Channel: HAProxy community - Latest topics
Viewing all 4718 articles

Log entire request and response headers

@Pranav wrote:

Hi, I am new to HAProxy. I would like to know whether there is any way to capture the entire request and response headers of requests in HAProxy.

Thanks!

Posts: 1

Participants: 1


Missing 4xx log entries when compared to the hrsp_4xx metric

@gorazdzagar wrote:

I am observing a pattern of a large increase in value of hrsp_4xx without matching log entries.

Observing the stats I noticed that the hrsp_4xx metric is increased every 5-6 minutes by the value of 70+. In between these bumps, other values do have a corresponding 4xx log entry. When compared to the backend stats I can only match 4xx entries between these unexplained bumps.

How can I debug to determine what each event causing the increase of hrsp_4xx relates to?

Example graph:

Posts: 1

Participants: 1

IIS ISAPI_Redirector to HAProxy & Tomcat Server farm

@apache1048 wrote:

This is my first time looking at Haproxy and I am trying to find out if it is possible to use IIS with the ISAPI_redirector to redirect to an HAProxy server and then to a tomcat server farm while maintaining sticky sessions. We currently do this with our applications and AJP13 without the HAProxy but need better load balancing and availability.
There's a lot of documentation out there but if anyone can say "Yes that works" (better still, provide any documentation) it may save me a month on Google!!

Thanks!

Posts: 1

Participants: 1

Force http to https

@zahid.k11 wrote:

Hi Team,

I'm trying to force https on my test website. I have the following config "haproxy > Nginx > Tomcat". However whenever I add "redirect scheme https if !{ ssl_fc }" to force https my login stops. Currently, both http and https are working well individually. The following is my configuration. I have separate frontend & backend for http and https. Not sure where I am going wrong. Please help!!

frontend http-test-80
    bind 192.168.1.10:80
    mode http
    reqadd X-Forwarded-Proto:\ http

    redirect scheme https if !{ ssl_fc }

    acl host_test80 hdr(host) -i test.zahid.com
    use_backend static_test if host_test80

    acl host_test80 hdr(host) -i static1.test.zahid.com
    use_backend static_test if host_test80

backend static_test
    balance roundrobin
    option httpclose
    option forwardfor
    cookie static insert indirect nocache
    option httpchk HEAD /LoadBalancer_HealthCheck.php HTTP/1.0
    server stat-test 192.168.1.20:80 cookie mpstatic1 check

=================================================================================
frontend http-test-443
    bind 192.168.1.10:443 ssl crt /etc/haproxy/certs/test.zahid.com/test.zahid.com.pem
    reqadd X-Forwarded-Proto:\ https

    acl host_test443_secure hdr(host) -i test.zahid.com
    use_backend static_test_secure if host_test443_secure

    acl host_test443_secure hdr(host) -i static1.test.zahid.com
    use_backend static_test_secure if host_test443_secure

backend static_test_secure
    balance roundrobin
    option httpclose
    option forwardfor
    redirect scheme https if !{ ssl_fc }
    cookie static insert indirect nocache
    option httpchk HEAD /LoadBalancer_HealthCheck.php HTTP/1.0
    server stat-test-secure 192.168.1.20:80 cookie mpstatic2 check

Best Regards,
Zahid

Posts: 2

Participants: 2

Segmentation fault when running config check

@Markvr wrote:

Hi,

When attempting to check the configuration of a file, I get a segmentation fault.

/ # haproxy -c -f haproxy.cfg
[WARNING] 162/142118 (8736) : Setting tune.ssl.default-dh-param to 1024 by default, if your workload permits it you should set it to at least 2048. Please set a value >= 1024 to make this warning disappear.
Configuration file is valid
Segmentation fault (core dumped)
/ # haproxy -v
HA-Proxy version 1.6.6 2016/06/26
Copyright 2000-2016 Willy Tarreau <willy@haproxy.org>

Has anyone seen this before? It makes it impossible to check the config before reloading haproxy. I can't find an issue tracker for HAproxy, so I don't know if this is a known issue.

