apache2/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
ServerSignature Off
UseCanonicalName On

SetEnvIf Request_URI "^/check\.txt$" dontlog
CustomLog /var/log/apache2/access.log combined env=!dontlog

Alias /doc/ "/usr/share/doc/"

Options MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128

On Monday, March 3, 2014 5:16 AM, Neil - HAProxy List wrote:
Hello Amol

Here is an example of the sort of thing I use

The 3 important things for are
ServerName https://servicename.domain.com:443
SetEnv HTTPS on
UseCanonicalName On

ServerName https://servicename.domain.com:443

## Vhost docroot
DocumentRoot /var/www/

## Directories, there should at least be a declaration for /var/www

Options Indexes ExecCGI
AllowOverride None
Order allow,deny
Allow from all

## Logging
LogLevel warn
ServerSignature Off

## Custom fragment
This tricks PHP into believing the script was accessed over SSL
SetEnv HTTPS on

DirectoryIndex index.php
UseCanonicalName On

ErrorLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_error.log /var/log/apache2/%Y/servicename_error-%Y%m%d.log"

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" direct
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxied
SetEnvIf Remote_Addr "^" direct # make it always set
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" !direct
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" proxied
SetEnvIf Request_URI "^/healthcheck$" !direct

# keep these SetEnvIf Request_URI "^/healthcheck$" !proxied
CustomLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_directaccess /var/log/apache2/%Y/servicename_directaccess-%Y%m%d.log" direct env=direct
CustomLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_access /var/log/apache2/%Y/servicename_access-%Y%m%d.log" proxied env=proxied

I like to log traffic from the loadbal separately to traffic from the public and I ignore /healthcheck from the loadbal but not from others. You'll need to tell haproxy to "option forwardfor". Also using cronolog.

Neil

On 1 March 2014 15:27, Baptiste wrote:

Hi
>
>More chance to get an answer from Apache 2.2 and wordpress people...
>
>Baptiste
>
>On Fri, Feb 28, 2014 at 4:12 PM, Amol wrote:
>> well the application behind haproxy in this case is wordpress on apache2.2,
>> any settings there?
>>
>> On Friday, February 28, 2014 4:57 AM, Baptiste wrote:
>> It may not fix the issue.
>> But at least the configuration will do what you expect from it...
>>
>> That said, the issue may be in the application too :)
>> It is commonly seen that applications don't behave properly when SSL
>> offloading is enabled in front of them.
>>
>> Baptiste
>>
>> On Thu, Feb 27, 2014 at 4:16 PM, Amol wrote:
>>> Thanks Baptiste, let me give that a try
>>>
>>> On Thursday, February 27, 2014 9:37 AM, Baptiste wrote:
>>> Hi Amol,
>>>
>>> There are a few improvements you can do.
>>> First update your frontend acl to:
>>> acl host_xx hdr(host) -i xx.com
>>>
>>> then in your backend, this ACL should never match: "acl login_page
>>> url_beg /xyz"
>>> replace url_beg by path_beg.
>>>
>>> Your problem is not there as well.
>>> I think your application server is sending hardcoded data or Location
>>> headers.
>>> analyzing the body of the pages and HAProxy logs may help here.
>>>
>>> Baptiste
>>>
>>> On Tue, Feb 25, 2014 at 4:56 PM, Amol wrote:

Hi i am using HA-Proxy version 1.4.12 and i have an issue trying to redirect my website to "http"
requirement : when a user types in http://.com he should not be redirected to https://.com
currently it does that and some of the video links on our main page do not work (basically vimeo has http links while our page is https so it t
Re: Haproxy 1.4 url redirection issue
Hello Amol

Here is an example of the sort of thing I use

The 3 important things for are
ServerName https://servicename.domain.com:443
SetEnv HTTPS on
UseCanonicalName On

ServerName https://servicename.domain.com:443

## Vhost docroot
DocumentRoot /var/www/

## Directories, there should at least be a declaration for /var/www

Options Indexes ExecCGI
AllowOverride None
Order allow,deny
Allow from all

## Logging
LogLevel warn
ServerSignature Off

## Custom fragment
This tricks PHP into believing the script was accessed over SSL
SetEnv HTTPS on

DirectoryIndex index.php
UseCanonicalName On

ErrorLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_error.log /var/log/apache2/%Y/servicename_error-%Y%m%d.log"

