My Configurations are:-
frontend http-8081
bind *:8081
mode http
acl is_keycloak hdr(X-TARGET) keycloak
use_backend keycloak if is_keycloak
backend keycloak
mode http
balance roundrobin
option forwardfor
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
server 192.168.99.100:32768 192.168.99.101:32766 check inter 5000
I am new to this and I need a Sticky session. Can anyone tell me using this configuration that how to create a Sticky session?
I believe using cookies will help you here.
I would also say have your servers on seperate lines for each one
cookie SERVERID insert
server s1 192.168.99.100:32768 check inter 5000 check cookie s1
server s2 192.168.99.101:32766 check inter 5000 check cookie s2
Related
I have a condition where I need to pass whatever path is given in the frontend url to a backend redirect statement. E.g. Frontend https://example.com/abc/xyz to backend http://server-address:port/abc/xyz. I am using http redirect in the backend as of now. But now it has been requested to pass any path along with the frontend URL, to be appended to backend as well. I cannot use redirect on frontend as I need to use port 443 which is being used by other service. So I am use acl_path to point to a different backend, so I need to achieve this using backend itself. My frontend config is below-
frontend a
bind 10.10.10.10:443 ssl crt /etc/pki/org/key/somekey.key force-tlsv12 ciphers SOME-CIPHER
mode http
acl a_dev_app hdr_dom(host) -m beg a.dev.app.
acl b_dev_app hdr_dom(host) -m beg b.dev.app.
option http-server-close
use_backend a if a_dev_app
use_backend b if b_dev_app
Backend config-
backend b
balance roundrobin
cookie a-web-backend insert indirect nocache
http-request redirect location http://server-url:8081/b
mode http
option httpchk /b
server a-web-d01 http://server-url:8081 check maxconn 150 cookie a-web-d01
I am trying to implement sticky sessions. I have found out that I can add a prefix to the exiting cookies servers to identify them. See here for more
backend bk_web
balance roundrobin
cookie JSESSIONID prefix nocache
server s1 192.168.10.11:80 check cookie s1
server s2 192.168.10.21:80 check cookie s2
My problem is that I do not have distinct servers which I could hard code the cookie names for. Such as s1 and s2.
backend java_container
balance roundrobin
cookie JSESSIONID prefix nocache
server-template worker- 6 worker:8080 check resolvers docker init-addr libc,none
I know the server will be named later worker-1, worker-2 etc but I can't figure out how to give this dynamic info as cookie name. Ideally it would be something like
server-template worker- 6 worker:8080 check resolvers docker init-addr libc,none cookie worker
I tried munging the snippets together and it actually worked.
backend java_container
balance leastconn
dynamic-cookie-key MYKEY
cookie JSESSIONID prefix dynamic nocache
server-template worker- 6 worker:8080 check resolvers docker init-addr libc,none
Cookie looks like this now where the first part the hashed server IP.
JSESSIONID: 8a90ee411f256174~602EE52C3C605D45070366D4009EED56
https://www.haproxy.com/blog/whats-new-haproxy-1-8/#dynamic-cookies
You are looking for the dynamic option as part of the cookie directive. You will also want to look into dynamic-cookie-key.
I have an HAProxy configured to accept requests to *.mysubdomain.com. The HAProxy will parse the subdomain (prod or dev from prod.mysubdomain.com or dev.mysubdomain.com) and forward to the correct backend. Two backends exist, one for prod and one for dev. Each backend contains two server entries pointing towards Marathon LB instances on each subdomain.
The subdomains require a JWT cookie for authentication on the backend. I have the public key to check the validity of the JWT, but would like to do so in the HAProxy. Is there a way to add my own code to perform the JWT validity check within the HAProxy configuration?
The HAProxy configuration file is as follows:
global
maxconn 256
defaults
mode http
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
frontend http-in
bind *:80
mode http
# Returns true when one of the headers contains one of the strings either isolated or delimited by dots. This is used to perform domain name matching.
acl host_dev hdr_dom(host) -i dev
acl host_prod hdr_dom(host) -i prod
acl jwtPresent req.cook(JWT) -m found
use_backend prod_domain if jwtPresent host_prod
use_backend dev_domain if jwtPresent host_dev
default_backend prod_domain
backend prod_domain
balance roundrobin
server prodDomain1 "${MARATHON_LB_PROD_1}" maxconn 32 check
server prodDomain2 "${MARATHON_LB_PROD_2}" maxconn 32 check
backend dev_domain
balance roundrobin
server devDomain1 "${MARATHON_LB_DEV_1}" maxconn 32 check
server devDomain2 "${MARATHON_LB_DEV_2}" maxconn 32 check
HAProxy can act as an API gateway and validate JWT tokens against a public key. They have written a blog post and provided sample code to show you how.
