
HTTPS frontend to HTTP backend

@wilnzi wrote:

Hi,
Help please.

I'm trying to configure this architecture:
a frontend with https, redirecting to http on the backend.
But when I do, I always get this error message:
Forbidden
You don’t have permission to access /new/new/ on this server.

But this directory exists on both backend servers and has chmod 0777.

My configuration :

frontend www-http
bind *:80
mode http
option httpclose
option forwardfor

redirect prefix https://www.example.com if { hdr(host) -i example.com }
redirect prefix https://www.example.com if { hdr(host) -i www.example.com }

acl exampleACL hdr_dom(host) -i example.com
use_backend exampleBackend if exampleACL
default_backend defaultBackendServer

frontend www-https
bind *:443 ssl crt /etc/ssl/certs/adwa/certificate.pem
mode http
option httpclose
option forwardfor

redirect prefix https://www.example.com if { hdr(host) -i example.com }

acl exampleACL hdr_dom(host) -i example.com
use_backend exampleBackend if exampleACL
default_backend defaultBackendServer

backend defaultBackendServer
mode http
balance source
server SRV-WEB-1 192.168.2.13:80 check
server SRV-WEB-2 192.168.2.14:80 check

backend exampleBackend
mode http
redirect scheme http code 301 if !{ ssl_fc }
balance source
acl no_redir url_beg /new/new/
reqirep ^([^\ :]*)\ /(.*) \1\ /new/new/\2 if !no_redir
server SRV-WEB-1 192.168.2.13:80 check
server SRV-WEB-2 192.168.2.14:80 check

Posts: 3

Participants: 2

Read full topic


How to duplicate backend sessions

@LucasRey wrote:

Hello community,
I tried the simple HAProxy configuration (below) and it works perfectly for now. But I need something different for my setup. Is it possible to receive packets on the frontend and route them to multiple backend sessions? I mean, a request arrives at the frontend, and the same packets are routed to all configured backend servers. Thank you.

frontend server1
bind *:6000
bind *:6001
bind *:6002
bind *:6003
mode tcp
default_backend server1
timeout client 30m

backend server1
mode tcp
balance roundrobin
server srv01 192.168.10.7:5000
server srv02 192.168.10.7:5001
timeout connect 10s
timeout server 30m

Posts: 1

Participants: 1

Read full topic

Issues with connecting to backend server though URL redirection happens

@runnikri wrote:

Hi Team,

I have the following frontend and backend settings in my haproxy configuration file. Even though haproxy redirects to the backend URL, it fails to connect to the backend server.

Error detail: Unable to connect to Ambari Server. Confirm Ambari Server is running and you can reach Ambari Server from this machine.

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend main *:80

acl url_dcos path_beg /dcos
acl url_ambari path_beg /ambari

use_backend dcos-backend if url_dcos
use_backend ambari-backend if url_ambari

#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend dcos-backend
reqrep ^([^\ ]*)\ /dcos(/.*) \1\ \2
cookie SERVERID insert indirect nocache
{% for master in groups['master-nodes'] %}
server dcos_master{{ loop.index0 }} {{ hostvars[master].ansible_host }}:80 check cookie dcos_master{{ loop.index0 }}
{% endfor %}

backend ambari-backend
reqrep ^([^\ ]*)\ /ambari(/.*) \1\ \2
cookie SERVERID insert indirect nocache
{% for mgmt in groups['management-nodes'] %}
server ambari_server{{ loop.index0 }} {{ hostvars[mgmt].ansible_host }}:8080 check cookie ambari_server{{ loop.index0 }}
{% endfor %}

Please guide.

Posts: 1

Participants: 1

Read full topic

Haproxy stays bound to frontend port when all backends are down

@sean.hogan wrote:

Hi everyone. Perhaps my expectations are incorrect, but I figured haproxy would unbind from the listening port when a “tcp-request connection reject” is in place and the condition is currently true.

My use case is that I have five backend servers and one haproxy listening on port X. When all five backends are down (such as for maintenance), I had hoped this rule:

tcp-request connection reject if { nbsrv(xyz) lt 1 }

would cause haproxy to stop listening. Unfortunately I have to deal with some exceptionally stupid software on the other end that uses a “dump and go” policy whereby it connects and just blindly dumps its data. If it connects successfully it assumes the data was delivered. I know, it is tremendously bad behaviour but unfortunately not under my control.

Is my expectation correct? netstat shows haproxy still listening and I can connect with telnet, though it disconnects as soon as I send data.

Thanks,
Sean

Posts: 2

Participants: 1

Read full topic

HAProxy for MultiTenant application

@hpasbor wrote:

In a MultiTenant application I would like to have the possibility to configure HAProxy at run time, adding (and removing) HTTPS frontend ports (one per Tenant) with different IP addresses and URLs/domains.
Each frontend port will communicate with two backend ports with two internal Httpd/Apache instances (for load balancing) shared among all Tenants.
I should give (dynamically and automatically from an internal PKI system) a different X.509 certificate to each frontend port, so each frontend port will use its own certificate for HTTPS. Of course, in order to manage dynamic creation/deletion of Tenants, I need to reconfigure HAProxy (creating a new port and providing a new certificate for each) in a hitless way.
What do you think about this configuration? Do you see it as feasible? Any impediment or limitation? Problems managing tens of Tenants (frontends)?

Posts: 1

Participants: 1

Read full topic

Meaning of config file syntax

@tamal wrote:

I recently came across the article at https://raymii.org/s/tutorials/haproxy_client_side_ssl_certificates.html. I understand most of it. I am confused by the syntax:

backend expired
mode http
option http-server-close
redirect location /certificate-expired.html if { ssl_c_verify 10 } ! { path /certificate-expired.html }
redirect location /certificate-revoked.html if { ssl_c_verify 23 } ! { path /certificate-revoked.html }
redirect location /other-certificate-error.html unless { ssl_c_verify 0 } ! { path //other-certificate-error.html }
server helpdesk3 10.20.20.30:80 check

What do these ! mean above?

Posts: 2

Participants: 2

Read full topic

H2 problem with multiple backends

@PhilPhonic wrote:

Hi,

I have a problem setting up h2 support.
I redirect to multiple backends depending on sni:

When I open www.example.com the page loads just fine and is served via h2. After that, I try to load mail.example.com. But it loads www.example.com. After pressing [CTRL] + [F5], it loads mail.example.com via h2.

I'm pretty sure I'm just missing one little thing, but can't figure out what it is.

This is my config:

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events.  This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #   file. A line like the following can be added to
    #   /etc/sysconfig/syslog
    #
    #    local2.*                       /var/log/haproxy.log
    #
    log         /dev/log      local0
    log         /dev/log      local1 notice

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4096
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

    # ssl config
    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
    tune.ssl.default-dh-param 2048
    tune.ssl.cachesize        100000
    tune.ssl.lifetime         600
    tune.ssl.maxrecord        1460

    # send our own hostname instead of "localhost" in the log
    log-send-hostname

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode    tcp
    log     global
    option  httplog
    option  dontlognull
    option  http-server-close
    option  forceclose
    option  forwardfor
    option  redispatch
    retries 1
    timeout http-request      10s
    timeout queue             1m
    timeout connect           10s
    timeout client            1m
    timeout server            1m
    timeout http-keep-alive   10s
    timeout check             10s
    timeout tunnel            15m
    timeout client-fin        30s
    maxconn 4096

listen stats
    bind :::8443 v4v6 ssl crt /etc/haproxy/cert/
    mode http
    stats enable
    stats hide-version
    stats realm secured
    stats auth <user>:<password>
    stats uri /
    stats refresh 5s

frontend fe_http
    bind :::80 v4v6
    mode http

    redirect prefix https://example.com code 302 if { hdr(Host) -i example.com }
    redirect prefix https://www.example.com code 302 if { hdr(Host) -i www.example.com }
    redirect prefix https://www.example.com code 302 if { hdr(Host) -i <ipv4> }
    redirect prefix https://www.example.com code 302 if { hdr(Host) -i [<ipv6>] }
    redirect prefix https://mail.example.com code 302 if { hdr(Host) -i mail.example.com }

frontend fe_https
    bind :::443 v4v6 ssl crt /etc/haproxy/cert/ alpn h2,http/1.1
    mode tcp

    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }

    acl host_www.example.com ssl_fc_sni -i www.example.com
    acl host_mail.example.com ssl_fc_sni -i mail.example.com
    acl host_non_www ssl_fc_sni -i example.com

    acl proto_h2 ssl_fc_alpn -i h2

    use_backend be_www if host_www.example.com !proto_h2
    use_backend be_www_h2 if host_www.example.com proto_h2

    use_backend be_mail if host_mail.example.com !proto_h2
    use_backend be_mail_h2 if host_mail.example.com proto_h2

    use_backend be_dummy_www if host_non_www

backend be_www
    balance roundrobin
    mode http
    server www.example.com 127.0.0.1:81 check

backend be_www_h2
    balance roundrobin
    mode tcp
    server www.example.com 127.0.0.1:82 check send-proxy

backend be_mail
    balance roundrobin
    mode http
    timeout server 3660s
    timeout client 3660s
    server mail.example.com 127.0.0.1:83 check

backend be_mail_h2
    balance roundrobin
    mode tcp
    timeout server 3660s
    timeout client 3660s
    server mail.example.com 127.0.0.1:84 check send-proxy

frontend fe_dummy_www
    bind 127.0.0.1:8080
    mode http
    redirect prefix https://www.example.com code 302

backend be_dummy_www
    mode http
    server haproxy_www_dummy 127.0.0.1:8080

I hope someone can help :wink:

Thanks in advance!
Phil

Posts: 5

Participants: 2

Read full topic

HTTPS ReverseProxy + Basic authentication

@albanosdes wrote:

Hello there.
I've been using HAProxy as a reverse proxy with https for a few months now.
Here is my conf:


global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon

ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3

defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
option forwardfor except 127.0.0.0/8
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

############################################
frontend port80-redirect
mode http
bind 192.168.10.5:80
redirect scheme https
############################################
frontend port443-relay
bind 192.168.10.5:443
mode tcp
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend backendgogs if { req_ssl_sni -i mydomain1 }
use_backend backendmulticraft if { req_ssl_sni -i mydomain2 }
use_backend backendwigo if { req_ssl_sni -i mydomain3 }
default_backend backendgogs
############################################
backend backendgogs
mode tcp
server vm-git ip1:443 maxconn 32

backend backendmulticraft
mode tcp
server vm-multicraft ip2:443 maxconn 32

backend backendwigo
mode tcp
server vm-wigo ip3:443 maxconn 32


Here is my question:
One of my web interfaces (mydomain3, the last backend) does not have an authentication system.
As far as I know it is possible to have basic authentication with HAProxy, but I'm not sure how it works.
I tried to add a userlist:

userlist Admins
group AdminGroup users admin
user admin password 1d4cdafaac5871387085b898f4ff81be

And then add this to the backend :

acl AuthOkay_UsersAuth http_auth(Admins)
http-request auth realm Admins if !AuthOkay_Admins

But HAProxy fails to start, so I guess something is wrong.

If someone could enlighten me, I would be grateful :slight_smile:

Posts: 2

Participants: 2

Read full topic


Basic Auth add text in password prompt

@Mr.Poxy wrote:

I have a backend auth working just fine. But I want to add some text to the password prompt when it comes up. I believe in an .htaccess file it would be called an AuthName.

Right now the prompt just says "Authentication required" and on the next line it shows the URL that was accessed.

I am hoping that I can just add something like "welcome to our site".

Any help is appreciated.

Posts: 1

Participants: 1

Read full topic

Backend sessions limit 200?

@pavel wrote:

Hi,

I’m using the stats page.
On the row with Backend there is a value of 200 for Sessions Limit. What does it mean exactly and how do I set it?
Frontend has 2000 for Sessions Limit, which is the default according to the documentation. So does it mean that the frontend can accept 2000 sessions, but the backend only 200?
I'm a little bit confused because older versions of haproxy show 0 (unlimited?) there.

With Best Regards,
Pavel

Posts: 1

Participants: 1

Read full topic

Haproxy High Availability

@chazz wrote:

My test setup.
internet
HAProxy01 - HaProxy02
web01-web02-web03-web04

This is up and running now with just HAProxy01, and I want to add HAProxy02, both running Ubuntu 16, with a floating IP… I think. The problem is I want the floating IP to be a public IP that lands on HAProxy, which then load balances to 4 local web servers running Server 2012 and IIS.

What I think I want to do is put 2 nics in each HAProxy server, one internal and one external then have the floating IP on the external nics. Is this possible?

Or do I put HAProxy behind my firewall and NAT to the floating IP on the HAProxy servers in a DMZ?

I guess what I am asking is, what is the ideal setup for what I am looking to do.

Posts: 1

Participants: 1

Read full topic

Forward Connections if SSL Cert or IP in Whitelist

@jared.dembrun wrote:

I am working on an HAProxy server configuration for a proof of concept. We want to forward any incoming connections which either

  1. Have a successful 2-way TLS handshake or
  2. Are coming from an IP address in a whitelist

I was looking at the documentation on ACLs, and thought maybe I could configure one to check for certs and one to check the whitelist, but I’m not sure if I’m barking up the right tree here. Currently, I have a server accepting valid certs by binding a port with an SSL certificate like so: bind *:2000 ssl crt cert.pem ca-file myCA.pem verify required

Another idea I've had is redirecting to a second port in case of failure on the first one. So, for instance, if the handshake fails, we redirect to another port checking a whitelist, or vice versa.

Which of these seems like a better approach? Are either of them impossible to implement in HAProxy? Thank you for any assistance.

Posts: 2

Participants: 2

Read full topic

Tomcat subdomains and path redirection

@matthealey wrote:

I'm new to HAProxy and am trying to find some assistance with a configuration problem. I need to create a configuration that will allow me to dynamically proxy a Tomcat application Context path to a subdomain. The subdomain/path cannot be hard coded and should be set up as a variable. I've had a look at the other suggestions throughout the site but none of them cover this particular issue. So far, I've put together this configuration from various existing examples.

This is what I need.

User request -> http://site1.domain.com/path
Redirect to https
HAProxy then makes a request to its backend pool using the URL http://<ip>:8080/site1/path
When the tomcat application returns links to assets they will have a path that will need to be redirected as well.

Site returns https://site1.example.com/site1/image.jpg
If exists, remove the first site1 from the path. https://site1.example.com/image.jpg
I've gotten this far using examples and other guides from this site, but I'm at the limits of my knowledge in this area. I'm not sure how to remove the site1 from the path. Any suggestions would be welcome.

# Frontend Definition
frontend tomcat_contexts
    bind *:80
    bind *:443 ssl crt /etc/haproxy/cert.pem
    acl http ssl_fc,not
    http-request redirect scheme https if http
    reqadd X-Forwarded-Proto:\ https
    default_backend cluster

# Backend Definition
backend cluster
    balance roundrobin
    cookie JSESSIONID prefix nocache

    # Perform Subdomain url rewrite
    http-request set-var(req.subdomain) req.hdr(host),lower,regsub(\.example\.com$,) if { hdr_end(host) -i .domain.com }
    http-request set-path /%[var(req.subdomain)]%[path] if { var(req.subdomain) -m found }
    http-request set-header Host example.com if { var(req.subdomain) -m found }

    # Cluster machines
    server app01 192.168.69.181:8080 check cookie app01
    server app02 192.168.69.182:8080 check cookie app02

Posts: 1

Participants: 1

Read full topic

Multiple Log Messages for the same Request to the same Syslog-Server

@dalu wrote:

Hey there guys,

I’m trying to find a way to send multiple log messages (I’m thinking 2 right now) for the same Request to the same Syslog-Server. The reason I want to do this is because I need to print out the http body and all the other metainformation (ClientIP and all that default http-log-format stuff) in the log. This way, though, the log is way too overloaded.

This is how I want my log files to look:
2017-10-06 13:27:06 Local0.Info PID metainformation
2017-10-06 13:27:06 Local0.Info SAMEPID http-body-comes-here

This is how it looks right now:
2017-10-06 13:27:06 Local0.Info PID metainformation, http-body-comes-here

The logs already have all the information I need, so this is just an idea from a cosmetic point of view.

Cheers,
DL

Posts: 1

Participants: 1

Read full topic

Loading regex patterns from a file?

@Gurvan wrote:

Hi,

For flexibility reasons I would like to switch from base_sub to base_reg in a line like this:
current: acl blacklist_a base_sub -i -f /some/dir/blacklisted_urls
idea: acl blacklist_a base_reg -i -f /some/dir/blacklisted_urls

Lines can be read from the file even with base_reg, but they are only interpreted as strings (., +, ?, *, + not interpreted at all), so in effect it is exactly like base_sub.

I have tried to find some examples but could not find a single “base_reg (-i)? -f”.

Is it possible to load one or several regex patterns from a file?

Cheers,
Gurvan

Posts: 2

Participants: 2

Read full topic


Tracking source IP when using proxy protocol

@Exocomp wrote:

Goal: Limit connections opened per IP (real client IP) when using proxy protocol

I want to limit the number of opened connections per IP when using the proxy protocol.

According to some sources it is done like so:

stick-table type ip size 100k expire 30s store conn_cur
tcp-request connection track-sc0 src
tcp-request connection reject if { src_conn_cur gt 10 }

Problem here is using “tcp-request connection” doesn’t store the “real client IP” (remember I’m using proxy protocol).

Per the documentation:

“The PROXY protocol dictates the layer
3/4 addresses of the incoming connection to be used everywhere an address is
used, with the only exception of “tcp-request connection” rules which will
only see the real connection address.”

If I use “tcp-request content” instead, that works, but according to the documentation “tcp-request connection” is more efficient.

My question is whether there is any workaround to use the real client IP with the more efficient “tcp-request connection”?

Posts: 1

Participants: 1

Read full topic
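A constructed Python simulation, added here and not part of the original post or of HAProxy, of why the two rule types count differently: a counter stands in for the stick table with `store conn_cur`, keyed once on the TCP peer address (what `tcp-request connection` sees) and once on the source address carried in the PROXY protocol v1 header (what `tcp-request content` sees after the header is parsed). The upstream proxy at 10.0.0.1 and the client addresses are made up.

```python
"""Constructed simulation (not HAProxy's code) of a per-client connection
limit behind the PROXY protocol.  A Counter plays the role of the stick
table with 'store conn_cur'; it is keyed on whatever address the rule sees."""
import ipaddress
import re
from collections import Counter

# PROXY protocol v1 header: "PROXY <TCP4|TCP6> <src> <dst> <sport> <dport>\r\n"
# or "PROXY UNKNOWN\r\n" when the sender has no address to convey.
_PROXY_V1 = re.compile(
    rb"^PROXY (TCP4|TCP6|UNKNOWN)(?: (\S+) (\S+) (\d{1,5}) (\d{1,5}))?\r\n"
)


def parse_proxy_v1(data):
    """Return (src_ip, src_port) from a PROXY v1 header, or None if absent/invalid."""
    m = _PROXY_V1.match(data)
    if not m or m.group(1) == b"UNKNOWN" or m.group(2) is None:
        return None
    try:
        src = str(ipaddress.ip_address(m.group(2).decode()))
    except ValueError:
        return None
    return src, int(m.group(4))


def peer_key(conn):
    """Address a 'tcp-request connection' rule tracks: the TCP peer only."""
    return conn["peer"]


def proxy_src_key(conn):
    """Address a 'tcp-request content' rule tracks: the PROXY-supplied source."""
    parsed = parse_proxy_v1(conn["data"])
    return parsed[0] if parsed else None


def simulate(connections, limit, key_of):
    """Apply 'track-sc0 <key>' then 'reject if src_conn_cur gt limit' in order.

    Returns a list of (tracked_key, accepted) in arrival order.  A rejected
    connection is closed immediately, so it does not keep a slot.
    """
    conn_cur = Counter()
    decisions = []
    for conn in connections:
        key = key_of(conn)
        if key is None:            # no usable PROXY header: nothing to track
            decisions.append((None, False))
            continue
        conn_cur[key] += 1         # track-sc0 counts this connection
        if conn_cur[key] > limit:  # src_conn_cur gt limit -> reject
            conn_cur[key] -= 1
            decisions.append((key, False))
        else:
            decisions.append((key, True))
    return decisions


# Constructed sample: every client reaches HAProxy through one upstream proxy
# at 10.0.0.1 that prepends a PROXY v1 header with the real client address.
PROXY_IP = "10.0.0.1"


def via_proxy(client_ip, client_port):
    header = f"PROXY TCP4 {client_ip} 10.0.0.2 {client_port} 443\r\n"
    return {"peer": PROXY_IP, "data": header.encode() + b"GET / HTTP/1.0\r\n\r\n"}


# Eleven connections from one client, then a single one from a second client.
SAMPLE = [via_proxy("203.0.113.7", 40000 + i) for i in range(11)]
SAMPLE.append(via_proxy("198.51.100.9", 50001))
```

Run `simulate(SAMPLE, 10, peer_key)` and all twelve connections share the proxy's counter, so the limit of 10 also refuses the second client; with `proxy_src_key` only the eleventh connection of the first client is refused and the second client gets through.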

Any way to present client origination hostname to backend

@mpaul wrote:

I am new to haproxy.
I am deploying haproxy to route client connections for a specific port to my backend server running on a different port.
The backend server sees all clients have been originated on the same host.

Is there any configuration, most likely in “default” or “front end”, to pass the client hostname to the backend server?

Any help is appreciated.

Thanks
MPaul

Posts: 2

Participants: 2

Read full topic

Having hard time with redirect

@jaysin144 wrote:

I have a horribly written application and am trying to work around that limitation.

I’m having a hard time figuring out how to do this. I’ve actually done it before so know it’s possible but that was some time ago. I have HAProxy installed and it’s doing transparent balancing to three backend servers. The problem is that it’s doing it transparently and I actually need it to just redirect. Doesn’t even need to proxy the connections necessarily.

Example:

Request is for http://1.1.1.1/this/url.asp (this is the HAProxy host)

Redirect should be to one of my backend servers 2.2.2.2/this/url.asp or 3.3.3.3/this/url.asp

The way it’s working now is that it’s proxying to 2.2.2.2 but leaving the URL as 1.1.1.1. I need the URL to be 2.2.2.2.

There’s a lot of good information about how to change the URI, but I can’t figure out how to have HAProxy substitute the frontend url for the back end IP.

Posts: 1

Participants: 1

Read full topic

Reset sticky session connections on reload

@sadlil wrote:

We have a HAProxy setup running inside Kubernetes whose configuration is generated automatically. It uses sticky sessions with the targeted server's private IP md5/sha hashed. When our server restarts, the private IP may change, and hence the configuration changes. But the client is still holding the wrong hash value (previous IP). What is the proper way to handle this? How can we reset/force the client to use the new sticky formulas?

Posts: 3

Participants: 3

Read full topic

Is there a method to implement a debug log with microsecond precision in haproxy?

@Sandeep.rai2k17 wrote:

I tried to get a debug log, but the timestamp does not seem to sync with a different log mechanism (syslog). Is there a method to get a log with a human-readable time [hh:mm:ss] and date?

Posts: 1

Participants: 1

Read full topic