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" direct
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxied
SetEnvIf Remote_Addr "^" direct # make it always set
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" !direct
SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" proxied
SetEnvIf Request_URI "^/healthcheck$" !direct

# keep these SetEnvIf Request_URI "^/healthcheck$" !proxied
CustomLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_directaccess /var/log/apache2/%Y/servicename_directaccess-%Y%m%d.log" direct env=direct
CustomLog "|/usr/bin/cronolog --link /var/log/apache2/servicename_access /var/log/apache2/%Y/servicename_access-%Y%m%d.log" proxied env=proxied

I like to log traffic from the loadbal separately to traffic from the public and I ignore /healthcheck from the loadbal but not from others. You'll need to tell haproxy to "option forwardfor". Also using cronolog.

Neil

On 1 March 2014 15:27, Baptiste wrote:

> Hi
>
> More chance to get an answer from Apache 2.2 and wordpress people...
>
> Baptiste
>
> On Fri, Feb 28, 2014 at 4:12 PM, Amol wrote:
> > well the application behind haproxy in this case is wordpress on
> > apache2.2,
> > any settings there?
> >
> > On Friday, February 28, 2014 4:57 AM, Baptiste wrote:
> > It may not fix the issue.
> > But at least the configuration will do what you expect from it...
> >
> > That said, the issue may be in the application too :)
> > It is commonly seen that applications don't behave properly when SSL
> > offloading is enabled in front of them.
> >
> > Baptiste
> >
> > On Thu, Feb 27, 2014 at 4:16 PM, Amol wrote:
> >> Thanks Baptiste, let me give that a try
> >>
> >> On Thursday, February 27, 2014 9:37 AM, Baptiste wrote:
> >> Hi Amol,
> >>
> >> There are a few improvements you can do.
> >> First update your frontend acl to:
> >> acl host_xx hdr(host) -i xx.com
> >>
> >> then in your backend, this ACL should never match: "acl login_page
> >> url_beg /xyz"
> >> replace url_beg by path_beg.
> >>
> >> Your problem is not there as well.
> >> I think your application server is sending hardcoded data or Location
> >> headers.
> >> analyzing the body of the pages and HAProxy logs may help here.
> >>
> >> Baptiste
> >>
> >> On Tue, Feb 25, 2014 at 4:56 PM, Amol wrote:
> >>> Hi i am using HA-Proxy version 1.4.12 and i have an issue trying to redirect
> >>> my website to "http"
> >>> requirement : when a user types in http://.com he should not
> >>> be redirected to https://.com
> >>> currently it does that and some of the video links on our main page do not
> >>> work (basically vimeo has http links while our page is https so it throws a
> >>> security exception)
> >>>
> >>> at the same time we need users with http://.com/xyz to be
> >>> redirected to https://.com/xyz (this helps users login to
> >>> secure application)
> >>>
> >>> so under my current configurations i cannot get the first part to work,
> >>> basically (www..com works and stays http but when i type
> >>> http://.com it does a redirection to https)
> >>>
> >>> frontend http-in
> >>>     bind xx.xx.xx.xx:80 name http
> >>>     bind 10.xx.xx.xx:8000 name https # forwarded by stunnel
> >>>
> >>>     acl host_xx hdr_beg(host) -i xx.com
> >>>     use_backend xx-http if host_xx
> >>>     default_backend xx-https
> >>>
> >>> backend xx-http
> >>>     balance roundrobin
> >>>     cookie BALANCEID insert indirect nocache
> >>>     option http-server-close
> >>>     option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
> >>>     server xx-app1 xx.xx.xx.xx:80 cookie A check
> >>>     server xx-app6 xx.xx.xx.xx:80 cookie B check backup
> >>>     acl secure dst_port eq 8000
> >>>     acl login_page url_beg /xyz
> >>>     redirect prefix https://xx.com if login_page !secure
> >>>
> >>> backend xx-https
> >>>     mode http
> >>>     balance roundrobin
> >>>     cookie BALANCEID insert indirect nocache
> >>>     option http-server-close
> >>>     # option forwardfor except 127.0.0.1
> >>>     option httpchk OPTIONS /check.
Re: Haproxy 1.4 url redirection issue
Hi

More chance to get an answer from Apache 2.2 and wordpress people...

