We Keep Coding

Haproxy redirecting

I have a Haproxy to redirect from https://sede.example.com.br to https://sede.example.pub. The problem the Haproxy configuration is not following the redirection.
If I test with the curl command passing -L argument (follow redirects), it works fine
curl -L https://sede.example.com.br
But I need to work without the -L option, because and have an API system that make some Post and Get operation and doesn't follow redirection. So I need do that in the Haproxy.
The configuration:
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
frontend http-in
option httplog
bind *:80
bind *:443 ssl crt /usr/local/etc/haproxy/haproxy.cfg/certs/
timeout http-request 60s
timeout http-keep-alive 4s
acl https ssl_fc
http-request set-header X-Forwarded-Proto http if !https
http-request set-header X-Forwarded-Proto https if https
stats uri /haproxy?examplehaproxystats74581257445
log-format %{+Q}o\ %{-Q}ci\ -\ -\ [%T]\ %r\ %ST\ %B\ \"\"\ \"\"\ %cp\ %ms\ %ft\ %b\ %s\ \%Tq\ $
acl sede_acl req.hdr(host) -i -m str sede.example.com.br
redirect code 301 prefix https://sede.example.pub if sede_acl
Any ideia in my configuration?

Well you can try the following snipplet, it's untested but I hope you get the idea
frontend http-in
option httplog
bind *:80
bind *:443 ssl crt /usr/local/etc/haproxy/haproxy.cfg/certs/
timeout http-request 60s
timeout http-keep-alive 4s
acl https ssl_fc
http-request set-header X-Forwarded-Proto http if !https
http-request set-header X-Forwarded-Proto https if https
stats uri /haproxy?examplehaproxystats74581257445
log-format %{+Q}o\ %{-Q}ci\ -\ -\ [%T]\ %r\ %ST\ %B\ \"\"\ \"\"\ %cp\ %ms\ %ft\ %b\ %s\ \%Tq\ $
acl sede_acl req.hdr(host) -i -m str sede.example.com.br
# redirect code 301 prefix https://sede.example.pub if sede_acl
use_backend sede_acl if sede_acl
backend sede_acl
http-request set-header Host sede.example.pub
server sede-server sede.example.pub:443 sni sede.example.pub ssl

haproxy randomly responses status code 503

I know there are many questions with this title, but I tried all solutions without any luck.
I have haproxy in front of 2 apache and another third standalone server in debian 9.
when I try mysite.com (backend_g1 in the config file) with https, it is always responding 200. but when I access it using http (that I replace it to https in the haproxy config file), there are 503
responses randomly ! this is my haproxy.cfg:
global
log /dev/log local0 notice
log /dev/log local1 notice
log 127.0.0.1 local2 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
maxconn 512
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
tune.ssl.default-dh-param 2048
defaults
log global
mode http
option httplog
option dontlognull
maxconn 512
timeout connect 5000
timeout client 600000
timeout server 600000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http
# HTTP Auth
userlist basic-auth-list
group is-admin
# Plaintext password
user admin password $5$GnrqkuBdodw$./ groups is-admin
frontend stats
bind *:8404
stats enable
stats uri /stats
stats refresh 10s
stats admin if LOCALHOST
frontend http-in
bind *:80
bind *:443 ssl crt /etc/ssl/mysite.com/mysite.com.pem
mode http
acl no_https ssl_fc,not
http-request redirect scheme https code 307 if no_https
acl g0_path path -i str /265952.txt
acl g0_path path -i str /registerInfo.php
acl g0_path path -i str /register
acl g0_path path -i str /register/
acl g0_path path_beg /icon/g0/
acl g0_path path_beg /css/g0/
acl g0_path path_beg /image/g0/
acl g0_path path_beg /icon/favicon/
acl g0_path path_beg /tool/
acl g0_path path_beg /lib/
acl g0_path path_beg /libs/
acl g0_path path_beg /asset/
acl g0_path path_beg /.well-known/
acl g0_path path_beg /pay/
acl g0_path path -i str /testing987.php
acl mysite_shop_id path,map_str(/etc/haproxy/maps/mysite_shop_id.map) -m found
http-request set-path /page?id=%[path,map(/etc/haproxy/maps/mysite_shop_id.map)] if { ssl_fc } mysite_shop_id
acl app_android_myshop path -i str /app/android/mysite-myshop.apk
http-request set-path /download/mobile/android/mysite-myshop.apk if app_android_myshop
acl g0_path path_beg /download/
acl mysite_admin1234567890 path_beg /mysite_admin1234567890/
use_backend backend_g0 if g0_path || app_android_myshop
# use_backend backend_nama if nama_path
use_backend backend_mysite_admin1234567890 if mysite_admin1234567890
default_backend backend_g1
backend backend_g0
balance roundrobin
cookie SERVERID insert
option http-keep-alive
timeout http-keep-alive 10s
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
server g0 127.0.0.1:800 cookie g0
backend backend_mysite_admin1234567890
acl devops-auth http_auth_group(basic-auth-list) is-admin
http-request auth realm mysite_admin1234567890 unless devops-auth
option forwardfor
server mysite_admin1234567890 127.0.0.1:19999
http-request set-path %[path,regsub(^/mysite_admin1234567890/,/)]
http-request set-header Host %[src]
http-request set-header X-Forwarded-For %[src]
http-request set-header X-Forwarded-Port %[dst_port]
http-request set-header Connection "keep-alive"
backend backend_g1
cookie SERVERID insert
option http-keep-alive
timeout http-keep-alive 20s
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
server g1 127.0.0.1:8080 cookie g1