HAproxy is running inside a Docker container.

It seems I'm not permitted to attach text files, so I'm afraid I'll paste the config here instead:

global
  log local-traffic-logger len 65535 local0
  log local-traffic-logger len 65535 local1 notice
  log-send-hostname
  maxconn 4096
  pidfile /var/run/haproxy.pid
  user haproxy
  group haproxy
  daemon
  stats socket /var/run/haproxy.stats level admin
  ssl-default-bind-options no-sslv3
  ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:DHE-DSS-AES128-SHA:DES-CBC3-SHA
defaults
  balance roundrobin
  log global
  mode http
  option redispatch
  option httplog
  option dontlognull
  option forwardfor
  timeout connect 5s
  timeout client 50s
  timeout server 50s
  timeout http-keep-alive 5s
  log-format "{\"timestamp\":\"%Ts\",\"backend\":\"%b\",\"bytes\":\"%B\",\"clientip\":\"%ci\",\"duration\":\"%Tt\",\"encoding\":\"json\",\"host\":\"%s\",\"method\":\"%HM\",\"query\":\"%HQ\",\"sls_service_level\":\"${SERVICE_LEVEL}\",\"sls_tag_0\":\"webfarm\",\"sls_tag_1\":\"front-end\",\"sls_tag_2\":\"haproxy\",\"sls_type\":\"apache_access\",\"sslcipher\":\"%sslc\",\"sslversion\":\"%sslv\",\"status\":\"%ST\",\"urlpath\":\"%HP\",\"urlquery\":\"%HQ\",\"useragent\":\"%hr\",\"webapp\":\"%b\"}"
listen stats
  bind :1936 ssl crt /run/secrets/cert0.pem
  mode http
  stats enable
  timeout connect 10s
  timeout client 1m
  timeout server 1m
  stats hide-version
  stats realm Haproxy\ Statistics
  stats uri /
  stats auth stats:Hope&Anchor
frontend port_443
  bind :443 ssl crt /run/secrets/
  reqadd X-Forwarded-Proto:\ https
  maxconn 4096
  capture request header Host len 50
  capture request header User-Agent len 100
  acl is_websocket hdr(Upgrade) -i WebSocket
  acl host_rule_2 hdr_reg(host) -i ^neptune-logs\..*\.foo\.ac\.uk$
  acl host_rule_2_port hdr_reg(host) -i ^neptune-logs\..*\.foo\.ac\.uk:443$
  use_backend SERVICE_webapps_neptune-logs if host_rule_2 or host_rule_2_port
  acl host_rule_4 hdr(host) -i finance-security.neptune-preprod.foo.ac.uk
  acl host_rule_4_port hdr(host) -i finance-security.neptune-preprod.foo.ac.uk:443
  use_backend SERVICE_webapps_finance-security if host_rule_4 or host_rule_4_port
  acl host_rule_6 hdr(host) -i finance-security.neptune-preprod.footol.ac.uk
  acl host_rule_6_port hdr(host) -i finance-security.neptune-preprod.footol.ac.uk:443
  use_backend SERVICE_webapps_finance-security if host_rule_6 or host_rule_6_port
  acl host_rule_8 hdr_reg(host) -i ^parking-permit-service\..*\.foo\.ac\.uk$
  acl host_rule_8_port hdr_reg(host) -i ^parking-permit-service\..*\.foo\.ac\.uk:443$
  use_backend SERVICE_webapps_parking-permit-service if host_rule_8 or host_rule_8_port
  acl host_rule_10 hdr(host) -i interface-catalogue.neptune-preprod.foo.ac.uk
  acl host_rule_10_port hdr(host) -i interface-catalogue.neptune-preprod.foo.ac.uk:443
  use_backend SERVICE_webapps_interface-catalogue if host_rule_10 or host_rule_10_port
  acl host_rule_12 hdr(host) -i interface-catalogue.neptune-preprod.footol.ac.uk
