I have set up HAProxy in front of Apache, which is working fine, but I am not able to make API calls from another domain. It was a CORS issue, so I added
rspadd Access-Control-Allow-Origin:\ *
But it is still not adding the response headers to the API call.
Please let me know: is there another way to achieve this?
Here is my whole haproxy.cfg file
# Process-wide settings for this HAProxy instance.
global
log 127.0.0.1 local2
#log 127.0.0.1 local1 notice
#log loghost local0 info
#log /dev/log local0 info
log-tag haproxy
maxconn 4096
chroot /usr/share/haproxy
uid 99
gid 99
daemon
# Per the HAProxy docs, "debug" dumps every exchange to stdout and disables
# daemon mode (it overrides the "daemon" line above); it is meant for
# troubleshooting only, not for a production configuration.
debug
#quiet
# Settings inherited by every frontend/backend declared below.
defaults
log global
mode http
option httplog
option dontlognull
retries 3
redispatch
maxconn 2000
# contimeout/clitimeout/srvtimeout are the legacy spellings of
# "timeout connect" / "timeout client" / "timeout server" (milliseconds).
contimeout 5000
clitimeout 5000
srvtimeout 5000
frontend https
#bind *:80
bind *:443 ssl crt /etc/ssl/certs/server.bundle.pem
# The full request body is buffered, captured (up to 400000 bytes) and
# written verbatim into the log line below. Bodies routinely carry
# credentials and personal data, so logging them in full is a data-exposure
# risk; capture only the fields needed for troubleshooting.
option http-buffer-request
declare capture request len 400000
http-request capture req.body id 0
log-format {"%[capture.req.hdr(0)]"}
# /opt/causeway/etc/libwebsockets-cpa.pem
# path_beg is case-sensitive unless "-i" is given: this ACL matches "/API"
# only, while the plain-HTTP frontend matches "/api". An HTTPS call to /api
# therefore falls through to default_apache and never reaches the backend
# that adds the CORS headers. Use the same pattern in both frontends
# (e.g. "path_beg -i /api").
acl httpsapi path_beg /API
use_backend serv_https_api if httpsapi
default_backend default_apache
frontend http
bind *:80
#bind *:443 ssl crt /etc/ssl/certs/server.bundle.pem
acl api path_beg /api
use_backend serv_api if api
default_backend default_apache
backend default_apache
server apache 127.0.0.1:81
backend serv_api
server server1 127.0.0.1:7687
# rspadd rewrites responses coming back from the server; errors generated by
# HAProxy itself (e.g. a 503 while server1 is down) do not get these headers.
# Browsers also expect the CORS preflight (OPTIONS) request to succeed at the
# server before the real call is made. "Access-Control-Allow-Origin: *"
# admits every origin and is rejected by browsers for credentialed requests.
# rspadd is deprecated; the current form is "http-response add-header".
rspadd Access-Control-Allow-Origin:\ *
rspadd Access-Control-Max-Age:\ 31536000
backend serv_https_api
server server2 127.0.0.1:7687
# Same CORS caveats as in serv_api above.
rspadd Access-Control-Allow-Origin:\ *
rspadd Access-Control-Max-Age:\ 31536000
# mode tcp
# log global
# tcp-request inspect-delay 5s
# tcp-request content accept if { req.ssl_hello_type 1 }
Any help is highly appreciated.
Can you help me with this issue?
I have two old domains (www.rvsite.com, rvsite.com) and want to redirect them to the new domain www.rv-site.com with HAProxy.
