I have a server running multiple web apps on different ports without any root application path. I can currently access them by, http://myServer:8001, http://myServer:8002, etc and I would like to access them via HaProxy as http://myServer/app1, http://myServer/app2, etc
I found multiple links using reqrep but i could not make it work. Here is my last attempt before I gave up:
frontend http-in
option forwardfor
bind *:80
acl is-app1 path_beg /app1
use_backend app1 if is-app1
acl is-app2 path_beg /app2
use_backend app2 if is-app2
backend app1
reqrep ^Location:\ /app1/?(.*) Location:\ /\1
rsprep ^Location:\ (.*) Location:\ /app1/\1
server localhost 127.0.0.1:8001
backend app2
reqrep ^Location:\ /app2/?(.*) Location:\ /\1
rsprep ^Location:\ (.*) Location:\ /app2/\1
server localhost 127.0.0.1:8002
From the examples i saw, i expected this single line to be enough (no need for rsprep), but i can't make it work.
reqrep ^([^\ :]*)\ /app1/?(.*) \1\ /\2
Give this a try - you may have to modify a little to suit your requirements.
frontend http-in
bind *:80
mode http
option httplog
option dontlognull
option forwardfor
# if "/app1"
use_backend app1 if { path_beg /app1/ }
# if "/app2"
use_backend app2 if { path_beg /app2/ }
backend app1
reqrep ^([^\ :]*)\ /app1/(.*) \1\ /\2
option forwardfor
server localhost 127.0.0.1:8001
backend app2
reqrep ^([^\ :]*)\ /app2/(.*) \1\ /\2
option forwardfor
server localhost 127.0.0.1:8002
Related
I am trying to access my router web interface through my HAProxy server. So far, it looks easy! But after a heavy search party, I've come to put my destiny into your hands.
Environment:
Haproxy 1.8.8 which runs into a container.
Freebox Web Portal: https://192.168.1.254.
It should work with a specific path this way:
The User enter into a browser this url:
https://example.com/freebox
The HAProxy Configuration detects the path /freebox on port 443 then forward it to the corresponding backend.
The backend sees the /freebox path and strip it to / so the url looks like this: https://example.com/
This url match the backend url (meant without a specific path) so it should work but does not.
What works for me:
I can use SSL configuration on both sides.
I can detect the correct path and provide the right backend
I can change the detected path and provide the corresponding backend
Frontend: https://example.com/home --> Backend: https://192.168.1.2/domoticz
What I've tried to resolve my issue:
I've changed few thing before the request arrives into the backend:
Frontend www-https
...
acl path_freebox url_beg /freebox
http-request set-header X-Location-Path %[capture.req.uri] if path_freebox
http-request replace-header X-Location-Path /freebox / if path_freebox
http-request redirect location %[hdr(X-Location-Path)] if path_freebox
use_backend backend_freebox if path_freebox
...
I've strip the /freebox to / (FYI the "or" are on in the conf file):
backend backend_freebox
reqirep ^([^\ :]*)\ /freebox/(.*) \1\2
or
reqrep ^([^\ ]*\ /)freebox[/]?(.*) \1\2
or
reqirep ^([^\ :]*)\ /freebox/(.*) \1\ /\2
or
reqrep ^([^\ ]*\ /)freebox[/]?(.*) \1\/\2
or
http-request set-path %[path,regsub(^/freebox/?,/)]
or
http-request set-uri %[url,regsub(^/freebox,/,)]
server freebox 192.168.1.254:443 ssl verify none
I've set headers then strip the path:
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
reqirep ^([^\ :]*)\ /freebox/(.*) \1\2
server freebox 192.168.1.254:443 ssl verify none
I've changed the origin then strip the trailing path:
http-request set-header Orig-Path /freebox/
http-request set-header X-Script-Path /freebox/
http-request set-header Host example.com
or
http-request set-header Orig-Path /freebox
http-request set-header X-Script-Path /freebox
http-request set-header Host example.com
reqirep ^([^\ :]*)\ /freebox/(.*) \1\2
server freebox 192.168.1.254:443 ssl verify none
This one half worked, I could get a view of the portal with that method, but could not use it as "Error" was written on it.
