I have setup haproxy -X with two backend server Y and Z
My problem is when I call X (haproxy) it redirects correctly to Y or Z but URL is also changed (Containing Y or Z IP), So now I am talking directly to WebServer instead of haProxy Server.
is there a way to retain haProxy IP in requests ?
haproxy.cfg
global
log 127.0.0.1 local0
maxconn 2000
user haproxy
group haproxy
defaults
log global
mode http
option httplog
option dontlognull
contimeout 5000
clitimeout 50000
srvtimeout 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend LB
bind *:80
reqadd X-Forwarded-Proto:\ http
option httplog
default_backend LB
backend LB
mode http
stats enable
stats hide-version
stats uri /stats
stats realm Haproxy\ Statistics
stats auth haproxy:redhat # Credentials for HAProxy Statistic report page.
balance roundrobin # Load balancing will work in round-robin process.
option httpchk
option httpclose
option forwardfor
option httplog
cookie LB insert
server web1-srv 10.164.29.225:80 cookie web1-srv check # backend server.
server web2-srv 10.164.27.31:80 cookie web2-srv check # backend server.
Related
I'm trying to configure a frontend bound to port X, but I want to pass the traffic to my backend on port Y.
For example, let's say X=1337 and Y=8000, I want to basically have something like :
frontend myfrontend
bind *:1337
# some directive to pass traffic on port 8000
default_backend mybackend
backend mybackend
server myserver SERVER_IP
Keep in mind that my actual current config looks like this (minus irrelevant sections) :
defaults
mode tcp
default_backend mybackend
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend myfrontend1
# for example here I want to bind to 3000 and forward to 30000, instead of binding to 30000 directly
bind *:30000
frontend myfrontend2
# for example here I want to bind to 4000 and forward to 30100, instead of binding to 30100 directly
bind *:30100
# and many other frontends...
backend mybackend
mode tcp
balance roundrobin
server server1 PRIVATE_IP1_HERE
server server2 PRIVATE_IP2_HERE
It's basically a Kubernetes cluster, server1 and server2 are nodes I'm load balancing. And because I'm using NodePorts for my services, I'm restricted to ports 30000-32767 only.
You can set the backend port, listing your servers:
frontend myfrontend1
bind *:1337
mode tcp
use_backend mybackend
backend mybackend1
mode tcp
option tcp-check
balance roundrobin
server server1 PRIVATE_IP1_HERE:8080 check
server server2 PRIVATE_IP2_HERE:8080 check
Although if you have multiple frontends, that should connect different ports on the same set of servers: you would need to define separate backends:
frontend myfrontendN
bind *:1337
mode tcp
use_backend mybackendN
backend mybackendN
mode tcp
option tcp-check
balance roundrobin
server server1 PRIVATE_IP1_HERE:N check
server server2 PRIVATE_IP2_HERE:N check
I have a Haproxy to redirect from https://sede.example.com.br to https://sede.example.pub. The problem the Haproxy configuration is not following the redirection.
If I test with the curl command passing -L argument (follow redirects), it works fine
curl -L https://sede.example.com.br
But I need to work without the -L option, because and have an API system that make some Post and Get operation and doesn't follow redirection. So I need do that in the Haproxy.
The configuration:
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend http-in
option httplog
bind *:80
bind *:443 ssl crt /usr/local/etc/haproxy/haproxy.cfg/certs/
timeout http-request 60s
timeout http-keep-alive 4s
acl https ssl_fc
http-request set-header X-Forwarded-Proto http if !https
http-request set-header X-Forwarded-Proto https if https
stats uri /haproxy?examplehaproxystats74581257445
log-format %{+Q}o\ %{-Q}ci\ -\ -\ [%T]\ %r\ %ST\ %B\ \"\"\ \"\"\ %cp\ %ms\ %ft\ %b\ %s\ \%Tq\ $
acl sede_acl req.hdr(host) -i -m str sede.example.com.br
redirect code 301 prefix https://sede.example.pub if sede_acl
Any ideia in my configuration?
Well you can try the following snipplet, it's untested but I hope you get the idea
frontend http-in
option httplog
bind *:80
bind *:443 ssl crt /usr/local/etc/haproxy/haproxy.cfg/certs/
timeout http-request 60s
timeout http-keep-alive 4s
acl https ssl_fc
http-request set-header X-Forwarded-Proto http if !https
http-request set-header X-Forwarded-Proto https if https
stats uri /haproxy?examplehaproxystats74581257445
log-format %{+Q}o\ %{-Q}ci\ -\ -\ [%T]\ %r\ %ST\ %B\ \"\"\ \"\"\ %cp\ %ms\ %ft\ %b\ %s\ \%Tq\ $
acl sede_acl req.hdr(host) -i -m str sede.example.com.br
# redirect code 301 prefix https://sede.example.pub if sede_acl
use_backend sede_acl if sede_acl
backend sede_acl
http-request set-header Host sede.example.pub
server sede-server sede.example.pub:443 sni sede.example.pub ssl
I have an angular client that calls a rest service deployed on an application server. Between the two stands a haproxy that forwards the requests coming from the client to the REST service. When using Internet explorer and the response time is greater than 1 minute, when the REST service returns, the response is not sent to the client. The client still waits for the response.