haproxy.cfg
# Global settings
#---------------------------------------------------------------------
global
log /dev/log local0 info
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
# Disables TLS certificate verification for every backend server connection
# (the backend below repeats it with "verify none"), so a spoofed origin
# cannot be detected. Prefer "verify required" with a CA file.
ssl-server-verify none
user haproxy
group haproxy
daemon
#---------------------------------------------------------------------
defaults
log global
timeout client 10m
timeout connect 10m
timeout server 10m
mode http
# "tcplog" records no HTTP fields; "option httplog" is the format that
# matches "mode http".
option tcplog
option http-keep-alive
option http-use-htx
#---------------------------------------------------------------------
frontend rvsite-front
mode http
log global
option forwardfor
# NOTE(review): ALPN is negotiated inside TLS, so "alpn" on this plain-text
# bind is presumably ignored — confirm against the HAProxy version in use.
bind *:80 alpn h2,http/1.1
bind *:443 ssl crt /etc/ssl/rv-ssl/rv.pem crt /etc/ssl/rv-ssl/rvsite.pem
# The question asks to redirect rvsite.com and www.rvsite.com; this ACL
# lists www.rendezvous.com rather than www.rvsite.com, and matching requests
# are only routed to rvsite-back below, not redirected. A redirect to the
# new host would look like:
#   http-request redirect prefix https://www.rv-site.com code 301 if rvredirect
acl rvredirect hdr(host) -i rvsite.com www.rendezvous.com
http-request redirect scheme https code 301 unless { ssl_fc }
use_backend rvsite-back if rvredirect
default_backend rvsite-back
backend rvsite-back
mode http
log global
# "verify none": the TLS hop to 10.3.3.236 is encrypted but unauthenticated.
server backend 10.3.3.236:8443 check ssl verify none
On different hosts there are two identical sites on IIS web servers; access to them is open on two ports, 443 and 9000. If I enable both hosts in HAProxy, then when the site page is opened an endless page-refresh cycle occurs. It works if I disable one of the hosts or set the weights to srv1 weight 100 and srv2 weight 0. How can I fix this?
My haproxy config:
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
log 127.0.0.1 local2
# log /dev/log local0
# log /dev/log local1 notice
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 10000
user haproxy
group haproxy
daemon
# turn on stats unix socket
# "mode 666" makes the socket writable by every local user; "level user"
# limits what they can do, but a tighter mode (e.g. 660 plus a dedicated
# group) is the usual hardening.
stats socket /var/lib/haproxy/stats mode 666 level user
ssl-default-bind-options no-sslv3
# NOTE(review): "-3DES" is later followed by "RSA+3DES", which re-adds those
# suites in OpenSSL cipher-string semantics ("!" is the permanent exclusion);
# confirm the effective list with "openssl ciphers -v".
ssl-default-bind-ciphers EECDH:+AES256:-3DES:RSA+AES:RSA+3DES:!NULL:!RC4
# ssl-server-verify none
defaults
mode http
log global
option httplog
option dontlognull
#option http-server-close
#option forwardfor except 127.0.0.0/8
#option redispatch
retries 10
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 150s
timeout http-keep-alive 65s
timeout check 10s
maxconn 10000
log-format "%{+Q}o\ client = %ci:%cp, server = %si:%sp path = %HU, status = %ST, %b, t_простоя = %Ti, t_отклика = %Tr, t_сеанса = %Tt, request = %r, byte = %B"
frontend stats
# Plain-text bind on every interface: the basic-auth credential below and
# the /metrics endpoint are reachable by anyone who can connect to port 8404.
# Bind to a management address or restrict source IPs.
bind *:8404
# /metrics is served by this rule before the stats handling and does not
# appear to be covered by "stats auth".
http-request use-service prometheus-exporter if { path /metrics }
no log
stats enable
stats uri /stats
stats refresh 10s
# Trivially guessable credential, stored in clear text in the config.
stats auth adm:123
frontend http
bind *:80
mode http
redirect scheme https if !{ ssl_fc }
frontend https
bind *:443 ssl crt /etc/haproxy/tls/haproxy.pem alpn h2,http/1.1
bind *:9000 ssl crt /etc/haproxy/tls/haproxy.pem alpn h2,http/1.1
option forwardfor
option http-keep-alive
http-request add-header X-Forwarded-Proto https
http-request set-header X-Client-IP %[src]
# Note: a 404 is sent to the same /500 page as the server-side errors.
errorloc 404 https://xxxx.com/500
errorloc 500 https://xxxx.com/500
errorloc 503 https://xxxx.com/500
errorloc 504 https://xxxx.com/500
use_backend https if { hdr(host) -i xxxx.com }
use_backend 9000 if { hdr(host) -i xxxx.com:9000 }
backend https
balance roundrobin
# Each server carries a "cookie" value, but no "cookie <name> insert ..."
# directive declares the persistence cookie in this backend, so no
# Set-Cookie is ever sent and roundrobin alternates srv1/srv2 on every
# request. "verify none" also leaves the TLS hop to the IIS hosts
# unauthenticated.
server srv1 192.168.1.11:443 check cookie srv1 weight 80 ssl verify none
server srv2 192.168.1.111:443 check cookie srv2 weight 20 ssl verify none
backend 9000
balance roundrobin
# Same as backend "https": no "cookie <name>" directive declares the cookie.
server srv1 192.168.1.11:9000 check cookie srv1 weight 80 ssl verify none
server srv2 192.168.1.111:9000 check cookie srv2 weight 20 ssl verify none
You are using the "cookie" strategy for load balancing, but there is no directive that sets this cookie:
# Quoted from the question: each server carries a "cookie" value, but the
# backend never declares the cookie itself (no "cookie <name> ..." line).
balance roundrobin
server srv1 192.168.1.11:443 check cookie srv1 weight 80 ssl verify none
server srv2 192.168.1.111:443 check cookie srv2 weight 20 ssl verify none
As a result, the client talks to both servers alternately. This does not work well with IIS (and/or the underlying technologies).