Baptiste

On Fri, Feb 28, 2014 at 4:12 PM, Amol wrote:
> well the application behind haproxy in this case is wordpress on apache2.2,
> any settings there?
>
> On Friday, February 28, 2014 4:57 AM, Baptiste wrote:
> It may not fix the issue.
> But at least the configuration will do what you expect from it...
>
> That said, the issue may be in the application too :)
> It is commonly seen that applications don't behave properly when SSL
> offloading is enabled in front of them.
>
> Baptiste
>
> On Thu, Feb 27, 2014 at 4:16 PM, Amol wrote:
>> Thanks Baptiste, let me give that a try
>>
>> On Thursday, February 27, 2014 9:37 AM, Baptiste wrote:
>> Hi Amol,
>>
>> There are a few improvements you can do.
>> First update your frontend acl to:
>> acl host_xx hdr(host) -i xx.com
>>
>> then in your backend, this ACL should never match: "acl login_page
>> url_beg /xyz"
>> replace url_beg by path_beg.
>>
>> Your problem is not there as well.
>> I think your application server is sending hardcoded data or Location
>> headers.
>> analyzing the body of the pages and HAProxy logs may help here.
>>
>> Baptiste
>>
>> On Tue, Feb 25, 2014 at 4:56 PM, Amol wrote:
>>> Hi i am using HA-Proxy version 1.4.12 and i have an issue trying to redirect
>>> my website to "http"
>>> requirement : when a user types in http://.com he should not
>>> be redirected to https://.com
>>> currently it does that and some of the video links on our main page do not
>>> work (basically vimeo has http links while our page is https so it throws a
>>> security exception)
>>>
>>> at the same time we need users with http://.com/xyz to be
>>> redirected to https://.com/xyz (this helps users login to
>>> secure application)
>>>
>>> so under my current configurations i cannot get the first part to work,
>>> basically (www..com works and stays http but when i type
>>> http://.com it does a redirection to https)
>>>
>>> frontend http-in
>>>     bind xx.xx.xx.xx:80 name http
>>>     bind 10.xx.xx.xx:8000 name https # forwarded by stunnel
>>>
>>>     acl host_xx hdr_beg(host) -i xx.com
>>>     use_backend xx-http if host_xx
>>>     default_backend xx-https
>>>
>>> backend xx-http
>>>     balance roundrobin
>>>     cookie BALANCEID insert indirect nocache
>>>     option http-server-close
>>>     option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>>>     server xx-app1 xx.xx.xx.xx:80 cookie A check
>>>     server xx-app6 xx.xx.xx.xx:80 cookie B check backup
>>>     acl secure dst_port eq 8000
>>>     acl login_page url_beg /xyz
>>>     redirect prefix https://xx.com if login_page !secure
>>>
>>> backend xx-https
>>>     mode http
>>>     balance roundrobin
>>>     cookie BALANCEID insert indirect nocache
>>>     option http-server-close
>>>     # option forwardfor except 127.0.0.1
>>>     option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>>>     server xx-app1 xx.xx.xx.xx:80 cookie s1 weight 1 maxconn 5000 check
>>>     server xx-app6 xx.xx.xx.xx:80 cookie s2 weight 1 maxconn 5000 check backup
>>>
>>> any suggestions?
Re: Haproxy 1.4 url redirection issue
well the application behind haproxy in this case is wordpress on apache2.2, any settings there?

On Friday, February 28, 2014 4:57 AM, Baptiste wrote:
It may not fix the issue.
But at least the configuration will do what you expect from it...

That said, the issue may be in the application too :)
It is commonly seen that applications don't behave properly when SSL offloading is enabled in front of them.