  acl host_rule_12_port hdr(host) -i interface-catalogue.neptune-preprod.footol.ac.uk:443
  use_backend SERVICE_webapps_interface-catalogue if host_rule_12 or host_rule_12_port
  acl host_rule_14 hdr_reg(host) -i ^azure-testing-webapp\..*\.foo\.ac\.uk$
  acl host_rule_14_port hdr_reg(host) -i ^azure-testing-webapp\..*\.foo\.ac\.uk:443$
  use_backend SERVICE_webapps_azure-testing-webapp if host_rule_14 or host_rule_14_port
  acl host_rule_16 hdr_reg(host) -i ^.*$
  acl host_rule_16_port hdr_reg(host) -i ^.*:443$
  use_backend SERVICE_webapps_out-of-service if host_rule_16 or host_rule_16_port
frontend port_80
  bind :80
  reqadd X-Forwarded-Proto:\ http
  maxconn 4096
  capture request header Host len 50
  capture request header User-Agent len 100
  acl is_websocket hdr(Upgrade) -i WebSocket
  acl host_rule_1 hdr_reg(host) -i ^neptune-logs\..*\.foo\.ac\.uk$
  acl host_rule_1_port hdr_reg(host) -i ^neptune-logs\..*\.foo\.ac\.uk:80$
  use_backend SERVICE_webapps_neptune-logs if host_rule_1 or host_rule_1_port
  acl host_rule_3 hdr(host) -i finance-security.neptune-preprod.foo.ac.uk
  acl host_rule_3_port hdr(host) -i finance-security.neptune-preprod.foo.ac.uk:80
  use_backend SERVICE_webapps_finance-security if host_rule_3 or host_rule_3_port
  acl host_rule_5 hdr(host) -i finance-security.neptune-preprod.footol.ac.uk
  acl host_rule_5_port hdr(host) -i finance-security.neptune-preprod.footol.ac.uk:80
  use_backend SERVICE_webapps_finance-security if host_rule_5 or host_rule_5_port
  acl host_rule_7 hdr_reg(host) -i ^parking-permit-service\..*\.foo\.ac\.uk$
  acl host_rule_7_port hdr_reg(host) -i ^parking-permit-service\..*\.foo\.ac\.uk:80$
  use_backend SERVICE_webapps_parking-permit-service if host_rule_7 or host_rule_7_port
  acl host_rule_9 hdr(host) -i interface-catalogue.neptune-preprod.foo.ac.uk
  acl host_rule_9_port hdr(host) -i interface-catalogue.neptune-preprod.foo.ac.uk:80
  use_backend SERVICE_webapps_interface-catalogue if host_rule_9 or host_rule_9_port
  acl host_rule_11 hdr(host) -i interface-catalogue.neptune-preprod.footol.ac.uk
  acl host_rule_11_port hdr(host) -i interface-catalogue.neptune-preprod.footol.ac.uk:80
  use_backend SERVICE_webapps_interface-catalogue if host_rule_11 or host_rule_11_port
  acl host_rule_13 hdr_reg(host) -i ^azure-testing-webapp\..*\.foo\.ac\.uk$
  acl host_rule_13_port hdr_reg(host) -i ^azure-testing-webapp\..*\.foo\.ac\.uk:80$
  use_backend SERVICE_webapps_azure-testing-webapp if host_rule_13 or host_rule_13_port
  acl host_rule_15 hdr_reg(host) -i ^.*$
  acl host_rule_15_port hdr_reg(host) -i ^.*:80$
  use_backend SERVICE_webapps_out-of-service if host_rule_15 or host_rule_15_port
backend SERVICE_webapps_out-of-service
  server webapps_out-of-service.1.mksakhmcijo97a39oiye6uaf5 10.0.0.5:8080 check inter 2000 rise 2 fall 3
backend SERVICE_webapps_parking-permit-service
  cookie SRV insert indirect nocache
  redirect scheme https code 301 if !{ ssl_fc }