Simply tell HAProxy which cookie to set and use; for example, a cookie named SERVERID:
balance roundrobin
# Declares the persistence cookie: HAProxy inserts "Set-Cookie: SERVERID=<server
# cookie value>" on responses ("insert"), does not forward that cookie to the
# server ("indirect") and marks responses carrying it as non-cacheable
# ("nocache"). "verify none" still leaves the TLS hop unauthenticated.
cookie SERVERID insert indirect nocache
server srv1 192.168.1.11:443 check cookie srv1 weight 80 ssl verify none
server srv2 192.168.1.111:443 check cookie srv2 weight 20 ssl verify none
If the client already has a SERVERID cookie, then HAProxy sends the traffic to the corresponding server.
If the client does not have a SERVERID cookie, then HAProxy chooses a server and instructs the client to store it, for example with Set-Cookie: SERVERID=s1.
Source : https://www.haproxy.com/blog/load-balancing-affinity-persistence-sticky-sessions-what-you-need-to-know/
I have an angular client that calls a rest service deployed on an application server. Between the two stands a haproxy that forwards the requests coming from the client to the REST service. When using Internet explorer and the response time is greater than 1 minute, when the REST service returns, the response is not sent to the client. The client still waits for the response.
This seems to be a haproxy issue since when bypassing haproxy, the request returns as expected after ~3-4 minutes.
I have tried all the different timeouts (client, server, http-request) but nothing seems to solve this.
My haproxy configuration can be found below:
global
log /dev/log local0
#log /dev/log local1 notice
#chroot /var/lib/haproxy
#stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
maxconn 2000
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
tune.maxrewrite 1024
tune.bufsize 32768
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
# An alternative list with additional directives can be obtained from
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
defaults
log global
mode http
option httplog
option dontlognull
option log-separate-errors
option redispatch
retries 3
# "timeout connect" without a unit is in milliseconds (5 s); client and
# server timeouts are 20 minutes. No "timeout http-request" or
# "timeout http-keep-alive" is set in this section.
timeout connect 5000
timeout client 1200s
timeout server 1200s
errorfile 400 /var/log/haproxy/errors/400.http
errorfile 403 /var/log/haproxy/errors/403.http
errorfile 408 /var/log/haproxy/errors/408.http
errorfile 500 /var/log/haproxy/errors/500.http
errorfile 502 /var/log/haproxy/errors/502.http
errorfile 503 /var/log/haproxy/errors/503.http
errorfile 504 /var/log/haproxy/errors/504.http
listen haproxy-monitoring
# Stats page on every interface over plain HTTP, protected only by a
# basic-auth credential whose password equals the username and is stored in
# clear text here. Bind to a management address and use a real secret.
bind *:1900
mode http
stats enable # Enable statistics
stats uri /haproxy?stats # Dashboard URL
stats realm Strictly\ Private
stats auth haproxyanalytics:haproxyanalytics # Username / Password
stats hide-version # Hide the version of HAProxy used
# APACHE web servers
#frontend haproxy-apache
# bind *:8001 transparent
# mode http
# default_backend apache-nodes
frontend http-in
# NOTE(review): a "transparent" bind needs the matching kernel/TPROXY
# setup — confirm it is intended. This is the only bind in the file and it
# is plain HTTP, so "{ ssl_fc }" in the backends below is never true.
bind *:80 transparent
acl has_special_uri path_beg /cxf
use_backend rest-service if has_special_uri
default_backend apache-web
backend apache-web
mode http
balance roundrobin
option forwardfor # ensures the forwarded request includes the actual client IP address
option httpclose
http-request set-header X-Forwarded-Port %[dst_port]
# Never added here: the only frontend bind is plain *:80, so ssl_fc is false.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
#option httpchk HEAD / HTTP/1.1\r\nHost:localhost # defines the check HAProxy uses to test if a web server is still valid for forwarding requests
server "apache-1" ${CURRENT_NODE_IP}:${APACHE_PORT} check
backend rest-service
mode http
balance roundrobin
option forwardfor # ensures the forwarded request includes the actual client IP address