Baptiste

On Thu, Feb 27, 2014 at 4:16 PM, Amol wrote:
> Thanks Baptiste, let me give that a try
>
> On Thursday, February 27, 2014 9:37 AM, Baptiste wrote:
> Hi Amol,
>
> There are a few improvements you can do.
> First update your frontend acl to:
> acl host_xx hdr(host) -i xx.com
>
> then in your backend, this ACL should never match: "acl login_page
> url_beg /xyz"
> replace url_beg by path_beg.
>
> Your problem is not there as well.
> I think your application server is sending hardcoded data or Location
> headers.
> analyzing the body of the pages and HAProxy logs may help here.
>
> Baptiste
>
> On Tue, Feb 25, 2014 at 4:56 PM, Amol wrote:
>> Hi i am using HA-Proxy version 1.4.12 and i have an issue trying to redirect
>> my website to "http"
>> requirement : when a user types in http://.com he should not
>> be redirected to https://.com
>> currently it does that and some of the video links on our main page do not
>> work (basically vimeo has http links while our page is https so it throws a
>> security exception)
>>
>> at the same time we need users with http://.com/xyz to be
>> redirected to https://.com/xyz (this helps users login to
>> secure application)
>>
>> so under my current configurations i cannot get the first part to work,
>> basically (www..com works and stays http but when i type
>> http://.com it does a redirection to https)
>>
>> frontend http-in
>>     bind xx.xx.xx.xx:80 name http
>>     bind 10.xx.xx.xx:8000 name https # forwarded by stunnel
>>
>>     acl host_xx hdr_beg(host) -i xx.com
>>     use_backend xx-http if host_xx
>>     default_backend xx-https
>>
>> backend xx-http
>>     balance roundrobin
>>     cookie BALANCEID insert indirect nocache
>>     option http-server-close
>>     option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>>     server xx-app1 xx.xx.xx.xx:80 cookie A check
>>     server xx-app6 xx.xx.xx.xx:80 cookie B check backup
>>     acl secure dst_port eq 8000
>>     acl login_page url_beg /xyz
>>     redirect prefix https://xx.com if login_page !secure
>>
>> backend xx-https
>>     mode http
>>     balance roundrobin
>>     cookie BALANCEID insert indirect nocache
>>     option http-server-close
>>     # option forwardfor except 127.0.0.1
>>     option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>>     server xx-app1 xx.xx.xx.xx:80 cookie s1 weight 1 maxconn 5000 check
>>     server xx-app6 xx.xx.xx.xx:80 cookie s2 weight 1 maxconn 5000 check backup
>>
>> any suggestions?
Re: Haproxy 1.4 url redirection issue
could it also be due to the apache settings on the application server where i have "setenv HTTPS on" ?

here is a snippet from my apache2 default.conf file

ServerAdmin webmaster@localhost

DocumentRoot /var/www

Options FollowSymLinks
AllowOverride All

setenv HTTPS on
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all

On Friday, February 28, 2014 4:55 AM, Baptiste wrote:
It may not fix the issue.
But at least the configuration will do what you expect from it...

That said, the issue may be in the application too :)
It is commonly seen that applications don't behave properly when SSL offloading is enabled in front of them.

Baptiste

On Thu, Feb 27, 2014 at 4:16 PM, Amol wrote:
> Thanks Baptiste, let me give that a try
>
> On Thursday, February 27, 2014 9:37 AM, Baptiste wrote:
> Hi Amol,
>
> There are a few improvements you can do.
> First update your frontend acl to:
> acl host_xx hdr(host) -i xx.com
>
> then in your backend, this ACL should never match: "acl login_page
> url_beg /xyz"
> replace url_beg by path_beg.
>
> Your problem is not there as well.
> I think your application server is sending hardcoded data or Location
> headers.
> analyzing the body of the pages and HAProxy logs may help here.
>
> Baptiste
>
> On Tue, Feb 25, 2014 at 4:56 PM, Amol wrote:
>> Hi i am using HA-Proxy version 1.4.12 and i have an issue trying to redirect
>> my website to "http"
>> requirement : when a user types in http://.com he should not
>> be redirected to https://.com
>> currently it does that and some of the video links on our main page do not
>> work (basically vimeo has http links while our page is https so it throws a
>> security exception)
>>
>> at the same time we need users with http://.com/xyz to be
>> redirected to https://.com/xyz (this helps users login to
>> secure application)
>>
>> so under my current configurations i cannot get the first part to work,
>> basically (www..com works and stays http but when i type
>> http://.com it does a redirection to https)
>>
>> frontend http-in
>>     bind xx.xx.xx.xx:80 name http
>>     bind 10.xx.xx.xx:8000 name https # forwarded by stunnel
>>
>>     acl host_xx hdr_beg(host) -i xx.com
>>     use_backend xx-http if host_xx
>>     default_backend xx-https
>>
>> backend xx-http
>>     balance roundrobin
>>     cookie BALANCEID insert indirect nocache
>>     option http-server-close
>>     option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>>     server xx-app1 xx.xx.xx.xx:80 cookie A check
>>     server xx-app6 xx.xx.xx.xx:80 cookie B check backup
>>     acl secure dst_port eq 8000
>>     acl login_page url_beg /xyz
>>     redirect prefix https://xx.com if login_page !secure
>>
>> backend xx-https
>>     mode http
>>     balance roundrobin
>>     cookie BALANCEID insert indirect nocache
>>     option http-server-close
>>     # option forwardfor except 127.0.0.1
>>     option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>>     server xx-app1 xx.xx.xx.xx:80 cookie s1 weight 1 maxconn 5000 check
>>     server xx-app6 xx.xx.xx.xx:80 cookie s2 weight 1 maxconn 5000 check backup
>>
>> any suggestions?
Re: Haproxy 1.4 url redirection issue
It may not fix the issue.
But at least the configuration will do what you expect from it...