The post is here: https://www.haproxy.com/blog/using-haproxy-as-an-api-gateway-part-2-authentication/
The sample lua code is here: https://github.com/haproxytech/haproxy-lua-jwt
As the other answer pointed out, you have to use Lua script. You can use existing implementations from lua-resty-jwt or Kong.
Notes:
Those code-bases are not concise. A simple copy & paste won't work. So you have to extract the bare minimum you need.
You can't have dependencies in your Lua script. Only plain vanilla Lua. So you have to get rid of all require statements.
The tricky part is the HMAC implementation.
Avoid any I/O operation in your Lua script, e.g. file, database, network operations.
It's not an easy undertaking. Good luck! It's something worth sharing.
As far as I could tell, HAProxy does not have the functionality to perform the logic for validating the JWT. Instead, I implemented a script in Lua for haproxy.cfg to call to perform the validation:
global
maxconn 256
lua-load /choose_backend.lua
defaults
mode http
timeout connect 5000ms
timeout client 50000ms
timeout server 50000ms
frontend http-in
bind *:80
http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
http-request set-var(txn.backend_name) lua.backend_select()
use_backend %[var(txn.backend_name)]
backend prod_domain
balance roundrobin
server prodDomain1 "${MARATHON_LB_PROD_1}" maxconn 32 check
server prodDomain2 "${MARATHON_LB_PROD_2}" maxconn 32 check
backend dev_domain
balance roundrobin
server devDomain1 "${MARATHON_LB_DEV_1}" maxconn 32 check
server devDomain2 "${MARATHON_LB_DEV_2}" maxconn 32 check
Content on both servers are located in http://localhost:88/web/portal
I have configured haproxy with the following config block
listen webfarm 0.0.0.0:8080
mode http
stats enable
stats uri /haproxy?stats
balance roundrobin
option httpclose
option forwardfor
server webserver01 192.168.1.10:88 check
server webserver02 192.168.1.20:88 check
How would I get haproxy to redirect further into directories? I was trying to do redirects locally via apache but all I am getting is loops.
This is untested but something like this may be what you are looking for:
frontend my_frontend
mode http
bind *:8080
stats enable
stats uri /haproxy?stats
default_backend my_backend
backend my_backend
balance roundrobin
option httpclose
option forwardfor
reqrep ^(.*) /web/portal\1
server webserver01 192.168.1.10:88 check
server webserver02 192.168.1.20:88 check
The key change is the reqrep line which takes in the requested uri and prepends /web/portal to it (at least it should).
Sorry it is not in the same format as your example but I just copied it from some of my config and changed it. Let me know if that works for your situation.
as mentioned in the title, i've set an Haproxy loadbalancer with a basic configuration, what i'd like to do is to always redirect request to the first server if the hostname matches x.domaine.com, but keep the balancing for domaine.com, is it possible with Haproxy, and if so how can i do it.
her's my configuration
listen webcluster *:80
mode http
balance roundrobin
option httpchk HEAD / HTTP/1.0
option forwardfor
cookie LSW_WEB insert
option httpclose
server bigSRV 192.168.1.10:8082 cookie LSW_WEB01 check
server miniSRV 192.168.2.10:8082 cookie LSW_WEB01 check
thanks in advence
after hours of digging i finally got it to work, so i'm going to answer my own question in case if samone have the same issue
generally i created a frontend that listen on port:80 and in which i defined 2 ACLs that uses the "if" statement to check the http header and then redirect to one of the backends defined, if no request matches the conditions, we redirect to default backend, here's how it's done (on haproxy.cfg) :
frontend http-proxy
bind *:80
acl is_www hdr(host) -i www.domain.com
acl is_x hdr(host) -i x.domain.com
use_backend clusterWWW if is_www
use_backend clusterX if is_x
default_backend clusterWWW
backend clusterWWW
server bigSRV 192.168.1.10:8082 cookie LSW_WEB01 check
server miniSRV 192.168.2.10:8082 cookie LSW_WEB01 check
backend clusterX
server bigSRV 192.168.1.10:8082 cookie LSW_WEB01 check