option httpclose
# Relaxes HTTP request parsing, which weakens protection against malformed
# requests. Per the HAProxy docs it is a defaults/frontend/listen option,
# so in a backend it is presumably ignored (expect a start-up warning); if
# it is really needed, scope it to the frontend and the offending clients.
option accept-invalid-http-request
http-request set-header X-Forwarded-Port %[dst_port]
# Never added here either: see the bind comment on frontend http-in.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
#option httpchk HEAD / HTTP/1.1\r\nHost:localhost # defines the check HAProxy uses to test if a web server is still valid for forwarding requests
server "karaf-1" ${CURRENT_NODE_IP}:${KARAF_REST_PORT} check
Here is my haproxy configuration
global
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 16384
user haproxy
group haproxy
daemon
# turn on stats unix socket
# No "mode"/"level" is given, so HAProxy's defaults apply; restrict the
# socket (e.g. "mode 660" with a dedicated group and an explicit "level")
# if other local users share this host.
stats socket /var/run/haproxy.cmd
defaults
mode http
log global
option httplog
option dontlognull
option httpclose
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 20s
timeout client 45s
timeout server 45s
timeout check 20s
maxconn 16384
# Stats page on every interface (":9000", plain HTTP). "stats admin if TRUE"
# lets anyone who passes the basic-auth prompt change server state from the
# page, and the credential below is a placeholder stored in clear text.
listen stats :9000
mode http
stats enable
stats uri /haproxy
stats realm HAProxy\ Statistics
stats auth haproxy:password
stats admin if TRUE
listen http :80
#balance leastconn
#balance roundrobin
# "balance source" hashes the client address, so every client behind one
# NAT lands on the same server.
balance source
option http-server-close
option forwardfor
server web1 10.0.2.10:8080 check inter 3000 rise 2 fall 3
server web2 10.0.2.11:8080 check inter 3000 rise 2 fall 3
# NOTE(review): for the "/" -> "/myapp" redirect asked about below, the
# documented keyword order is "redirect location <loc> code <code>"; the
# commented line puts "code" first and "myapp" lacks a leading slash, e.g.:
#   http-request redirect location /myapp code 301 if { path / }
# acl has_www hdr_beg(host) -i www
# http-request redirect code 301 location myapp
It is working like this:
I type http://www.example.com:8000 or http://www.example.com so it goes to jboss's 8080 port.
My application is actually accessible through example.com/suite, but because port 80 is blocked by the ISP I am using port 8000, so my application is accessible through example.com:8000/myapp.
I want to use haproxy config to forward whoever types example.com:8000 to example.com:8000/myapp
How to achieve it?
Am I missing something?
When you define a "server" in your backend section, you can attach a URI to the IP and port, as below, to achieve what you are looking for:
# Answer's example (note: the question's proxy listens on port 8000; this
# example binds 9876).
defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
frontend localnodes
bind 0.0.0.0:9876
mode http
default_backend nodes
backend nodes
mode http
balance roundrobin
option forwardfor
http-request set-header X-Forwarded-Port %[dst_port]
# Only true on an SSL bind; the frontend above binds plain 9876.
http-request add-header X-Forwarded-Proto https if { ssl_fc }
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
# NOTE(review): the "**" around myApp are markdown bold markers that leaked
# into the listing, and a "server" address takes only host[:port] — a URI
# path cannot be attached to it, so this line does not rewrite "/" to
# "/myApp" and is unlikely to parse. Change the path with an http-request
# rule instead, e.g.:
#   http-request redirect location /myApp code 301 if { path / }
server web01 127.0.0.1:8443/**myApp** check
I have 4 java apps running on my server, 2 primary & 2 subapps, that I need to access via Haproxy.
app1 ----> listens on tcp:8442 accessed at app1.domain.org
subapp1 ----> listens on tcp:9001 and is accessed with path app1.domain.org/abc
app2 ----> listens on tcp:8444 accessed at app2.domain.org
subapp2 ----> listens on tcp:9000 and is accessed with path app2.domain.org/abc
so the sub apps are both accessed using the same path
I'm having trouble getting HAProxy to route requests to the correct sub-app. With the included config, accessing the primary apps works fine, but depending on the order of the use_backend statements, all sub-app requests are routed to the same backend (whichever is listed first). Reordering the ACLs makes no difference. It seems the ACLs are not correctly matching the inbound request.