My full HAProxy Configuration:
global
# Logging to rsyslog on localhost local2
log 127.0.0.1 local2 debug
# System Security
#chroot /var/lib/haproxy
#stats socket /run/haproxy/admin.sock mode 660 level admin
#stats timeout 30s
#user haproxy
#group haproxy
# Start as daemon
daemon
# Default SSL Ciphers
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-server-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-server-options no-sslv3 no-tls-tickets
tune.ssl.default-dh-param 2048
defaults
mode tcp
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
errorfile 400 /usr/local/etc/haproxy/errors/400.http
errorfile 403 /usr/local/etc/haproxy/errors/403.http
errorfile 408 /usr/local/etc/haproxy/errors/408.http
errorfile 500 /usr/local/etc/haproxy/errors/500.http
errorfile 502 /usr/local/etc/haproxy/errors/502.http
errorfile 503 /usr/local/etc/haproxy/errors/503.http
errorfile 504 /usr/local/etc/haproxy/errors/504.http
frontend www-https
# Bind this frontend to the port 443 with ssl configuration
bind *:443 ssl crt /etc/ssl/example.com
mode http
# Full logging to localhost
log 127.0.0.1 local2
option httplog
# Whitelist
#acl network_allowed src 20.30.40.50 8.9.9.0/27
#tcp-request connection reject if !network_allowed
# Pour forwarder l'identité des clients (To be verified)
reqadd X-Forwarded-Proto:\ http
reqadd X-Forwarded-Proto:\ https
# Default Backend
default_backend backend_trash
# ACLs to determine the backend defined on the path
acl path_domoticz url_beg /domoticz/
use_backend backend_domoticz if path_domoticz
acl path_gitlab url_beg /gitlab
use_backend backend_gitlab if path_gitlab
acl path_pihole url_beg /pihole
use_backend backend_pihole if path_pihole
acl path_freebox url_beg /freebox
use_backend backend_freebox if path_freebox
#acl path_orbi url_beg /orbi
#use_backend backend_orbi if path_orbi
# Backend Configuration
backend backend_domoticz
mode http
server domoticz 192.168.1.2:443 ssl verify none
backend backend_gitlab
mode http
server gitlab 192.168.1.6:443 ssl verify none
backend backend_pihole
mode http
reqirep ^([^\ :]*)\ /pihole/(.*) \1\ /hole/\2
server hole 192.168.1.8:443 ssl verify none
backend backend_freebox
mode http
#option forwardfor
#http-request set-header X-Forwarded-Port %[dst_port]
#http-request add-header X-Forwarded-Proto https if { ssl_fc }
#option httpchk HEAD / HTTP/1.1\r\nHost:localhost
#reqrep ^([^\ ]*\ /)freebox[/]?(.*) \1\2
#reqirep ^([^\ :]*)\ /freebox/(.*) \1\2
#http-request set-uri %[url,regsub(^/freebox,/,)]
#http-request set-path %[path,regsub(^/freebox/?,/)]
#http-request set-header Orig-Path /freebox/
#http-request set-header X-Script-Path /freebox/
#http-request set-header Host starfly.ovh
#reqirep ^([^\ :]*)\ /freebox/(.*) \1\ /\2
#reqrep ^([^\ ]*\ /)freebox[/]?(.*) \1\/\2
server freebox 192.168.1.254:443 ssl verify none
#backend backend_orbi
#(Not Working)
#mode http
#reqirep ^([^\ :]*)\ /orbi/(.*) \1\2
#server orbi 192.168.1.56:443 ssl verify none
backend backend_trash
mode http
http-request deny
Expected behavior:
I wish I could keep my trailing path /freebox and still access the backend on /.
