Re: Is this possible in HAPROXY 1.4

2013-04-15 Thread haproxy
Thanks Lukas, much appreciated. I'll play around some more.

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,690173,690397#msg-690397



RE: Is this possible in HAPROXY 1.4

2013-04-14 Thread Lukas Tribus
Hi Jon!


> I have played around with the haproxy configuration using 'redirect
> location https:// and redirect prefix https:// but without success.

And what exactly is the issue with that? Redirecting is a very basic
task haproxy can do without problems.


> On speaking to the vendor, they are aware of this issue, and for their
> own implementations they have used a physical F5 NLB and re-directed
> all http traffic over to https.

Redirecting from http to https is not a problem at all. If on the other
hand you need to enable SSL on the load-balancer or use SSL enabled
backends, then you need haproxy 1.5 (which is published as development
releases).


> Am I able to do this in HAPROXY 1.4?

Redirecting between URL schemes: yes, no problem.
Terminating SSL (https) on the load-balancer: not with haproxy 1.4,
you need haproxy 1.5 for that.


Regards,
Lukas 


Re: Is this possible in HAPROXY 1.4

2013-04-14 Thread haproxy
Hi Lukas,

Thanks for taking the time to respond.

It might help to explain further how the environment is set up.

The data flow goes:

User - Internet - Cloud Firewall - Cloud SLB - DMZ Web Agent -  - HAPROXY - Liferay Application

The SSL termination is done at the Cloud SLB end, the traffic is then sent onto 
the Web Agent and then onto HAPROXY and then out to the application.

This mostly works fine, but for some of these functional elements we get this 
problem: when we click on some of the sub menus in the application, it fails 
to load, and the analyzer shows that the user is trying to access the resource 
using http instead of https. There is no SSL termination performed by HAPROXY, 
as the traffic is being passed via our SLB Cloud.
 
This is my current configuration:

global
    log 127.0.0.1 local2

    chroot  /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user    haproxy
    group   haproxy
    daemon

    stats socket /var/lib/haproxy/stats

defaults
    mode    http
    log     global
    option  httplog
    option  dontlognull
    option  http-server-close
    option  forwardfor except 127.0.0.0/8
    option  redispatch
    retries 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn 3000

frontend http-openfire
    bind *:7070
    default_backend openfire

backend openfire
    balance roundrobin
    server   :7070 check
    server   :7070 check

frontend http-uapi
    bind *:7080
    default_backend uapi

backend uapi
    balance roundrobin
    server   :7080 check
    server   :7080 check

frontend http-sec
    bind *:8080
    default_backend sec

backend sec
    balance roundrobin
    server   :8080 check
    server   :8080 check

frontend http-wall
    bind *:9080
    default_backend wall

backend wall
    balance roundrobin
    server   :9080 check
    server   :9080 check

frontend http-xmpp
    bind *:9090
    default_backend xmpp

backend xmpp
    balance roundrobin
    server   :9090 check
    server   :9090 check

frontend http-aim
    bind *:10080
    default_backend aim

backend aim
    balance roundrobin
    server   :10080 check
    server   :10080 check

frontend http-servicedesk
    bind *:8081
    default_backend servicedesk

backend servicedesk
    balance roundrobin
    server   :8081 check
    server   :8081 check

listen stats :1936
    mode http
    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /
    stats auth haproxy:

The bit that I am trying to work out concerns the 'backend servicedesk' and how 
I can make HAPROXY take the http request from the application and turn it into 
a https request. Does this mean I have to install something like STUNNEL and 
the certificate on the HAPROXY server in order for it to be https?

What I tried was:

frontend unsecured *:80
    redirect location https:// - this is resolvable via a hosts file entry to the app1 server.

frontend secured *:443
    mode http
    default_backend httpsapp

backend httpsapp
    mode http
    balance roundrobin
    server app1 :8081 check
    server app2 :8081 check

But that doesn't seem to affect the outcome of the request.

I'm probably being stupid and not understanding what I need to cater for.

Thanks again.

Jon

---
posted at http://www.serverphorums.com
http://www.serverphorums.com/read.php?10,690173,690196#msg-690196



RE: Is this possible in HAPROXY 1.4

2013-04-14 Thread Lukas Tribus
Hi!

> Cloud Firewall - Cloud SLB - DMZ Web Agent

Well, do they all forward TCP port 80 to your haproxy box? There is not
much haproxy can do if the http request doesn't even arrive.


Configuration would probably look like this (use redirect prefix, not
redirect location):

 frontend unsecured *:80
   redirect prefix https://www.example.org


Regards,
Lukas
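
Added example, not part of the thread and not code from any poster: an HAProxy 1.4 frontend contrasting 'redirect location' with the 'redirect prefix' form suggested above, for a setup where SSL is terminated upstream and haproxy only sees plain HTTP. It assumes the upstream SLB sets an X-Forwarded-Proto header on requests it has already decrypted; www.example.org and the 192.0.2.x server addresses are placeholders.

```haproxy
# Added example for HAProxy 1.4. Assumptions: the upstream SLB adds
# "X-Forwarded-Proto: https" to requests it decrypted; www.example.org
# and the 192.0.2.x addresses are placeholders, not values from the thread.

frontend unsecured
    bind *:80
    mode http

    # 'redirect location' answers every request with exactly this URL:
    #   http://www.example.org/menu/sub?id=7  ->  https://www.example.org/
    # The path and query string are lost, so deep links into the
    # application all land on the start page.
    #redirect location https://www.example.org/

    # 'redirect prefix' prepends the prefix to the full request URI:
    #   http://www.example.org/menu/sub?id=7
    #       ->  https://www.example.org/menu/sub?id=7
    #
    # haproxy itself never sees TLS here, so an unconditional redirect on
    # a listener that also receives already-decrypted traffic would loop.
    # The ACL skips the redirect for requests the SLB marked as HTTPS.
    acl via_https hdr(X-Forwarded-Proto) -i https
    redirect prefix https://www.example.org code 301 unless via_https

    default_backend servicedesk

backend servicedesk
    mode http
    balance roundrobin
    server app1 192.0.2.11:8081 check   # placeholder address
    server app2 192.0.2.12:8081 check   # placeholder address
```

The redirect only corrects requests that actually reach this listener, so port 80 has to be forwarded through the firewall, SLB and web agent for it to take effect.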