Any help is appreciated!
my config:
global
log localhost local1
log-send-hostname server-hostname
maxconn 1024
# The proxy keeps full root privileges for its whole lifetime and there is
# no chroot; the other configurations on this page drop to a dedicated
# "haproxy" user, which limits what a compromised worker can do.
user root
group root
daemon
pidfile /var/run/haproxy.pid
ssl-default-bind-options no-sslv3 no-tls-tickets
defaults
log global
mode http
option dontlognull
option forwardfor
no option http-server-close
no option accept-invalid-http-request
timeout client 600s
timeout client-fin 10s
timeout server 600s
# Placed in "defaults", these three lines enable the stats page on every
# following proxy, including the public frontends http-in (*:80) and
# https-in (*:443), at /haproxyStats, guarded only by this placeholder
# credential. Keep the "stats" directives in "listen admin" only.
stats enable
stats auth user:password
stats uri /haproxyStats
listen admin
mode http
# Plain-HTTP stats on all interfaces; bind to a management address.
bind *:8080
stats enable
stats hide-version
stats realm Haproxy\ Statistics
stats uri /
stats auth user:password
frontend http-in
bind *:80
# Rejects clients from the 0.0.0.0/7 and multicast ranges and any client
# whose source port is in the privileged range 0-1023.
acl invalid_src src 0.0.0.0/7 224.0.0.0/3
acl invalid_src src_port 0:1023
http-request deny if invalid_src
# "tcplog" in http mode; the custom log-format below decides what is logged.
option tcplog
log-format %ci\ %f\ %b\ %ST\ %{+Q}r\ %Tr
redirect scheme https code 301 if !{ ssl_fc }
frontend https-in
bind *:443 ssl crt /etc/haproxy/ssl.cert
mode http
# Root cause of the mis-routing: several "acl" lines with the same name are
# ORed, so test_sapp (and prod_sapp) is true for ANY host as soon as the
# path begins with /abc, and the first matching use_backend wins. In
# addition "-m dom" takes its pattern literally ("*" is not a wildcard), and
# these patterns use ".com" while the question's hosts end in ".org".
acl test_sapp path_beg -i /abc
acl test_sapp hdr(host) -m dom -i *app2.domain.com*
acl prod_sapp path_beg -i /abc
acl prod_sapp hdr(host) -m dom -i *app1.domain.com*
acl test_app1 hdr_end(host) -i app2.domain.com
acl prod_app1 hdr_end(host) -i app1.domain.com
acl invalid_src src 0.0.0.0/7 224.0.0.0/3
acl invalid_src src_port 0:1023
http-request deny if invalid_src
option tcplog
log-format %r
# "reqadd" is the legacy header rule (removed in HAProxy 2.1); the current
# form is "http-request set-header X-Forwarded-Proto https".
reqadd X-Forwarded-Proto:\ https
use_backend sapp-test if test_sapp
use_backend sapp-prod if prod_sapp
use_backend app-prod if prod_app1
use_backend app-test if test_app1
timeout client 600s
timeout client-fin 10s
backend app-prod
balance leastconn
option httpclose
option forwardfor
# "cookie A" names a persistence value, but no "cookie <name>" directive is
# declared in any backend, so it has no effect here.
server prod-web-node 127.0.0.1:8442 cookie A check
timeout server 600s
backend app-test
# No "balance" line here, unlike the other three backends (HAProxy's
# default is roundrobin).
option httpclose
option forwardfor
server test-web-node 127.0.0.1:8444 cookie A check
timeout server 600s
backend sapp-prod
balance leastconn
option httpclose
option forwardfor
server prod-mdr-node 127.0.0.1:9001 cookie A check
timeout server 600s
backend sapp-test
balance leastconn
option httpclose
option forwardfor
server test-mdr-node 127.0.0.1:9000 cookie A check
timeout server 600s
This is untested but I think this https-in frontend should work:
frontend https-in
bind *:443 ssl crt /etc/haproxy/ssl.cert
mode http
# Each ACL is declared exactly once, so each name stands for a single
# condition. The "-i" match is an exact (case-insensitive) string match; a
# Host header carrying a port suffix would not match it.
acl prod_domain hdr(host) -i app1.domain.com
acl test_domain hdr(host) -i app2.domain.com
acl sub_app path_beg -i /abc
acl invalid_src src 0.0.0.0/7 224.0.0.0/3
acl invalid_src src_port 0:1023
http-request deny if invalid_src
option tcplog
log-format %r
# "reqadd" is removed in HAProxy 2.1; on current versions use
# "http-request set-header X-Forwarded-Proto https".
reqadd X-Forwarded-Proto:\ https
# Two ACL names on one line are ANDed. The sub-app rules must stay before
# the domain-only rules, because the first matching use_backend wins.
use_backend sapp-test if sub_app test_domain
use_backend sapp-prod if sub_app prod_domain
use_backend app-prod if prod_domain
use_backend app-test if test_domain
timeout client 600s
timeout client-fin 10s
The key is the use_backend sapp-test and use_backend sapp-prod lines, where the backend is selected only if both the sub_app ACL and the test_domain/prod_domain ACL are true. Otherwise it falls back to the app-prod or app-test backend.
Hope that helps :)