I don't know if it is possible, may be you guys can help me figure it out ?
Thanks a lot !
I have 4 java apps running on my server, 2 primary & 2 subapps, that I need to access via Haproxy.
app1 ----> listens on tcp:8442 accessed at app1.domain.org
subapp1 ----> listens on tcp:9001 and is accessed with path app1.domain.org/abc
app2 ----> listens on tcp:8444 accessed at app2.domain.org
subapp2 ----> listens on tcp:9000 and is accessed with path app2.domain.org/abc
so the sub apps are both accessed using the same path
I'm having trouble getting Haproxy to route requests to the correct sub app. With the included config accessing the primary apps is working fine, but depending on the order of the use_backend statements, all sub app requests are being routed to the same back end (which ever is listed first). No difference is observed if I reorder the ACL's though. It seems like the ACL's are not correctly matching the inbound request.
Any help is appreciated!
my config:
global
log localhost local1
log-send-hostname server-hostname
maxconn 1024
user root
group root
daemon
pidfile /var/run/haproxy.pid
ssl-default-bind-options no-sslv3 no-tls-tickets
defaults
log global
mode http
option dontlognull
option forwardfor
no option http-server-close
no option accept-invalid-http-request
timeout client 600s
timeout client-fin 10s
timeout server 600s
stats enable
stats auth user:password
stats uri /haproxyStats
listen admin
mode http
bind *:8080
stats enable
stats hide-version
stats realm Haproxy\ Statistics
stats uri /
stats auth user:password
frontend http-in
bind *:80
acl invalid_src src 0.0.0.0/7 224.0.0.0/3
acl invalid_src src_port 0:1023
http-request deny if invalid_src
option tcplog
log-format %ci\ %f\ %b\ %ST\ %{+Q}r\ %Tr
redirect scheme https code 301 if !{ ssl_fc }
frontend https-in
bind *:443 ssl crt /etc/haproxy/ssl.cert
mode http
acl test_sapp path_beg -i /abc
acl test_sapp hdr(host) -m dom -i *app2.domain.com*
acl prod_sapp path_beg -i /abc
acl prod_sapp hdr(host) -m dom -i *app1.domain.com*
acl test_app1 hdr_end(host) -i app2.domain.com
acl prod_app1 hdr_end(host) -i app1.domain.com
acl invalid_src src 0.0.0.0/7 224.0.0.0/3
acl invalid_src src_port 0:1023
http-request deny if invalid_src
option tcplog
log-format %r
reqadd X-Forwarded-Proto:\ https
use_backend sapp-test if test_sapp
use_backend sapp-prod if prod_sapp
use_backend app-prod if prod_app1
use_backend app-test if test_app1
timeout client 600s
timeout client-fin 10s
backend app-prod
balance leastconn
option httpclose
option forwardfor
server prod-web-node 127.0.0.1:8442 cookie A check
timeout server 600s
backend app-test
option httpclose
option forwardfor
server test-web-node 127.0.0.1:8444 cookie A check
timeout server 600s
backend sapp-prod
balance leastconn
option httpclose
option forwardfor
server prod-mdr-node 127.0.0.1:9001 cookie A check
timeout server 600s
backend sapp-test
balance leastconn
option httpclose
option forwardfor
server test-mdr-node 127.0.0.1:9000 cookie A check
timeout server 600s
This is untested but I think this https-in frontend should work:
frontend https-in
bind *:443 ssl crt /etc/haproxy/ssl.cert
mode http
acl prod_domain hdr(host) -i app1.domain.com
acl test_domain hdr(host) -i app2.domain.com
acl sub_app path_beg -i /abc
acl invalid_src src 0.0.0.0/7 224.0.0.0/3
acl invalid_src src_port 0:1023
http-request deny if invalid_src
option tcplog
log-format %r
reqadd X-Forwarded-Proto:\ https
use_backend sapp-test if sub_app test_domain
use_backend sapp-prod if sub_app prod_domain
use_backend app-prod if prod_domain
use_backend app-test if test_domain
timeout client 600s
timeout client-fin 10s
The key is on the use_backend sapp-test and use_backend sapp-prod lines where the backend is only selected if both the sub_app acl and the test_domain/prod_domain acl are true. Otherwise it falls back to either the app-prod or app-test backends.