Maybe a mistake:
...
backend backend_g0
balance roundrobin # only on app at the end of this block
cookie SERVERID insert
option http-keep-alive
timeout http-keep-alive 10s
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
server g0 127.0.0.1:800 cookie g0 # only one app
...
Maybe you should remove balance roundrobin if you have only one app after
And then
server g0 127.0.0.1:800 cookie g0 # wrong port ?
server g1 127.0.0.1:8080 cookie g1

Internet explorer connection is lost after 1 minute when using haproxy in between

I have an angular client that calls a rest service deployed on an application server. Between the two stands a haproxy that forwards the requests coming from the client to the REST service. When using Internet explorer and the response time is greater than 1 minute, when the REST service returns, the response is not sent to the client. The client still waits for the response.
This seems to be a haproxy issue since when bypassing haproxy, the request returns as expected after ~3-4 minutes.
I have tried all the different timeouts (client, server, http-request) but nothing seems to solve this.
My haproxy configuration can be found below:
global
log /dev/log local0
#log /dev/log local1 notice
#chroot /var/lib/haproxy
#stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
maxconn 2000
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
tune.maxrewrite 1024
tune.bufsize 32768
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option httplog
option dontlognull
option log-separate-errors
option redispatch
retries 3
timeout connect 5000
timeout client 1200s
timeout server 1200s
errorfile 400 /var/log/haproxy/errors/400.http
errorfile 403 /var/log/haproxy/errors/403.http
errorfile 408 /var/log/haproxy/errors/408.http
errorfile 500 /var/log/haproxy/errors/500.http
errorfile 502 /var/log/haproxy/errors/502.http
errorfile 503 /var/log/haproxy/errors/503.http
errorfile 504 /var/log/haproxy/errors/504.http
listen haproxy-monitoring
bind *:1900
mode http
stats enable # Enable satistics
stats uri /haproxy?stats # Dashboard URL
stats realm Strictly\ Private
stats auth haproxyanalytics:haproxyanalytics # Username / Password
stats hide-version # Hide the version of HAProxy used
# APACHE web servers
#frontend haproxy-apache
# bind *:8001 transparent
# mode http
# default_backend apache-nodes
frontend http-in
bind *:80 transparent
acl has_special_uri path_beg /cxf
use_backend rest-service if has_special_uri
default_backend apache-web
backend apache-web
mode http
balance roundrobin
option forwardfor # ensures the forwarded request includes the actual client IP address
option httpclose
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
#option httpchk HEAD / HTTP/1.1\r\nHost:localhost # defines the check HAProxy uses to test if a web server is still valid for forwarding requests
server "apache-1" ${CURRENT_NODE_IP}:${APACHE_PORT} check
backend rest-service
mode http
balance roundrobin
option forwardfor # ensures the forwarded request includes the actual client IP address
option httpclose
option accept-invalid-http-request
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
#option httpchk HEAD / HTTP/1.1\r\nHost:localhost # defines the check HAProxy uses to test if a web server is still valid for forwarding requests
server "karaf-1" ${CURRENT_NODE_IP}:${KARAF_REST_PORT} check

