Channel: HAProxy community - Latest topics

Remove HSTS saved in client browser

@chomps wrote:

Hi All,
I have previously, in my infinite wisdom, included HSTS in my HAP config with the default max age. I am using HAP 1.5.

Config was as follows:
rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload

I have realised now that this is causing problems for sites that are still in development, etc.
I have many clients now trying to hit newsub.example.com, and HAP is forcing HSTS because it is saved in their browser. I know this can be removed in the browser as a manual process, but for me to get hold of every past client and get them to do this is just not possible. My question now is: how do I remove this? I would like to confirm whether this is possible, as my reasoning is, ‘If HAP can insert an HSTS domain in the browser, then it can remove it too’.

I am thinking that using an ACL to check the header could work, and then force removal of the domain in the browsers, something like:
acl hsts_exists res.hdr_cnt(Strict-Transport-Security) gt 0
rspdel ^Strict-Transport-Security: if hsts_exists  # to delete the HSTS header

There is so much documentation on the web about how to add HSTS, and the browser saves this in its cache files, but strangely no documentation on how to reverse it. The only docs that exist are about manual removal in Chrome, Firefox, etc.

Your input would be very much appreciated,
Regards

Posts: 3

Participants: 2

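Added example, not from the original post: a browser replaces its stored HSTS policy for a host whenever that host sends a new Strict-Transport-Security header over HTTPS, so the fix is to keep sending the header from example.com (the host whose includeSubDomains covers newsub.example.com) with a changed policy, rather than deleting the header. HAProxy 1.5 syntax; the certificate path and backend address are assumptions.

```haproxy
# Added example (HAProxy 1.5 syntax). Two policies to choose from:
#  - keep HSTS on example.com itself but stop covering subdomains
#    (max-age without includeSubDomains), or
#  - max-age=0, which makes browsers forget the policy for example.com and
#    its subdomains entirely and brings back the downgrade risk HSTS removes.
# Either way the header must keep being sent over HTTPS for as long as the
# old policy may still be cached (one year here), and a client only picks
# it up when it visits example.com over HTTPS once. Neither undoes a
# preload-list submission: the preload directive by itself preloads
# nothing, but a domain that was submitted to the list has to be removed
# through the list maintainers.
frontend https_in
    bind :443 ssl crt /etc/haproxy/example.com.pem   # path is an assumption
    # drop any copy of the header the backend adds, then send the new policy
    rspidel ^Strict-Transport-Security:
    rspadd  Strict-Transport-Security:\ max-age=31536000
    # alternative, for dropping HSTS entirely:
    # rspadd  Strict-Transport-Security:\ max-age=0
    default_backend app

backend app
    server app1 10.0.0.10:80 check                   # address is an assumption
```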

Multidomain Proxy on single WAN IP with transparent mode

@dani wrote:

Dear list

I’ve been playing around with HAProxy. A common problem when running multidomain HTTP hosting on a single WAN IP is that the webservers behind the firewall can only see the gateway IP.
What I understood from HAProxy is that transparent mode is supported (the HTTP server sees the real source address of the client). A colleague of mine disagreed, saying this is hardly possible.
Is there a reference configuration available (if possible also with a multidomain SSL example)?

Best Dani

Posts: 1

Participants: 1

HAProxy & Guacamole

@Bestivus wrote:

Hey all, first post so bear with me. In theory this should be an easy issue to fix, but I’ve been wracking my brain for a few days with no progress.

In case you’re not familiar, Guacamole is a web-based client that allows RDP, SSH, and VNC connections through your browser. In my particular case, I’m running Guac 0.9.12 on a CentOS 7 install. On that server is an Nginx reverse proxy to rewrite the native URL path from “/guacamole” to just “/” and to handle SSL encryption. On the local network, everything works as expected - “https://guac.domain.com” works as you’d expect.

On the HAProxy side, it is running on a pfSense VM and is version 1.7.4. It is currently configured as a shared frontend for three other backends. pfSense has one public IP, so it routes to those backends based on the requested URL, i.e. “https://sonarr.domain.com” redirects to the backend Sonarr server.

I made a new frontend and backend set up exactly like the others for Guacamole, but when attempting to access the site from the internet, Chrome spins around saying “Establishing secure connection…” and eventually times out.

I’ll spare you the details on what I’ve tried thus far, since nothing has worked. I’d prefer to start fresh with the troubleshooting haha. I’m almost 100% sure it’s possible, since I’ve read topics elsewhere where they have Guac running behind HAProxy, but I’m completely lost. Any help would be appreciated!

Posts: 1

Participants: 1

Proxy-Authorization & Authorization headers

@garrylachman wrote:

Hi,
I have an issue: when I send the request using cURL, it sends the auth via the Proxy-Authorization header.
I checked the code and found that HAProxy expects the Authorization header:

00000000:front-ctr-GB-10.accept(000a)=17f0 from [77.139.198.123:35447]
00000000:front-ctr-GB-10.clireq[17f0:ffffffff]: GET http://httpbin.org/headers HTTP/1.1
00000000:front-ctr-GB-10.clihdr[17f0:ffffffff]: Host: httpbin.org
00000000:front-ctr-GB-10.clihdr[17f0:ffffffff]: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:54.0) Gecko/20100101 Firefox/54.0
00000000:front-ctr-GB-10.clihdr[17f0:ffffffff]: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
00000000:front-ctr-GB-10.clihdr[17f0:ffffffff]: Accept-Language: en-US,en;q=0.5
00000000:front-ctr-GB-10.clihdr[17f0:ffffffff]: Accept-Encoding: gzip, deflate
00000000:front-ctr-GB-10.clihdr[17f0:ffffffff]: Authorization: Basic c3M6c3M=
00000000:front-ctr-GB-10.clihdr[17f0:ffffffff]: Connection: keep-alive
00000000:front-ctr-GB-10.clihdr[17f0:ffffffff]: Upgrade-Insecure-Requests: 1
00000000:front-ctr-GB-10.clihdr[17f0:ffffffff]: Cache-Control: max-age=0
smp_fetch_http_auth
smp_fetch_http_auth - contiune
Auth for stream 0x26902b0: 0
get_http_auth: txn->flags: 671088640, TX_USE_PX_CONN:1073741824
get_http_auth: h: Authorization, len: 13
get_http_auth txn->auth.user: ss, txn->auth.pass: sssmp_fetch_http_auth - contiune

I think it’s better to check both headers in get_http_auth(struct stream *s),
here:
    if (txn->flags & TX_USE_PX_CONN) {
        h = "Proxy-Authorization";
        len = strlen(h);
    } else {
        h = "Authorization";
        len = strlen(h);
    }

Posts: 1

Participants: 1

Nextcloud behind haproxy: problem with big files

@jsotoca wrote:

Hello,

I’m running Nextcloud behind HAProxy 1.5 on a CentOS 7 virtual machine. All seems to work fine except when I try to download some large files. The download starts, but randomly the downstream drops to 0 Kbps. Sometimes it drops when it has downloaded 1 MB and other times it drops when the download is over 100 MB. I couldn’t find any correlation about when the download drops, nor anything in the logfiles.
Sometimes the downloads work as expected; I successfully downloaded files bigger than 2 GB. It makes a mess and I don’t know where to look.

Any suggestions?

I post some details about the server:
haproxy.conf
global
log 127.0.0.1 local2
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
tune.ssl.default-dh-param 2048
tune.ssl.cachesize 1000000
daemon
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
stats socket /var/lib/haproxy/stats

defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 30s
timeout queue 1m
timeout connect 30s
timeout client 5000
timeout server 30s
timeout http-keep-alive 30s
timeout check 30s
maxconn 30000

frontend http
bind 0.0.0.0:80
option http-server-close
option forwardfor
option http-keep-alive

#ACLs
acl host_cloud_cmp hdr_beg(host) -i cloud.company.com

use_backend cloud_cmp if host_cloud_cmp

frontend https
option http-keep-alive
http-response set-header Strict-Transport-Security max-age=31536000;\ includeSubdomains;\ preload
http-response set-header X-Frame-Options DENY
http-response set-header X-Content-Type-Options nosniff
bind 0.0.0.0:443 ssl crt /etc/haproxy/wildcard.company.com.pem
mode http
reqadd X-Forwarded-Proto:\ https
#ACLs
acl host_cloud_cmp hdr_beg(host) -i cloud.company.com

use_backend cloud_cmp-https if host_cloud_cmp

backend cloud_cmp
redirect scheme https if !{ ssl_fc }

backend cloud_cmp-https
mode http
balance roundrobin
option http-server-close
option http-pretend-keepalive
option forwardfor header X-Real-IP
cookie NEXTCLOUD insert indirect nocache
stick-table type ip size 200k expire 30m
stick on src
http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;\ preload;
server NEXTCLOUDSERVER NEXTCLOUDSERVER:80 check cookie NEXTCLOUDSERVER

haproxy -v

HA-Proxy version 1.5.18 2016/05/10
Copyright 2000-2016 Willy Tarreau

uname -ir

3.10.0-514.16.1.el7.x86_64 x86_64

4CPU, 4GB of RAM

Low CPU Usage
09:20:01 PM CPU %user %nice %system %iowait %steal %idle
09:30:01 PM all 0.21 0.01 0.05 0.00 0.00 99.73
09:40:01 PM all 0.21 0.01 0.05 0.00 0.00 99.72
09:50:02 PM all 0.22 0.01 0.06 0.00 0.00 99.72
10:00:01 PM all 0.21 0.01 0.05 0.00 0.00 99.72
10:10:01 PM all 0.21 0.01 0.06 0.00 0.00 99.72
10:20:01 PM all 0.21 0.01 0.06 0.00 0.00 99.72
10:30:01 PM all 0.21 0.01 0.06 0.00 0.00 99.73
10:40:01 PM all 0.21 0.01 0.06 0.00 0.00 99.72
10:50:01 PM all 0.21 0.01 0.06 0.00 0.00 99.72
11:00:01 PM all 0.21 0.01 0.06 0.00 0.00 99.73
11:10:01 PM all 0.22 0.01 0.06 0.00 0.00 99.72
11:20:01 PM all 0.21 0.01 0.06 0.00 0.00 99.72
11:30:01 PM all 0.21 0.01 0.06 0.00 0.00 99.72
11:40:01 PM all 0.22 0.01 0.06 0.00 0.00 99.72
11:50:01 PM all 0.21 0.01 0.05 0.00 0.00 99.73

Posts: 1

Participants: 1

HAProxy Config Long Timeout

@stevepe wrote:

Hi… what are the pros and cons of a long timeout?
defaults
log global
timeout server 5s
timeout connect 5s
timeout client 5s

Vs.

defaults
log global
timeout server 50000s
timeout connect 5000s
timeout client 50000s

Posts: 1

Participants: 1

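Added example, not from either post: the same three timeouts with explicit units, which also explains the `timeout client 5000` in the Nextcloud config above. HAProxy reads a unit-less duration as milliseconds, so that line is 5 seconds, while the 50000s variant has the opposite problem; the values below are assumptions for a typical HTTP site.

```haproxy
# Added example. "timeout client 5000" has no unit, and unit-less durations
# are milliseconds, so it allows only 5 s of client inactivity: enough to cut
# a download whenever the client stops reading for a moment. Very long values
# (50000s) are the opposite risk: a client that vanished mid-request keeps
# its connection, its buffers and its maxconn slot for almost 14 hours, so a
# few hundred abandoned connections are enough to exhaust a frontend.
defaults
    mode    http
    log     global
    timeout connect 5s         # TCP connect to the server; short is fine on a LAN
    timeout client  60s        # client inactivity while HAProxy waits on the client
    timeout server  60s        # server inactivity while HAProxy waits on the server
    timeout http-request 10s   # complete request headers must arrive within 10 s,
                               # which limits clients that trickle headers slowly
    timeout tunnel  1h         # only for WebSocket/CONNECT tunnels, applied after
                               # the upgrade, when client/server no longer apply
    timeout client-fin 30s     # half-closed client connections are reaped sooner
```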
SSL handshake failure - TCP FIN

@Trigve wrote:

Hi,
I’m using HA-Proxy version 1.7.8 as HTTPS termination proxy in a VPN.

After upgrading from 1.5.7 (I think) to this new version (1.7.8), I’ve got a lot of “SSL handshake failure” from the same address every 5 seconds. So I’ve “dumped” the SSL communication and it has only this:
1 0.0013 (0.0013) C>S TCP FIN
1 0.0014 (0.0001) S>C TCP FIN

So to me it looks like that some server is “pinging” haproxy. I’ve been able to simulate it by connecting to the haproxy HTTPS socket and then immediately dropping it. The same error in the log appeared from my IP.

So it looks like it is harmless (but I will find out what this “pinging” address is exactly next week, as the main infrastructure guy is on vacation) and is only polluting my logs. Could I somehow disable logging for this particular address, or disable all “empty” requests? I already have “option dontlognull”, but no success.

Thank you

Posts: 2

Participants: 1

Simple layer3 loadB for port range

@gettaloviasubito wrote:

Hi there,

Thanks for your fantastic software.

I have 2 application servers (middleware) where the software listens on different sockets for different channels, so the result is that I have 120 different ports open from 10000 to 60000.

I want to put an HAProxy in front of that, and I googled for a solution…

I put together something like this:

frontend FRTEST
bind xxx.yyy.zzz.126:10000-60000
mode tcp
default_backend BKTEST

backend BKTEST
stick store-request src
stick-table type ip size 200k expire 120m
option persist
option redispatch
balance roundrobin
server as1 xxx.yyy.zzz.127  # no port means the same port, right?
server as2 xxx.yyy.zzz.128

where obviously xxx.yyy.zzz.126 is my VIP, and xxx.yyy.zzz.127,128 are my application servers.

Is this the correct solution?

What is the equivalent of the forwardfor option for TCP balancing?

thanks!!

Posts: 4

Participants: 2


HAProxy websocket disconnected after a few seconds

@klic2rohit wrote:

Hello,

I am using HAProxy version 1.5.8 for HTTP and am now trying to add websocket support.

I am testing the websocket connection using the http://www.websocket.org/echo.html site.

My websocket connection connects to the server, but after a few seconds it shows disconnected.

My setup is like this:

AWS ALB -----> HAproxy ------> ec2 with web app docker container

I have enabled the session stickiness attribute on AWS ALB.

haproxy conf:

defaults
mode http
timeout connect 5000ms
timeout client 5000ms
timeout server 50000ms

timeout tunnel  3600s
timeout client-fin 30s
timeout http-keep-alive  1s

option          httplog
option          redispatch
retries         3
log             global

frontend public
bind 0.0.0.0:80
option dontlognull
option forwardfor
maxconn 2500
monitor-uri /haproxy_health
option httplog
# remove proxy header
http-request del-header Proxy

## **WS routing based on Host header
acl host_ws hdr_beg(Host) -i ws.
use_backend meteoguard-task-list-service-eis if host_ws

## **WS routing based on websocket protocol header
acl hdr_connection_upgrade hdr(Connection)  -i upgrade
acl hdr_upgrade_websocket  hdr(Upgrade)     -i websocket
use_backend meteoguard-task-list-service-eis if hdr_connection_upgrade hdr_upgrade_websocket

################################################################################################
backend meteoguard-task-list-service-eis
balance roundrobin
option tcplog
timeout connect 30s
timeout client 30s
timeout server 30s
option forwardfor
timeout tunnel 60m
## websocket protocol validation
acl hdr_connection_upgrade hdr(Connection) -i upgrade
acl hdr_upgrade_websocket hdr(Upgrade) -i websocket
acl hdr_websocket_key hdr_cnt(Sec-WebSocket-Key) eq 1
acl hdr_websocket_version hdr_cnt(Sec-WebSocket-Version) eq 1
http-request deny if ! hdr_connection_upgrade ! hdr_upgrade_websocket ! hdr_websocket_key ! hdr_websocket_version

option httpchk  GET /health
http-check expect status 200

server ws1 10.3.1.2:31402 check

Posts: 1

Participants: 1

Forwarding VMWare workstation ports with HAProxy

@building39 wrote:

I recently changed ISPs in order to take advantage of much higher speeds. The downside is that the new ISP has a double NAT between me and the internet, which has effectively eliminated any possibility of doing port forwarding like I did with the original service. Previously, I simply forwarded ports 443 and 902 from my DSL modem/router to the machine hosting my VMs, and everything was groovy. Now, that’s not possible.

So, I bought a cheap Linode instance, loaded it up with OpenVPN-AS and HAProxy. OpenVPN is working beautifully, and I have successfully configured HAProxy to forward SSH and HTTP. But I can’t seem to get it to properly forward the ports for VMWare server. Here’s what I have so far:

frontend vmware-frontend
mode tcp
bind 1.2.3.4:8443 ssl crt /etc/ssl/private/my.pem
default_backend vmware_backend

frontend vmwareauthd
mode tcp
bind 1.2.3.4:902 ssl crt /etc/ssl/private/my.pem
default_backend vmwareauthd_backend

backend vmware_backend
mode tcp
server theserver 172.27.232.61:4443 weight 1 maxconn 10240 check

backend vmwareauthd_backend
mode tcp
server theserver 172.27.232.61:902 weight 1 maxconn 10240 check

I’m confident that HAProxy is up for the job - but I’m struggling with how to configure it to do so. With the above configuration, I get an “HTTP error 200” - which is odd, since 200 is “OK”.

Any ideas on how I can fix this?

Thanks!

Posts: 6

Participants: 2

Forward Client's IP to apache backend with https pass through

@marcingiedz wrote:

Hi there,

this is my haproxy version:
haproxy -vv
HA-Proxy version 1.5.18 2016/05/10

We’ve got 2 Apache backends accepting HTTPS-only requests. Our business app running on Apache must record the original client’s IP, but instead it saves the balancer IP. Is there any way in https mode to forward the client’s IP to the webserver?

Thx
Marcin

Posts: 1

Participants: 1

How to set ssl verify client for specific domain name

@yong wrote:

Hi, all

I have two domain names, test1 and test2.
test1 needs to verify the client certificate;
test2 is a normal https website.

Here’s the config for test1, but I don’t know how to merge test2 into it, because test2 does not need to verify the client certificate. It seems ‘verify required’ is a global option; how can I let only test1 verify the client certificate? Thanks for the help (I’m new to HAProxy, please correct me if anything is wrong in my config, thanks a lot).

frontend http_in
        bind *:80
        bind *:443 ssl crt /etc/ssl/certsforhaproxy/test1.pem crt /etc/ssl/certsforhaproxy/test2.pem ca-file /etc/ssl/certsforhaproxy/ca.pem verify required
        redirect scheme https if !{ ssl_fc }
        acl host_test1 hdr_beg(host) test1.demo.com
        acl host_test2 hdr_beg(host) test2.demo.com
        use_backend test1_back if host_test1
        use_backend test2_back if host_test2

backend test1_back
        mode http
        default-server inter 2s fall 2 rise 2
        server node1 10.10.0.1:1234 check port 1234
        server node2 10.10.0.2:1234 check port 1234
        server node3 10.10.0.3:1234 check port 1234

backend test2_back
        mode http
        default-server inter 2s fall 2 rise 2
        server node1 10.10.0.1:2345 check port 2345
        server node2 10.10.0.2:2345 check port 2345
        server node3 10.10.0.3:2345 check port 2345

Posts: 2

Participants: 2

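Added example, not from the original post: the bind can request a certificate without requiring it (`verify optional`), and the requirement is then enforced per host with request rules, so test1 refuses requests without a verified certificate while test2 stays open. Syntax for HAProxy 1.5 or later; the hostnames, paths and backend names are the ones from the post.

```haproxy
frontend http_in
    bind *:80
    # verify optional: the client is asked for a certificate, but the handshake
    # still succeeds when none is presented, so the decision moves to the ACLs
    # below. A certificate that is presented but does not chain to ca.pem still
    # aborts the handshake unless crt-ignore-err / ca-ignore-err are set.
    bind *:443 ssl crt /etc/ssl/certsforhaproxy/test1.pem crt /etc/ssl/certsforhaproxy/test2.pem ca-file /etc/ssl/certsforhaproxy/ca.pem verify optional
    redirect scheme https if !{ ssl_fc }

    acl host_test1 hdr(host) -i test1.demo.com
    acl host_test2 hdr(host) -i test2.demo.com
    # ssl_c_used: a client certificate was presented on this connection
    # ssl_c_verify 0: its verification against ca.pem reported no error
    acl client_cert_present ssl_c_used
    acl client_cert_valid   ssl_c_verify 0

    # test1 is refused unless a certificate was presented and verified; the
    # ssl_c_verify check keeps the rule correct if an ignore-err option is
    # ever added to the bind line
    http-request deny if host_test1 !client_cert_present
    http-request deny if host_test1 !client_cert_valid

    use_backend test1_back if host_test1
    use_backend test2_back if host_test2
```

Because both hosts share one listener, a browser visiting test2 that holds a certificate from the same CA may be prompted for it during the handshake; it can decline and is still served.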
HEALTH CHECKS log repertory

@Chek69 wrote:

Hello everybody,

Can you tell me where I can find the health check logs?
Thanks in advance.

Posts: 1

Participants: 1

Check just one backend, node down in all

@devnull82 wrote:

Hello,
I have an HAProxy configuration with 2 frontends (http and https) pointing to two different backends (http and https), but having exactly the same nodes.

As it seems I can’t configure a health check on https, I’d like the node that fails the check on http to be considered down on https as well.

Is it possible to do it in some way?

Thanks!

Posts: 2

Participants: 2

Upgrading HAProxy 1.5 to 1.7

@Chek69 wrote:

Hello,

Can you tell me how to upgrade my HAProxy version from 1.5 to 1.7 (running on CentOS 7) without losing my configuration?

Thanks in advance.

Posts: 1

Participants: 1


Achieving http redirection using regex matching

@prasanna wrote:

Hi,
I just want to know if there is a possibility to achieve the following in HAProxy.
I have a few routes that I have stored in a map file.
Based on regex matching, if the request matches a specific route I want to redirect to another route.
Example:
route_map.map
So these numbers can be any numbers… so basically match a regex, get the id, and give the corresponding output with the id.
/abc/tickets/1 —> /a/tickets/1
/def/users/20 —> /a/users/20

I would like to achieve this. I tried using the map_regm function, but could not find any example.

http-request redirect code 302 location %[path,map_regm(/route_map.map)]

Thankyou.

Posts: 1

Participants: 1

Replacing reqadd with http-request set-path

@ngbranitsky wrote:

The HAProxy 1.7 manual says:
“Using “reqadd”/“reqdel”/“reqrep” to manipulate request headers is discouraged in newer versions (>= 1.5).”

I’ve copied the “reqadd” statements from my HAProxy 1.5.18 configuration to HAProxy 1.7.8 and now want
to update them:

acl path_licd  path_beg /licenseDetails
acl path_admin path_beg /admin /staff
acl path_data  path_beg /datamart
acl path_root  path /
reqrep ^([^\ \t]*)[\ \t]/(.*)\ (.*) \1\ /datamart/licenseDetails.do\ \3 if path_licd
reqrep ^([^\ \t]*)[\ \t]/(.*)\ (.*) \1\ /datamart/\2/languageChoice.do\ \3 if path_admin
reqrep ^([^\ \t]*)[\ \t]/\ (.*) \1\ /datamart/wiLogin.do\ \2  if path_data
redirect location /datamart/wiLogin.do if path_root

I assume the path_licd statement becomes:
http-request set-path /datamart/licenseDetails.do\ %[query] if path_licd

I assume the path_admin statement becomes:
http-request set-path /datamart/%[path]/languageChoice.do\ %[query] if path_admin

I assume the path_data statement becomes:
http-request set-path /datamart/wiLogin.do\ %[query] if path_data

I assume the redirect statement becomes:
http-request redirect /datamart/wiLogin.do if path_root

Are my “translations” correct?

Posts: 1

Participants: 1

DNS resolving interval

@amir wrote:

Hi,
I am using HAproxy 1.6.3.
How do I configure DNS resolution to happen every 1 second while keeping the health check interval at 30 seconds?
I have tried changing the “hold” parameter to 1s and 30s, but failed to get the desired behavior.
Please advise.
Thanks
Amir

Posts: 1

Participants: 1

High Availability and failover noob question

@sheetzdw wrote:

We are using HAProxy running on a VM. Is it possible to have 2 copies, one running as a hot spare in case the other goes down? Feel free to point me to a document on how to configure this, if one exists.

Posts: 1

Participants: 1

Edit response content in haproxy

@arash wrote:

Hello

I want to edit the response JSON from an upstream website, something like sub_filter in nginx. I searched and found rspirep and rsprep, but they are not working. Any suggestions for me?

Posts: 1

Participants: 1