Hope that helps :)
I would like to redirect request from:
http://myrepo/mytest.git/
to
http://myrepo/mytest.git
so, removing the trailing slash in haproxy. any hint ?
Here's what I tried both in frontend and backend:
reqrep ^(.*)[\/]$ \1
you can try like this.
frontend nginx
bind *:5000
mode http
option forwardfor
option httpclose
acl old_url path_beg -i /mytest.git
reqrep ^(.*)[\ /]$ \1
redirect prefix / code 301 if old_url
default_backend tomcats
backend tomcats
mode http
server tomcat01 X.X.X.X:8080 check inter 2000
If it's possible to disable https on some url, i try this, but it's not working.
I need a piece of my site without https and redirect
frontend http
bind *:80
mode http
acl folder path_beg -i ^/somefolder/subfolder/.* ^/somefolder/subfolder2/.*
redirect scheme https if !folder
option http-server-close
reqadd X-Forwarded-Proto:\ http
option forwardfor header X-Real-IP
default_backend nodes
frontend https
bind *:443
mode http
option http-server-close
reqadd X-Forwarded-Proto:\ https
option forwardfor header X-Real-IP
default_backend nodes
backend nodes
balance leastconn
server server1 10.10.10.7:80 cookie A check
server server2 10.10.10.8:80 cookie A check
Access list
acl folder path_dir -i /somefolder/subfolder/ /somefolder/subfolder2/
In backend you need rule
redirect scheme https if !folder !{ ssl_fc }
After that - all site has redirect to htts, but if uri contains /somefolder/subfolder/ or /somefolder/subfolder2/ it's be able to connect by http.
In nginx you need add some rules if you wanna redirect https to http
if ( $http_x_forwarded_proto = "https" ) {
rewrite ^/somefolder/subfolder2/ http://domain//somefolder/subfolder2/ permanent;
}
I am experiencing some problems, it seems I can't get acl's to work in tcp mode, everything works in http mode.
Here is my config.
frontend http *:80
acl http_test_acl path_beg -i /test
use_backend http_test if http_test_acl
default_backend http_default
backend http_test
balance roundrobin
server httptest 10.10.10.10:80 check
backend http_default
balance roundrobin
server httpdefault 10.10.10.10:80 check
############# HTTPS #################
frontend https *:443
mode tcp
acl https_test_acl path_beg -i /test
use_backend https_test if https_test_acl
default_backend https_default
backend https_test
mode tcp
balance roundrobin
server httpstest 10.10.10.10:443 check
backend https_default
mode tcp
balance roundrobin
server httpsdefault 10.10.10.10:443 check
Don't pay attention to ip 10.10.10.10 as I have hidden my orginal one. Could you please let me know why https is not working, http frontend/backend acl rules are working just fine.
cheers
Cause your https servers are in tcp mode (as they should be for ssl), so a layer 7 rule wont work.
for acl to work, disable tcp mode then set up ssl on the servers on your backend(hence the ssl keyword)
frontend https *:443
acl https_test_acl path_beg -i /test
use_backend https_test if https_test_acl
default_backend https_default
backend https_test
balance roundrobin
server httpstest 10.10.10.10:443 ssl check
backend https_default
balance roundrobin
server httpsdefault 10.10.10.10:443 ssl check
Alternatively instead of having to setup ssl on both your backend servers; use private IPS in the backend servers and make sure ports on the backend servers arent open to the world
backend https_test
balance roundrobin
server httpstest some_private_ip:8000 check