How to access a backend ressource on / from a /SOMETHING/ path

I am trying to access my router web interface through my HAProxy server. So far, it looks easy! But after a heavy search party, I've come to put my destiny into your hands.
Environment:
Haproxy 1.8.8 which runs into a container.
Freebox Web Portal: https://192.168.1.254.
It should work with a specific path this way:
The User enter into a browser this url:
https://example.com/freebox
The HAProxy Configuration detects the path /freebox on port 443 then forward it to the corresponding backend.
The backend sees the /freebox path and strip it to / so the url looks like this: https://example.com/
This url match the backend url (meant without a specific path) so it should work but does not.
What works for me:
I can use SSL configuration on both sides.
I can detect the correct path and provide the right backend
I can change the detected path and provide the corresponding backend
Frontend: https://example.com/home --> Backend: https://192.168.1.2/domoticz
What I've tried to resolve my issue:
I've changed few thing before the request arrives into the backend:
Frontend www-https
...
acl path_freebox url_beg /freebox
http-request set-header X-Location-Path %[capture.req.uri] if path_freebox
http-request replace-header X-Location-Path /freebox / if path_freebox
http-request redirect location %[hdr(X-Location-Path)] if path_freebox
use_backend backend_freebox if path_freebox
...
I've strip the /freebox to / (FYI the "or" are on in the conf file):
backend backend_freebox
reqirep ^([^\ :]*)\ /freebox/(.*) \1\2
or
reqrep ^([^\ ]*\ /)freebox[/]?(.*) \1\2
or
reqirep ^([^\ :]*)\ /freebox/(.*) \1\ /\2
or
reqrep ^([^\ ]*\ /)freebox[/]?(.*) \1\/\2
or
http-request set-path %[path,regsub(^/freebox/?,/)]
or
http-request set-uri %[url,regsub(^/freebox,/,)]
server freebox 192.168.1.254:443 ssl verify none
I've set headers then strip the path:
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
reqirep ^([^\ :]*)\ /freebox/(.*) \1\2
server freebox 192.168.1.254:443 ssl verify none
I've changed the origin then strip the trailing path:
http-request set-header Orig-Path /freebox/
http-request set-header X-Script-Path /freebox/
http-request set-header Host example.com
or
http-request set-header Orig-Path /freebox
http-request set-header X-Script-Path /freebox
http-request set-header Host example.com
reqirep ^([^\ :]*)\ /freebox/(.*) \1\2
server freebox 192.168.1.254:443 ssl verify none
This one half worked, I could get a view of the portal with that method, but could not use it as "Error" was written on it.
My full HAProxy Configuration:
global
# Logging to rsyslog on localhost local2
log 127.0.0.1 local2 debug
# System Security
#chroot /var/lib/haproxy
#stats socket /run/haproxy/admin.sock mode 660 level admin
#stats timeout 30s
#user haproxy
#group haproxy
# Start as daemon
daemon
# Default SSL Ciphers
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-server-options no-sslv3 no-tls-tickets
tune.ssl.default-dh-param 2048
defaults
mode tcp
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
errorfile 400 /usr/local/etc/haproxy/errors/400.http
errorfile 403 /usr/local/etc/haproxy/errors/403.http
errorfile 408 /usr/local/etc/haproxy/errors/408.http
errorfile 500 /usr/local/etc/haproxy/errors/500.http
errorfile 502 /usr/local/etc/haproxy/errors/502.http
errorfile 503 /usr/local/etc/haproxy/errors/503.http
errorfile 504 /usr/local/etc/haproxy/errors/504.http
frontend www-https
# Bind this frontend to the port 443 with ssl configuration
bind *:443 ssl crt /etc/ssl/example.com
mode http
# Full logging to localhost
log 127.0.0.1 local2
option httplog
# Whitelist
#acl network_allowed src 20.30.40.50 8.9.9.0/27
#tcp-request connection reject if !network_allowed
# Pour forwarder l'identité des clients (To be verified)
reqadd X-Forwarded-Proto:\ http
reqadd X-Forwarded-Proto:\ https
# Default Backend
default_backend backend_trash
# ACLs to determine the backend defined on the path
acl path_domoticz url_beg /domoticz/
use_backend backend_domoticz if path_domoticz
acl path_gitlab url_beg /gitlab
use_backend backend_gitlab if path_gitlab
acl path_pihole url_beg /pihole
use_backend backend_pihole if path_pihole
acl path_freebox url_beg /freebox
use_backend backend_freebox if path_freebox
#acl path_orbi url_beg /orbi
#use_backend backend_orbi if path_orbi
# Backend Configuration
backend backend_domoticz
mode http
server domoticz 192.168.1.2:443 ssl verify none
backend backend_gitlab
mode http
server gitlab 192.168.1.6:443 ssl verify none
backend backend_pihole
mode http
reqirep ^([^\ :]*)\ /pihole/(.*) \1\ /hole/\2
server hole 192.168.1.8:443 ssl verify none
backend backend_freebox
mode http
#option forwardfor
#http-request set-header X-Forwarded-Port %[dst_port]
#http-request add-header X-Forwarded-Proto https if { ssl_fc }
#option httpchk HEAD / HTTP/1.1\r\nHost:localhost
#reqrep ^([^\ ]*\ /)freebox[/]?(.*) \1\2
#reqirep ^([^\ :]*)\ /freebox/(.*) \1\2
#http-request set-uri %[url,regsub(^/freebox,/,)]
#http-request set-path %[path,regsub(^/freebox/?,/)]
#http-request set-header Orig-Path /freebox/
#http-request set-header X-Script-Path /freebox/
#http-request set-header Host starfly.ovh
#reqirep ^([^\ :]*)\ /freebox/(.*) \1\ /\2
#reqrep ^([^\ ]*\ /)freebox[/]?(.*) \1\/\2
server freebox 192.168.1.254:443 ssl verify none
#backend backend_orbi
#(Not Working)
#mode http
#reqirep ^([^\ :]*)\ /orbi/(.*) \1\2
#server orbi 192.168.1.56:443 ssl verify none
backend backend_trash
mode http
http-request deny
Expected behavior:
I wish I could keep my trailing path /freebox and still access the backend on /.
I don't know if it is possible, may be you guys can help me figure it out ?
Thanks a lot !