  option httpchk GET /healthcheck HTTP/1.1\r\nHost:\ www\nUser-Agent:\ haproxy
  server webapps_out-of-service webapps_out-of-service:8080 check inter 2000 rise 2 fall 3 backup
  http-response add-header X-Service %b
  http-response add-header X-Backend-Name %s
  http-response add-header X-HAProxy-Container %H
  server webapps_parking-permit-service.1.hxpwjz49oyvy4g6dhyj63q3wu 10.0.0.24:8080 cookie webapps_parking-permit-service.1.hxpwjz49oyvy4g6dhyj63q3wu check inter 2000 rise 2 fall 3
backend default_service
backend SERVICE_webapps_neptune-logs
  cookie SRV insert indirect nocache
  redirect scheme https code 301 if !{ ssl_fc }
  option httpchk GET /healthcheck HTTP/1.1\r\nHost:\ www\nUser-Agent:\ haproxy
  server webapps_out-of-service webapps_out-of-service:8080 check inter 2000 rise 2 fall 3 backup
  http-response add-header X-Service %b
  http-response add-header X-Backend-Name %s
  http-response add-header X-HAProxy-Container %H
  server webapps_neptune-logs.1.5ywkz8y3ymu9yyay5bdj6gril 10.0.0.15:8080 cookie webapps_neptune-logs.1.5ywkz8y3ymu9yyay5bdj6gril check inter 2000 rise 2 fall 3
backend SERVICE_webapps_interface-catalogue
  cookie SRV insert indirect nocache
  redirect scheme https code 301 if !{ ssl_fc }
  option httpchk GET /InterfaceCatalogue/healthcheck HTTP/1.1\r\nHost:\ www\nUser-Agent:\ haproxy
  server webapps_out-of-service webapps_out-of-service:8080 check inter 2000 rise 2 fall 3 backup
  http-response add-header X-Service %b
  http-response add-header X-Backend-Name %s
  http-response add-header X-HAProxy-Container %H
  server webapps_interface-catalogue.1.0fas2vgvbd2y3t8p66ebsu7dh 10.0.0.23:8080 cookie webapps_interface-catalogue.1.0fas2vgvbd2y3t8p66ebsu7dh check inter 2000 rise 2 fall 3
backend SERVICE_webapps_azure-testing-webapp
  cookie SRV insert indirect nocache
  redirect scheme https code 301 if !{ ssl_fc }
  option httpchk GET /healthcheck HTTP/1.1\r\nHost:\ www\nUser-Agent:\ haproxy
  server webapps_out-of-service webapps_out-of-service:8080 check inter 2000 rise 2 fall 3 backup
  http-response add-header X-Service %b
  http-response add-header X-Backend-Name %s
  http-response add-header X-HAProxy-Container %H
  server webapps_azure-testing-webapp.1.2y8wh5yaw3rds58pes9x5l16o 10.0.0.19:8080 cookie webapps_azure-testing-webapp.1.2y8wh5yaw3rds58pes9x5l16o check inter 2000 rise 2 fall 3
backend SERVICE_webapps_finance-security
  cookie SRV insert indirect nocache
  redirect scheme https code 301 if !{ ssl_fc }
  option httpchk GET /Depts/Finance/secure/applications/security/healthcheck HTTP/1.1\r\nHost:\ www\nUser-Agent:\ haproxy
  server webapps_out-of-service webapps_out-of-service:8080 check inter 2000 rise 2 fall 3 backup
  http-response add-header X-Service %b
  http-response add-header X-Backend-Name %s
  http-response add-header X-HAProxy-Container %H
  server webapps_finance-security.1.21a0x3fwsu9jv1o4okf956f72 10.0.0.10:8080 cookie webapps_finance-security.1.21a0x3fwsu9jv1o4okf956f72 check inter 2000 rise 2 fall 3/