That said, the issue may be in the application too :)
It is commonly seen that applications don't behave properly when SSL
offloading is enabled in front of them.

Baptiste

On Thu, Feb 27, 2014 at 4:16 PM, Amol wrote:
> Thanks Baptiste, let me give that a try
>
> On Thursday, February 27, 2014 9:37 AM, Baptiste wrote:
> Hi Amol,
>
> There are a few improvements you can do.
> First update your frontend acl to:
> acl host_xx hdr(host) -i xx.com
>
> then in your backend, this ACL should never match: "acl login_page
> url_beg /xyz"
> replace url_beg by path_beg.
>
> Your problem is not there as well.
> I think your application server is sending hardcoded data or Location
> headers.
> analyzing the body of the pages and HAProxy logs may help here.
>
> Baptiste
>
> On Tue, Feb 25, 2014 at 4:56 PM, Amol wrote:
>> Hi i am using HA-Proxy version 1.4.12 and i have an issue trying to redirect
>> my website to "http"
>> requirement : when a user types in http://.com he should not
>> be redirected to https://.com
>> currently it does that and some of the video links on our main page do not
>> work (basically vimeo has http links while our page is https so it throws a
>> security exception)
>>
>> at the same time we need users with http://.com/xyz to be
>> redirected to https://.com/xyz (this helps users login to
>> secure application)
>>
>> so under my current configurations i cannot get the first part to work,
>> basically (www..com works and stays http but when i type
>> http://.com it does a redirection to https)
>>
>> frontend http-in
>>     bind xx.xx.xx.xx:80 name http
>>     bind 10.xx.xx.xx:8000 name https # forwarded by stunnel
>>
>>     acl host_xx hdr_beg(host) -i xx.com
>>     use_backend xx-http if host_xx
>>     default_backend xx-https
>>
>> backend xx-http
>>     balance roundrobin
>>     cookie BALANCEID insert indirect nocache
>>     option http-server-close
>>     option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>>     server xx-app1 xx.xx.xx.xx:80 cookie A check
>>     server xx-app6 xx.xx.xx.xx:80 cookie B check backup
>>     acl secure dst_port eq 8000
>>     acl login_page url_beg /xyz
>>     redirect prefix https://xx.com if login_page !secure
>>
>> backend xx-https
>>     mode http
>>     balance roundrobin
>>     cookie BALANCEID insert indirect nocache
>>     option http-server-close
>>     # option forwardfor except 127.0.0.1
>>     option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>>     server xx-app1 xx.xx.xx.xx:80 cookie s1 weight 1 maxconn 5000 check
>>     server xx-app6 xx.xx.xx.xx:80 cookie s2 weight 1 maxconn 5000 check backup
>>
>> any suggestions?
Re: Haproxy 1.4 url redirection issue
Thanks Baptiste, let me give that a try

On Thursday, February 27, 2014 9:37 AM, Baptiste wrote:
Hi Amol,

There are a few improvements you can do.
First update your frontend acl to:
acl host_xx hdr(host) -i xx.com

then in your backend, this ACL should never match: "acl login_page url_beg /xyz"
replace url_beg by path_beg.