Haproxy multiple backends accessed with same path

I have 4 java apps running on my server, 2 primary & 2 subapps, that I need to access via Haproxy.
app1 ----> listens on tcp:8442 accessed at app1.domain.org
subapp1 ----> listens on tcp:9001 and is accessed with path app1.domain.org/abc
app2 ----> listens on tcp:8444 accessed at app2.domain.org
subapp2 ----> listens on tcp:9000 and is accessed with path app2.domain.org/abc
so the sub apps are both accessed using the same path
I'm having trouble getting Haproxy to route requests to the correct sub app. With the included config accessing the primary apps is working fine, but depending on the order of the use_backend statements, all sub app requests are being routed to the same back end (which ever is listed first). No difference is observed if I reorder the ACL's though. It seems like the ACL's are not correctly matching the inbound request.
Any help is appreciated!
my config:
global
log localhost local1
log-send-hostname server-hostname
maxconn 1024
user root
group root
daemon
pidfile /var/run/haproxy.pid
ssl-default-bind-options no-sslv3 no-tls-tickets
defaults
log global
mode http
option dontlognull
option forwardfor
no option http-server-close
no option accept-invalid-http-request
timeout client 600s
timeout client-fin 10s
timeout server 600s
stats enable
stats auth user:password
stats uri /haproxyStats
listen admin
mode http
bind *:8080
stats enable
stats hide-version
stats realm Haproxy\ Statistics
stats uri /
stats auth user:password
frontend http-in
bind *:80
acl invalid_src src 0.0.0.0/7 224.0.0.0/3
acl invalid_src src_port 0:1023
http-request deny if invalid_src
option tcplog
log-format %ci\ %f\ %b\ %ST\ %{+Q}r\ %Tr
redirect scheme https code 301 if !{ ssl_fc }
frontend https-in
bind *:443 ssl crt /etc/haproxy/ssl.cert
mode http
acl test_sapp path_beg -i /abc
acl test_sapp hdr(host) -m dom -i *app2.domain.com*
acl prod_sapp path_beg -i /abc
acl prod_sapp hdr(host) -m dom -i *app1.domain.com*
acl test_app1 hdr_end(host) -i app2.domain.com
acl prod_app1 hdr_end(host) -i app1.domain.com
acl invalid_src src 0.0.0.0/7 224.0.0.0/3
acl invalid_src src_port 0:1023
http-request deny if invalid_src
option tcplog
log-format %r
reqadd X-Forwarded-Proto:\ https
use_backend sapp-test if test_sapp
use_backend sapp-prod if prod_sapp
use_backend app-prod if prod_app1
use_backend app-test if test_app1
timeout client 600s
timeout client-fin 10s
backend app-prod
balance leastconn
option httpclose
option forwardfor
server prod-web-node 127.0.0.1:8442 cookie A check
timeout server 600s
backend app-test
option httpclose
option forwardfor
server test-web-node 127.0.0.1:8444 cookie A check
timeout server 600s
backend sapp-prod
balance leastconn
option httpclose
option forwardfor
server prod-mdr-node 127.0.0.1:9001 cookie A check
timeout server 600s
backend sapp-test
balance leastconn
option httpclose
option forwardfor
server test-mdr-node 127.0.0.1:9000 cookie A check
timeout server 600s

This is untested but I think this https-in frontend should work:
frontend https-in
bind *:443 ssl crt /etc/haproxy/ssl.cert
mode http
acl prod_domain hdr(host) -i app1.domain.com
acl test_domain hdr(host) -i app2.domain.com
acl sub_app path_beg -i /abc
acl invalid_src src 0.0.0.0/7 224.0.0.0/3
acl invalid_src src_port 0:1023
http-request deny if invalid_src
option tcplog
log-format %r
reqadd X-Forwarded-Proto:\ https
use_backend sapp-test if sub_app test_domain
use_backend sapp-prod if sub_app prod_domain
use_backend app-prod if prod_domain
use_backend app-test if test_domain
timeout client 600s
timeout client-fin 10s
The key is on the use_backend sapp-test and use_backend sapp-prod lines where the backend is only selected if both the sub_app acl and the test_domain/prod_domain acl are true. Otherwise it falls back to either the app-prod or app-test backends.
Hope that helps :)