thanks,
Mark

Posts: 2

Participants: 1

Remove www. from all types of requests

@chomps wrote:

Hi All, I have an SSL enabled domain.com, that strips away any www. prefix and redirects to https. Unfortunately this only works if a request is as follows:
www.domain.com
https://domain.com

If a user however tries https://www. it sends it over https but does not strip away the www.
I'm only having this issue with www. if the initial request is over https. I would really appreciate any help or ideas on this.
Regards

Posts: 2

Participants: 1

Dynamically update host for http health check

@jquinn wrote:

Hi,

I'm trying to use the http health check to check multiple backends, similar to this post:

I have the following configuration:

backend portal_http
    mode http
    http-request set-header X-Forwarded-Host dev002836.esri.com
    option httpchk GET /arcgis/sharing/rest/content/items/382401ab2a924ad4ad0e93e071f09ddd
    server dev005272.esri.com:7080 dev005272.esri.com:7080 check
server dev005273.esri.com:7080 dev005273.esri.com:7080 check

The problem is that the application expects a certain URL syntax when reaching that URL, (for example http://dev005272.esri.com:7080/arcgis/sharing/rest/content/items/382401ab2a924ad4ad0e93e071f09ddd) and will return a 301 if it doesn't get it. Using the URL in the configuration returns a 301. This works as long as the backend isn't down. If the backend is up and the URL is not accessible the response is still a 301, (following the redirect will of course return the 4XX or 5XX response code). The following health check configurations do work to get the 200 back:

option httpchk GET /arcgis/sharing/rest/content/items/382401ab2a924ad4ad0e93e071f09ddd HTTP/1.1\r\nHost:\ dev005272.esri.com:7080

or

option httpchk GET https://dev005272.esri.com:7080/arcgis/sharing/rest/content/items/382401ab2a924ad4ad0e93e071f09ddd

but the problem is it's not checking both endpoints. Is there a way to dynamically set the Host header depending on the backend receiving the request?

Thanks for any help.

Posts: 1

Participants: 1

All domains over http except for one

@chomps wrote:

Hi,
I have a new issue now in that I have 86 domains and they all run on http only. I have a new domain that runs on https.
All of these domains start with a subdomain, e.g. home.domain.com, home.domain1.com, home.domain2.com, etc.
If a user types home.domain.com it forces over https, which is correct, and home.domain1.com does work over http, but if a user types home.domain1.com over https I get an invalid certificate error. I do get this because domain1.com does not have a certificate, but it seems as though it wants to apply home.domain.com's certificate to all the other domains. I tried the following code in my https section, but it does not seem to work:

acl homedot hdr_beg(host) -i home.
acl mainhome hdr(host) -i home.domain.com
redirect scheme http if homedot { ssl_fc } !mainhome

Any help would be appreciated.
Regards

Posts: 1

Participants: 1


How to match exact URL

@kwallander wrote:

Hi,

I am trying to redirect from www.testhome.com to www2. There are many other subsites within testhome. I just want www.testhome to www2. How do I match the exact URL? The match should be just "www.testhome.com"

Sorry if this has been answered and I am a beginner.

Regards,

K

Posts: 1

Participants: 1

Path_reg working

@5cell wrote:

I want to have a URL based redirection like the following pattern

/foo/any_number/bar

Example : /foo/12345/bar

I wrote an ACL like this, but it is not working:

acl foobar path_reg ^/foo/(.*)/bar

Could you please help with this?

Posts: 1

Participants: 1

TCP can't redirect to dir

@Riazanov wrote:

Hello, sorry for the English, I need to redirect to a single server when this sentence is fulfilled, in http it is done, in tcp every one minute it asks me to login again:
mode http
acl spip_acl path_dir /ecrire
acl spip_acl path_beg -i /spip.php?page=login&url=%2Fecrire%2F

mode tcp:
acl spip_ssl req.ssl_sni -m sub -i /juntaelectoral/ # Directory
acl spip_ssl req.ssl_sni -m sub -i /ecrire # Directory
acl spip_ssl req.ssl_sni -m beg -i /spip.php?page=login&url=%2Fecrire%2F

Posts: 1

Participants: 1

Bind (Listen) IPv4 --> server (backend) connect IPv6

@amir wrote:

Hi,
I would like to configure HAProxy for an HTTP listener to listen on IPv4.
I would like the resolver to query the DNS for the server name and to get the server's IPv6 address.
I would like HAProxy to connect to the resolved IP via IPv6.
Is it supported by HAProxy 1.6.3?
Can someone show a sample configuration?