This seems to be a haproxy issue since when bypassing haproxy, the request returns as expected after ~3-4 minutes.
I have tried all the different timeouts (client, server, http-request) but nothing seems to solve this.
My haproxy configuration can be found below:
global
log /dev/log local0
#log /dev/log local1 notice
#chroot /var/lib/haproxy
#stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
maxconn 2000
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
tune.maxrewrite 1024
tune.bufsize 32768
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option httplog
option dontlognull
option log-separate-errors
option redispatch
retries 3
timeout connect 5000
timeout client 1200s
timeout server 1200s
errorfile 400 /var/log/haproxy/errors/400.http
errorfile 403 /var/log/haproxy/errors/403.http
errorfile 408 /var/log/haproxy/errors/408.http
errorfile 500 /var/log/haproxy/errors/500.http
errorfile 502 /var/log/haproxy/errors/502.http
errorfile 503 /var/log/haproxy/errors/503.http
errorfile 504 /var/log/haproxy/errors/504.http
listen haproxy-monitoring
bind *:1900
mode http
stats enable # Enable satistics
stats uri /haproxy?stats # Dashboard URL
stats realm Strictly\ Private
stats auth haproxyanalytics:haproxyanalytics # Username / Password
stats hide-version # Hide the version of HAProxy used
# APACHE web servers
#frontend haproxy-apache
# bind *:8001 transparent
# mode http
# default_backend apache-nodes
frontend http-in
bind *:80 transparent
acl has_special_uri path_beg /cxf
use_backend rest-service if has_special_uri
default_backend apache-web
backend apache-web
mode http
balance roundrobin
option forwardfor # ensures the forwarded request includes the actual client IP address
option httpclose
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
#option httpchk HEAD / HTTP/1.1\r\nHost:localhost # defines the check HAProxy uses to test if a web server is still valid for forwarding requests
server "apache-1" ${CURRENT_NODE_IP}:${APACHE_PORT} check
backend rest-service
mode http
balance roundrobin
option forwardfor # ensures the forwarded request includes the actual client IP address
option httpclose
option accept-invalid-http-request
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
#option httpchk HEAD / HTTP/1.1\r\nHost:localhost # defines the check HAProxy uses to test if a web server is still valid for forwarding requests
server "karaf-1" ${CURRENT_NODE_IP}:${KARAF_REST_PORT} check
I am trying to pass dynamic value based on user_id in haproxy for my java Rest Services.
localhost:/AAA/BBB/{userid}
Following Statement are example
localhost:/AAA/BBB/1
localhost:/AAA/BBB/2
localhost:/AAA/BBB/3
I want to pass it through haproxy . I have following configuration..
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL).
ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4- SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend http
bind *:80
acl msg-listing-read path_end -i /AAA/BBB/{user_id}
use_backend ppl-be-msg-listing-read-dev if msg-listing-read
backend ppl-be-msg-listing-read-dev
balance roundrobin
server ppl-msg-listing-read-dev localhost:8080 maxconn 32 check
listen stats
bind 0.0.0.0:81
stats enable
stats uri /
Any idea will be appreciated and Thanks in Advance.
I have only one PUBLIC IP address and two web servers one for each site I run. I have been trying to setup an HAproxy to redirect the requests to the correct web server, as following:
If user calls www.domain1.com, the HA proxy send this request to internal IP 192.168.0.249
If user calls www.domain2.com, it will be redirect to internal IP 192.168.0.100
I have made some searches on the Internet and I have made the following configuration for HAProxy.
global
log 127.0.0.1 local0 notice
maxconn 2000
user haproxy
group haproxy
defaults
log global
mode http
option httplog
option dontlognull
retries 3
option redispatch
timeout connect 5000
timeout client 10000
timeout server 10000
#stats
listen StatServer 0.0.0.0:80
mode http
stats enable
stats usi /haproxy?stats
stats reaml Strictly\ Private
stats auth user:pass
frontend http-in
bind *:80
default_backend domain1
reqadd X-forwarded-Proto:\ http
acl req_dimain2 hdr_beg(host) -i www.domain2.com
acl req_domain2 hdr_beg(host) -i domain2.com
use_backend domain2 if req_domain2
backend domain2
mode http
balance roundrobin
option httplog
option httpclose
option forwardfor
cookie JSSESIONID prefix
option httpchk HEAD /check.txt HTTP/1.0
server domain2 192.168.0.249 cookie avi_cr weight 1 maxconn 2000 check port 80 inter 2000 rise 2 fall 2
backend dimain1
mode http
balance roundrobin
option httplog
option httpclose
option forwardfor
cookie JESSESSIONID prefix
option httpchk HEAD /check.txt HTTP/1.0
server domain1 192.168.0.100 cookie atc_srv weight 1 maxconn 2000 check port 80 inter 2000 rise 2 fall 2
On haproxy stats page I always have both domain1 and domain2 DOWN and pages got error 503. Any help will be appreciated.
Regards.
Marcio
503 Error means HAproxy server didn't get proper web server.You can check on HAproxy front-end part.