Your problem is not there as well.
I think your application server is sending hardcoded data or Location headers.
analyzing the body of the pages and HAProxy logs may help here.

Baptiste

On Tue, Feb 25, 2014 at 4:56 PM, Amol wrote:
> Hi i am using HA-Proxy version 1.4.12 and i have an issue trying to redirect
> my website to "http"
> requirement : when a user types in http://.com he should not
> be redirected to https://.com
> currently it does that and some of the video links on our main page do not
> work (basically vimeo has http links while our page is https so it throws a
> security exception)
>
> at the same time we need users with http://.com/xyz to be
> redirected to https://.com/xyz (this helps users login to
> secure application)
>
> so under my current configurations i cannot get the first part to work,
> basically (www..com works and stays http but when i type
> http://.com it does a redirection to https)
>
> frontend http-in
>     bind xx.xx.xx.xx:80 name http
>     bind 10.xx.xx.xx:8000 name https # forwarded by stunnel
>
>     acl host_xx hdr_beg(host) -i xx.com
>     use_backend xx-http if host_xx
>     default_backend xx-https
>
> backend xx-http
>     balance roundrobin
>     cookie BALANCEID insert indirect nocache
>     option http-server-close
>     option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>     server xx-app1 xx.xx.xx.xx:80 cookie A check
>     server xx-app6 xx.xx.xx.xx:80 cookie B check backup
>     acl secure dst_port eq 8000
>     acl login_page url_beg /xyz
>     redirect prefix https://xx.com if login_page !secure
>
> backend xx-https
>     mode http
>     balance roundrobin
>     cookie BALANCEID insert indirect nocache
>     option http-server-close
>     # option forwardfor except 127.0.0.1
>     option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>     server xx-app1 xx.xx.xx.xx:80 cookie s1 weight 1 maxconn 5000 check
>     server xx-app6 xx.xx.xx.xx:80 cookie s2 weight 1 maxconn 5000 check backup
>
> any suggestions?
Re: Haproxy 1.4 url redirection issue
Hi Amol,

There are a few improvements you can do.
First update your frontend acl to:
acl host_xx hdr(host) -i xx.com

then in your backend, this ACL should never match: "acl login_page
url_beg /xyz"
replace url_beg by path_beg.

Your problem is not there as well.
I think your application server is sending hardcoded data or Location
headers.
analyzing the body of the pages and HAProxy logs may help here.

Baptiste

On Tue, Feb 25, 2014 at 4:56 PM, Amol wrote:
> Hi i am using HA-Proxy version 1.4.12 and i have an issue trying to redirect
> my website to "http"
> requirement : when a user types in http://.com he should not
> be redirected to https://.com
> currently it does that and some of the video links on our main page do not
> work (basically vimeo has http links while our page is https so it throws a
> security exception)
>
> at the same time we need users with http://.com/xyz to be
> redirected to https://.com/xyz (this helps users login to
> secure application)
>
> so under my current configurations i cannot get the first part to work,
> basically (www..com works and stays http but when i type
> http://.com it does a redirection to https)
>
> frontend http-in
>     bind xx.xx.xx.xx:80 name http
>     bind 10.xx.xx.xx:8000 name https # forwarded by stunnel
>
>     acl host_xx hdr_beg(host) -i xx.com
>     use_backend xx-http if host_xx
>     default_backend xx-https
>
> backend xx-http
>     balance roundrobin
>     cookie BALANCEID insert indirect nocache
>     option http-server-close
>     option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>     server xx-app1 xx.xx.xx.xx:80 cookie A check
>     server xx-app6 xx.xx.xx.xx:80 cookie B check backup
>     acl secure dst_port eq 8000
>     acl login_page url_beg /xyz
>     redirect prefix https://xx.com if login_page !secure
>
> backend xx-https
>     mode http
>     balance roundrobin
>     cookie BALANCEID insert indirect nocache
>     option http-server-close
>     # option forwardfor except 127.0.0.1
>     option httpchk OPTIONS /check.txt HTTP/1.1\r\nHost:\ www
>     server xx-app1 xx.xx.xx.xx:80 cookie s1 weight 1 maxconn 5000 check
>     server xx-app6 xx.xx.xx.xx:80 cookie s2 weight 1 maxconn 5000 check backup
>
> any suggestions?