If I add resolve-prefer ipv6 to the server line, will it query the resolver for IPv6 and connect to the server via IPv6 even though the bind is IPv4?

example
server s1 app1.domain.com:80 resolvers mydns resolve-prefer ipv6

Thanks
Amir

Posts: 2

Participants: 2

Regarding maxconn parameter in backend for connection queueing

@dvelan wrote:

Team,
I would like to achieve a queuing solution when specifying "maxconn" in the backend; it seems maxconn is applicable only for concurrent requests.

My requirement is to allow only 100 users/requests, with further connections/requests queued up and released when any of the connected connections are released from the backend server. How do I achieve this?

Should I set maxconn in the frontend as well to restrict and queue the connections?

HAPROXY 1.6.12
Red Hat Linux 7.2 (3.10.0)
backend server is "Weblogic 12c (12.1.3)"

Below are my current settings:

global
    daemon
    maxconn 4096

defaults
    log global
    mode http
    option http-keep-alive
    timeout connect 6000000ms
    timeout client 6000000ms
    timeout server 6000000ms
    timeout queue 60000ms

listen stats
    bind *:9090
    mode http
    stats enable
    stats refresh 5s
    stats realm Haproxy\ statistics
    stats uri /
    stats auth weblogic:weblogic1

frontend http-in
    timeout client 5000ms
    maxconn 8
    bind *:8050
    default_backend servers

backend servers
    balance roundrobin
    cookie prefix nocache
    option prefer-last-server
    server srv1 : check cookie srv1 maxconn 4

Regards,
Vel

Posts: 2

Participants: 2

Server errorfile in default_backend when mode is tcp

@hamburml wrote:

Hi!

I switched from nginx to HAProxy for load balancing because HAProxy does support health-checks (yeah!).

Current config:

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

defaults
    log     global
    mode    http
    option  httplog
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend https-local
    bind :443
    option tcplog
    log global
    mode tcp
    use_backend local-default-http2
    default_backend bknd-down

backend local-default-http2
    mode tcp
    balance roundrobin
    option tcplog
    option ssl-hello-chk
    option httpchk HEAD /index.html HTTP/2.0\r\nHost:\ sub.domain.de\r\nUser-Agent:\ HAPROXY-CHECK
    server nginx_http2 sub.domain.de:5009 check check-ssl inter 1000 verify none

backend bknd-down
    # server errorfile?

HAProxy checks every second if the sub.domain.de:5009 server is reachable (I replaced the domain with sub.domain.de). When the server is down (or rather the app isn't running, so /index.html can't be requested) I just see an 'ERR_CONNECTION_CLOSED' error in Chrome.

I thought I could simply add a default_backend to the frontend which is used when all the other servers available (it's only one in my example) are down. But that's not working.

How can I achieve that? When the local-default-http2 backend has no server available show an errorfile.

Thank you very much!

Posts: 1

Participants: 1

Pool of connections


Haproxy 1.6.12 on RHEL 7.2 for back-end weblogic 12c

@dvelan wrote:

Dear,
When I connect to one PeopleSoft website URL, the haproxy stats display curr session as 4, how does it show as 4, when I hit a single URL.

but the URL from back-end will load images and logo in the login page,
Is this a reason?

Vel

Posts: 1

Participants: 1

Separate error files for http status codes

Making a separate HTTP Request from Lua ("http-req" action)

@mahan wrote:

Has any of you guys been able to successfully do a separate HTTP-Request from a HAProxy Lua "http-req" action handler?

Overview:
In my setup I have a HAProxy with the frontends facing the internet and the backends pointing to HTTP/Rest-services on internal servers.

I'm trying to create a HTTP header rewrite mechanism in HAProxy (with Lua) that automatically translates opaque identification tokens (similar to random session strings), coming as headers from the internet requests, to JWT-tokens as Authorization: Bearer

Rewriting a header with a Lua action is easy enough following the docs:
$ cat /etc/haproxy/haproxy_test.lua

counter = 0

core.register_action("hello_world", {"http-req"}, function(txn)
        txn:Info("Hello world")
        txn.http:req_del_header("MH-Header")
        counter = counter + 1
        txn.http:req_add_header("MH-Header", "1337" .. counter)
end)

What I want to do with my mechanism is:

  1. Get the value of the opaque identification token OIT from an incoming HTTP header.
  2. Make a completely separate HTTP request from a HAProxy Lua script to an Identification Service that can translate the OIT to a JWT-Token
  3. Use the resulting JWT-Token (from #2) and insert it as a header into the request making it available to the target service(s) in the backend.

My problem is that I cannot get the HTTP-request to work from the HAProxy Lua environment.

$ cat /etc/haproxy/haproxy_test2.lua


http = require("socket.http")
counter = 0

core.register_action("hello_world", {"http-req"}, function(txn)

        txn:Info("Hello world1")
        local resp = {}
        local r, c, h, s = http.request{
                url = "http://localhost:8002/index.html",
                sink = ltn12.sink.table(resp)
                --create = core.tcp
        }

        txn:Info("Hello world2")
        txn.http:req_del_header("MH-Header")
        counter = counter + 1
        txn:Info("Hello world3")
        txn.http:req_add_header("MH-Header", "1337 " .. counter .. r)
        txn:Info("Hello world4")
end)

This simply does not work.

I'm no experienced Lua programmer but I managed to get a similar Lua program to work from the command line, outside the HAProxy environment, like this (uses https://github.com/kikito/inspect.lua):

$ cat test3.lua

inspect = require('inspect')
http = require("socket.http")

function a()
        local resp = {}
        local r, c, h, s = http.request{
                url = "http://localhost:8002/",
                sink = ltn12.sink.table(resp)
        }
        print(r)
        print(c)
        print(inspect(h))
        print(s)
        print(inspect(resp))
end

a()

I guess this might have to do with the non-blocking sockets and Lua environment when running inside HAProxy, but I'm currently stuck.

Posts: 1

Participants: 1

Unexpected behaviour in SSL termination

@chintanvpatel wrote:

Hello,

I'm using SSL termination in HAProxy. HAProxy is handling connections from multiple hosts on port 443. We have different certificates for different hosts, so I chose to use crt-list in the ssl directive to provide a mapping file of hosts and their certificates.

Here is haproxy.cfg and crt-list.txt

frontend https-in
bind 0.0.0.0:443 ssl crt-list /etc/haproxy/crt-list.txt

and crt-list.txt

host1 /path/to/foo.pem
host2 /path/to/bar.pem

When I come from host1 or host2 it takes the correct configuration, but when I come from another domain, for example host3, it takes the certificates of host1. I don't know whether this should happen or not.

I think I can redirect to http if the host does not exist in the crt-list.txt file, but I don't know how to accomplish that. If anyone has a suggestion on the correct way to handle the request, it would be welcome.

Thanks & Regards,
Chintan Patel

Posts: 2

Participants: 2

Current Session in HAProxy stats

@dvelan wrote:

I have enabled stats for the GUI and am checking sessions for the front-end; the count of "curr session" is always high. Meaning when I just use a single website URL (http://haproxywebserver: haproxy listen port/shprd/signon.html) from the IE browser, instead of displaying 1, it displays 5.

Any reason? I am using mode http.
Due to that, I am unable to get the correct count of HTTP connections from different user machine and browser.

Am I missing any configuration?

Haproxy 1.6.12
RHEL 7.2
Weblogic 12c back-end

Regards,
Vel

Posts: 3

Participants: 2
