Channel: HAProxy community - Latest topics

'stick': unknown fetch method 'res.cook_reg'


@stucky101 wrote:

HAproxy gurus

I have a stick table based on JSESSIONID and it works well with apps that actually use a cookie by that name.
However, oracle webcenter uses 2 differently named cookies

WCC-ADF-JSESSIONID
_WL_AUTHCOOKIE_WCC-ADF-JSESSIONID

The following matches both and thus sticks both into the stick table

stick store-response res.cook(WCC-ADF-JSESSIONID)
stick match req.cook(WCC-ADF-JSESSIONID)

  1. It should not store the second one imho as the match is documented as “exact string”
  2. The following should work afaict
    stick store-response res.cook_reg(^WCC-ADF-JSESSIONID$)
    stick match req.cook_reg(^WCC-ADF-JSESSIONID$)

but causes haproxy to barf

[ALERT] 248/160853 (26241) : parsing [/usr/local/etc/haproxy.cfg:131] : 'stick': unknown fetch method 'res.cook_reg'
[ALERT] 248/160853 (26241) : parsing [/usr/local/etc/haproxy.cfg:132] : 'stick': unknown fetch method 'req.cook_reg'
[ALERT] 248/160853 (26241) : Error(s) found in configuration file : /usr/local/etc/haproxy.cfg
[ALERT] 248/160853 (26241) : Fatal errors found in configuration.

I thought I might not have compiled pcre so I did that again to be sure:

make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1
[root@devpxyc01n01 ~]# rpm -q pcre-devel
pcre-devel-8.32-17.el7.x86_64
[root@devpxyc01n01 ~]# ldd /usr/local/sbin/haproxy | grep pcre
libpcreposix.so.0 => /lib64/libpcreposix.so.0 (0x00007f082e3a4000)
libpcre.so.1 => /lib64/libpcre.so.1 (0x00007f082e142000)

I need to explicitly match WCC-ADF-JSESSIONID only.

Any help would be appreciated.

Thx

Posts: 2

Participants: 1

Read full topic


X-Forwarded-For in TCP Mode


@mahesh.mahajan wrote:

I have compiled HA Proxy version 1.8.13 on RHEL 7.5. The defaults and frontend are configured in TCP mode.

The application instances which we have in the backend are serving TCP connections. For security reasons we have enabled access control on the basis of IP address and user name. To use this feature I would require HAProxy to send the IP address of the client machine to the applications. Currently all requests are coming via the HAProxy IP address.

Can someone please guide me on how to set up X-Forwarded-For in TCP mode? Below is the snippet of haproxy.cfg:

defaults
mode tcp
log global
option tcplog
option dontlognull
option forwardfor
option redispatch
retries 3
timeout queue 5m
timeout connect 1000s
timeout client 5m
timeout server 5m
timeout check 1000s
maxconn 3000000

frontend localnodes
bind *:30000
mode tcp
default_backend nodes
timeout client 1m

backend nodes
balance leastconn
server ins01 127.0.0.1:5000
server ins02 127.0.0.1:6000
server ins03 127.0.0.1:7000
server ins04 127.0.0.1:8000
timeout connect 10s
timeout server 1m

Posts: 1

Participants: 1

Read full topic

Too many connections to backend


@saier wrote:

We want to achieve several 1000 concurrent connections to a webservice, running on Apache Tomcat.
The requests are very short, but there are really many of them.
We are still failing, because connections to backend are always (at least very often) closed and must be reopened.
Therefore connections on the backend servers are opened and closed too often and they run out of ports and cannot handle the amount of requests.
We hoped, the haproxy option “http-reuse always” would solve the problem. But it does not, because a connection to a backend server will be closed,
when the client disconnects, who initially opened the connection.
We already tuned the OS according to https://medium.com/@pawilon/tuning-your-linux-kernel-and-haproxy-instance-for-high-loads-1a2105ea553e
we run haproxy 1.8.13 and apache tomcat 7.0.90, both on linux (ubuntu 16.04)

What else can we do?

here is our (simplified) haproxy.cfg:

global
    log /dev/log local0 notice

    tune.ssl.cachesize          1000000
    tune.ssl.default-dh-param   2048
    ssl-default-bind-options    no-sslv3 no-tls-tickets # force-tlsv12
    ssl-default-bind-ciphers    ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

    maxconn 1000000

    daemon

# Enable the statistics page
listen haproxy-stats-process-1
    bind *:9001
    stats enable
    mode http
    stats realm Haproxy\ Statistics
    stats uri /
    timeout client 60m
    timeout connect 60m
    timeout server 60m

defaults
    mode http

    option httplog
    option dontlognull
    option logasap
    option log-separate-errors
    option log-health-checks
    option dontlog-normal

    option prefer-last-server
    option http-keep-alive
    timeout http-keep-alive 120000
    no option httpclose
    no option http-server-close
    no option forceclose

    http-reuse always
    timeout check 15000
    default-server inter 1s fall 2 rise 2

    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend default_http
    log    global
    mode   http

    bind ipv4@*:80

    default_backend  pool_default_http

    maxconn 500000 # per process!!
    timeout client 30m
    timeout connect 60m
    timeout server 60m

backend pool_default_http
    log     global
    mode    http
    balance static-rr
    hash-type consistent

    option httpchk GET / HTTP/1.1\r\nHost:\ www
    http-check expect status 200
    default-server inter 1s fall 2 rise 2
    http-reuse always
    timeout check 15000

    server test_1 10.205.1.161:8080  maxconn 20 weight 1 check
    server test_2 10.205.1.162:8080  maxconn 20 weight 1 check
    server test_3 10.205.1.163:8080  maxconn 20 weight 1 check
    server test_4 10.205.1.164:8080  maxconn 20 weight 1 check

    timeout client 30m
    timeout connect 1m
    timeout server 60m

Posts: 1

Participants: 1

Read full topic

Throttling from several clients, based on url


@lewe wrote:

Hi,

despite many examples and reading the haproxy docs, I still don’t manage to do the following:

note that we use haproxy 1.5.14

we use haproxy to distribute HTTP requests (roundrobin) over a number of backends.
I would like to limit the number of HTTP requests on the frontend, regardless from which IP address they are coming.

Initially I used something like:

#frontend:
stick-table type ip size 500k expire 2s store http_req_rate(1s)
tcp-request connection track-sc1 src

#backend
timeout tarpit 1000
acl abuse_xxx src_http_req_rate(frontend_name) ge 5
http-request tarpit if abuse_xxx

This worked when sending requests from 1 ip address, in this case allowing 5 requests per second.

As far as I understand, the stick-table type ip counts entries per IP address. We don’t want this, throttling has to be done on the total number of HTTP requests, independent from the client ip.

To throttle on the total, I expect I need to use the url path in some way, as these are the same for each client, only the client ip address differs.

So far I did not manage to do so, when using stick tables with type string, I did not find a way to store entries in this table in the frontend, when adding entries to the backend, socat shows 1 entry per request instead of a total.

so: I need some guidance here 🙂

Leon

Posts: 1

Participants: 1

Read full topic

HTTP redirect backend error


@renato.souza wrote:

Hi Dudes!

I'm starting with HAProxy and I found my first problem. I have a site which works well with direct access, but when I try to access it through HAProxy, some images aren't shown.

The site uses HTTP redirects, as we can see in the logs with the 302 HTTPS response code. Is this the reason?

Sep 10 10:59:10 localhost haproxy[641]: xxx.xxx.xxx.xxx:6999 [10/Sep/2018:10:59:10.000] https-in~ sisjur_servers/sisjur01 0/0/3/15/18 302 510 - - ---- 2/2/1/1/0 0/0 "GET /SISDPVATJUR/App_Themes/img/Msg_erro.jpg HTTP/1.1"
Sep 10 10:59:10 localhost haproxy[641]: xxx.xxx.xxx.xxx:7000 [10/Sep/2018:10:59:10.017] https-in~ sisjur_servers/sisjur01 0/0/2/13/15 302 510 - - ---- 2/2/0/0/0 0/0 "GET /SISDPVATJUR/App_Themes/img/pbar-ani.gif HTTP/1.1"

What can I do to solve this problem?

Thanks in advance!
Renato Souza

Posts: 1

Participants: 1

Read full topic

Problem with IIS 10


@faryspeed wrote:

Hi
I have a Windows Server 2016 running IIS V10
I use this server as a download server
I just want to hide the real IP address of this server using haproxy 1.7.8
here is my haproxy.cfg file

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats timeout 30s
user haproxy
group haproxy
daemon

defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000

frontend http_front
bind *:80
mode http
stats uri /haproxy?stats
default_backend http_back

backend http_back
balance first
mode http
server ServerDL my-server ip:80 check

I receive 503 Service Unavailable !!!
also in the haproxy stats link, in the http_back section, it shows that the server is down!

please help me, I'm new to haproxy

Posts: 7

Participants: 2

Read full topic

OpenWRT reverse Proxy terminating SSL


@ianc wrote:

I’m new to HAProxy and am trying to configure the following:

(1)External HTTPS request-> (2)Home Router -> (3)HAProxy running on OpenWRT ->(4)“Server” on ESP8266 device

(1) The external request will ultimately be coming from WebHooks in IFTTT but for now I’m just trying the request from a web browser

(2) The home router does not have a fixed IP so I’m using NoIP.com ddns to give me a fixed public url (ianpublic.ddns.net:8081). I’ve confirmed I can get through the router using NAT to the ESP server (192.168.1.80:81) - without the HAProxy in the loop.

(3) I’ve installed HAProxy v1.7.8 on an OpenWRT router on the internal private network and redirected the public router NAT entry at it. This will need to terminate the SSL but for now I’d be happy just getting some traffic to pass through HAProxy.

(4) The ESP is a small Wifi enabled device which has a minuscule server running on it. It’s not powerful enough to terminate the SSL itself.

As I said - Step one is to just get HAProxy passing through. Here’s my config file:

global
    maxconn 4096
    daemon
    uid 0
    gid 0

defaults
    mode http
    option forwardfor
    log 127.0.0.1 local0 notice
    maxconn 2000
    timeout connect 5000
    timeout client 50000
    timeout server 50000

listen my_http_proxy
    #frontend http
    bind :8081

    cookie SERVERID insert nocache
    server st1 192.168.1.80:81

I’m not getting any debug info out on the console when using “-D” so I’m really struggling to understand what’s going on. Any help appreciated

Posts: 4

Participants: 2

Read full topic

Log to different files with different backends in ONE frontend


@thomas.scheer wrote:

A short description of the setup:

I have two server farms which differ in name (server1.domain and server2.domain) but share the same frontend (with SSL certificate and same port) …
So the traffic is routed to the backends with

frontend incoming
    bind *:443 ssl crt /usr/local/etc/haproxy/cert/server.pem
    mode http

    # Use backend "backend_linux" for "linux." host.
    # Use backend "backend_windows" for "windows." host.
    acl host_linux   hdr_beg(host) -i linux.
    acl host_windows hdr_beg(host) -i windows.

    use_backend backend_linux if host_linux
    use_backend backend_windows  if host_windows
    default_backend backend_linux

What I now want to have is a different logfile (using rsyslog) for each server farm… like

log 127.0.0.1 local1 debug if host_linux
log 127.0.0.1 local2 debug if host_windows
(this is NOT possible in the current version)

BUT is there any other solution for that problem except to split the incoming traffic to two frontends?

Posts: 2

Participants: 2

Read full topic


Dynamically Lists Server Backend


@williams.perdana wrote:

Can I dynamically list all backend servers using Lua scripts? For example:

Lua Script:

local function choose_backend()
    return "server webserver02 lbwebserver-02.perf.lokal:80 check"
end
core.register_fetches("choose_backend", choose_backend)

HA Configuration:

global
    .... 
    lua-load /usr/sbin/lua-choose-backend.lua

defaults
    ....

frontend WEBSERVERS
    bind 172.18.69.116:9000
    use_backend WEBSERVER01

backend WEBSERVER01
    %[lua.choose_backend]

I had tried that thing, but haproxy says invalid ‘%’ thing.
I don’t want to use the ‘use_backend’ like internet says, because If I use that way, I would have to add the backends everytime my servers grow. I want to dynamically list those servers on the lua

Is that possible ?

Posts: 1

Participants: 1

Read full topic

HaProxy Routing


@caspi wrote:

Hello,

I have a question about correct setup of HAPROXY. I have following situation:

INTERNET ----> FW -----> HAPROXY ----> BACKEND SERVER

HAPROXY has two interfaces, outside 172.16.1.1 and inside 192.168.1.1.

The DNS records are pointing to the OUTSIDE interface; there is a KEEPALIVED address.

Everything works except access to the published site from the backend server (from the backend server I am not able to display its own website; that problem will be on all hosts in the same subnet). The request is going over the router to the outside interface and then back to inside. How to solve this situation?

I can point DNS to the inside interface but then one interface is used as incoming and outgoing interface.

Can someone help me?

Rob.

Posts: 1

Participants: 1

Read full topic

HTTP Security headers for error pages


@Bruno wrote:

Hello,

I’ve seen this article: Neatly bypassing CSP. And it appears that the error pages served by haproxy can be used to bypass some Content-Security-Policy rules.

It looks like it should be possible to customize the error from haproxy with the errorfile command, but it’s tedious to do that for each HTTP status code. Is it possible to add an HTTP header for all the error pages served by haproxy without having to edit the error for each status code?

And maybe the haproxy developers should consider having X-Frame-Options: DENY by default for the error pages. I’m not sure, but it looks like a good default.

Posts: 1

Participants: 1

Read full topic
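One way to take the tedium out of the per-status `errorfile` approach the post describes, as an added example (not the poster's or the HAProxy project's code): generate every error page with the same security headers and emit the matching `errorfile` lines. The status codes are the ones in the `errorfile` lines of the configs quoted on this page; the function names, the extra `Content-Security-Policy` header and the size limit are assumptions of this example.

```python
import html
import os
import tempfile

# Status codes taken from the errorfile lines in the configs quoted on this page.
STATUS_REASONS = {
    400: "Bad Request",
    403: "Forbidden",
    408: "Request Time-out",
    500: "Internal Server Error",
    502: "Bad Gateway",
    503: "Service Unavailable",
    504: "Gateway Time-out",
}

# X-Frame-Options: DENY is the header the post proposes; the CSP
# frame-ancestors directive is an addition made by this example.
SECURITY_HEADERS = [
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "frame-ancestors 'none'"),
]

# Assumption: keep each file well under HAProxy's default buffer size.
MAX_ERRORFILE_BYTES = 16384


def build_errorfile(code, extra_headers=SECURITY_HEADERS):
    """Return the raw HTTP response HAProxy serves verbatim for `code`."""
    reason = STATUS_REASONS[code]
    headers = [
        ("Cache-Control", "no-cache"),
        ("Connection", "close"),
        ("Content-Type", "text/html"),
    ] + list(extra_headers)
    for name, value in headers:
        # A CR or LF inside a header would split the response in two.
        if any(c in name + value for c in "\r\n"):
            raise ValueError("CR/LF not allowed in header %r" % name)
    body = "<html><body><h1>%d %s</h1></body></html>\n" % (code, html.escape(reason))
    head = "HTTP/1.0 %d %s\r\n" % (code, reason)
    head += "".join("%s: %s\r\n" % h for h in headers)
    raw = (head + "\r\n" + body).encode("ascii")
    if len(raw) > MAX_ERRORFILE_BYTES:
        raise ValueError("error page for %d is too large" % code)
    return raw


def write_errorfiles(directory):
    """Write <code>.http for every status and return the errorfile lines."""
    lines = []
    for code in sorted(STATUS_REASONS):
        path = os.path.join(directory, "%d.http" % code)
        with open(path, "wb") as fh:
            fh.write(build_errorfile(code))
        lines.append("errorfile %d %s" % (code, path))
    return lines


if __name__ == "__main__":
    # Demo run into a throwaway directory; point it at the real errors
    # directory (for example /etc/haproxy/errors) when deploying.
    with tempfile.TemporaryDirectory() as tmp:
        print("\n".join(write_errorfiles(tmp)))
```

The returned lines go into the `defaults` section, so every frontend and backend inherits the same hardened pages.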

Apache Creating Non HTTPS Link When Using SSL Termination


@Magnetion wrote:

HAProxy noob here! Setup has been straight forward so far, but I have one issue I can not seem to solve. I am using SSL Termination with HAProxy and have that working. But, the Apache backends are creating non HTTPS links when serving pages, causing browsers to note something is up. I have thrown the sink at it so far, with no luck. Version is: HA-Proxy version 1.8.13-1ppa1~bionic 2018/08/01

Current config file:

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    ssl-server-verify none
    tune.ssl.default-dh-param 2048

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend www-http
    bind *:80
    bind *:443 ssl crt /etc/ssl/haproxy/XXXXXXX.pem

    option http-server-close
    http-request add-header X-Forwarded-Proto https
    http-request set-header X-SSL %[ssl_fc]
    http-response add-header Strict-Transport-Security max-age=31536000

    # Test URI to see if its a letsencrypt request
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl

    mode http
    default_backend apache

backend letsencrypt-backend
    server letsencrypt 127.0.0.1:8888

backend apache
    redirect scheme https if !{ ssl_fc }
    mode http
    balance roundrobin
    option forwardfor
    option httpclose
    http-request add-header X-Forwarded-Proto https
    http-request set-header X-SSL %[ssl_fc]
    http-response add-header Strict-Transport-Security max-age=31536000

    server web1 cluster2-web-01:80
    server web2 cluster2-web-02:80

listen stats
    bind :32700
    stats enable
    stats uri /
    stats hide-version
    stats auth XXX:XXX

Posts: 1

Participants: 1

Read full topic

Haproxy LoadBalancer for Entire WHM


@kingkonghost wrote:

hi
i have a whm server that i need to fully hide the ip address of this server.
i setup haproxy 1.7.8 on vps
then i add this configuration :
global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats timeout 30s
user haproxy
group haproxy
daemon

defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000

frontend http_front
bind *:80
mode http
stats uri /haproxy?stats
default_backend http_back

backend http_back
balance first
mode http
server whm ***.***.***.***:80 check

i found this configuration in some tutorial but i need the missing part of this config
i check my whm server with port scan and now i know what ports should be in this config
here is the result :


please help me to complete the config file of haproxy

Posts: 1

Participants: 1

Read full topic

Backend server cooldown


@stickjam wrote:

Hello,

I was wondering if it was possible with HAProxy to allow only one connection per backend server followed by a type of ‘cooldown’ which temporarily disables that particular backend server for a period of time. Another way to describe would be only allowing one connection per X time (not per one second which maxconnrate seems to do).

If anyone could shed some light on this, that would be great!

Thanks!

Posts: 2

Participants: 2

Read full topic

Capturing Incoming RTMP Data?


@rayj00 wrote:

So, I use HAproxy to redirect rtmp. (or forward…not sure which one describes what I am doing?)

Currently I send rtmp as such: rtmp://“serverIP”:1935/stream HAproxy handles this properly.

However, now I want to send rtmp://“serverIP”:1935/stream/“stream key”. The stream key can be a name or number. My Media Server does not actually use the stream key. However, I want to use it as an identifier of who is sending the rtmp. So in HAproxy, I want to take the “stream key” and shove it in a variable that the bash shell can read. Then I use this variable to construct a file name when I create an mp4 out of a live stream. I hope what I am wanting to do this makes sense?

Can this be done? Can HAproxy take the incoming rtmp and grab what comes after /stream/ and save it in a variable that a shell script can read?

Posts: 4

Participants: 2

Read full topic


Single TCP port forward with haproxy


@orion777 wrote:

Due to network configuration I need to re-create the TCP connection with specific port, say, 5555, like:
source NIC 192.168.10.70 -> NAT server with proxy 192.168.10.1 - haproxy - 213.100.60.20 -> WAN destination server 213.100.70.30

So, haproxy must listen port 5555 on eth0 192.168.10.1 and automatically redirect this TCP flow to 213.100.70.30:5555 over eth1 213.100.60.20.
The remaining traffic should be routed via typical NAT (shorewall) to be able to access the internet (this is optional, but desirable).

To do this I was trying to make such haproxy.cfg
cat /etc/haproxy/haproxy.cfg
global

daemon

maxconn 10

defaults
mode tcp
timeout connect 5000ms
timeout client 10000ms
timeout server 10000ms

frontend tcp-in
bind 192.168.10.0:14550
default_backend servers

backend servers
server server1 213.100.70.30:5555 maxconn 32

The haproxy has been started with such options:

haproxy -f /etc/haproxy/haproxy.cfg -V

The TCP connection has been made from the source NIC 192.168.10.70 to 192.168.10.1:5555, but the connection was not established with the destination 213.100.70.30

Since I’m new, I’m asking for help. Thank you.

Posts: 2

Participants: 2

Read full topic

Help me please, i try HAproxy on my computer with VMware


@Grooth wrote:

i still try common HAproxy configuration on my computer, after i have stupid problem because my fault before now i have another problem. and here is my servers configuration. this is OFFLINE and using LOCALHOST.

server1 using IP: 10.10.10.2/29
server2 using IP: 10.10.10.3/29
server3 using IP: 10.10.10.4/29
all server using host name: jarkom

my load balancing using IP: 172.23.23.5/29

my firewall and connection i think on good condition because all of them can pinging each other.

and here my HAproxy script:

root@ubuntu:/home/jarkom# cat /etc/haproxy/haproxy.cfg
global
log 127.0.0.1 local0 notice
maxconn 2000
user jarkom
group jarkom
daemon

defaults
mode http

frontend http-in
bind 172.23.23.5:80
default_backend webservers
timeout connect 100
timeout client 100
timeout server 100

backend webservers
server web01 10.10.10.2:80
server web02 10.10.10.3:80
server web03 10.10.10.4:80
balance roundrobin
timeout connect 100
timeout client 100
timeout server 100

and then when this error show to me…

● haproxy.service - HAProxy Load Balancer
Loaded: loaded (/lib/systemd/system/haproxy.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2018-09-15 21:39:07 WIB; 2min 51s ago
Docs: man:haproxy(1)
file:/usr/share/doc/haproxy/configuration.txt.gz
Process: 3928 ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q $EXTRAOPTS (code=exited, status=0/SUCCESS)
Main PID: 3929 (haproxy)
Tasks: 2 (limit: 2307)
CGroup: /system.slice/haproxy.service
├─3929 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
└─3930 /usr/sbin/haproxy -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid

Sep 15 21:39:07 ubuntu systemd[1]: Starting HAProxy Load Balancer…

Sep 15 21:39:07 ubuntu haproxy[3929]: [WARNING] 257/213907 (3929) : parsing [/etc/haproxy/haproxy.cfg:14] : 'timeout connect' will be ignored because frontend 'http-in'
Sep 15 21:39:07 ubuntu haproxy[3929]: [WARNING] 257/213907 (3929) : parsing [/etc/haproxy/haproxy.cfg:16] : 'timeout server' will be ignored because frontend 'http-in'
Sep 15 21:39:07 ubuntu haproxy[3929]: [WARNING] 257/213907 (3929) : parsing [/etc/haproxy/haproxy.cfg:24] : 'timeout client' will be ignored because backend 'webservers
Sep 15 21:39:07 ubuntu systemd[1]: Started HAProxy Load Balancer.

when i try on browser, i check with load balancing IP but that is error “503” thats said cant reach server.

can someone explain me what wrong with my work?.. i will be appreciate if u tell me where is the wrong… thanks a lot for your attention and i hope god will be with u forever… 😇

Posts: 1

Participants: 1

Read full topic

HaProxy vs NGINX


@Sahand wrote:

I have made some tests with Apache benchmark and the results were pretty clear that HaProxy was faster in requesting the requests, but on the other hand Nginx was using much less CPU than HaProxy can any one tell me whats the reason for this 2 results???

Thank you

Posts: 1

Participants: 1

Read full topic

Haproxy redirect on 443


@mysticalunicorn wrote:

I was using .htaccess to redirect users to cloud.

Here is my config in apache mod. I put in some dummy urls. It needs to redirect on port 443.
I need to switch over to HAProxy. I am using the latest stable haproxy, 1.8

Options +FollowSymLinks
RewriteEngine on
RewriteRule ^token. https://123.testing.io:443/oauth/token [R=301,L]
RewriteRule ^test2.* https://345.testing.io:443/svc/device/dev?limit=100 [R=301,L]
RewriteRule ^test3.$ https:/456.testing.io:443/svc/v1/com/devices [R=307,L]

so basically when someone goes to the server with /token it forwards them to the cloud url on port 443. The requests are also being sent on port 443.
cant figure out how to get these to work in haproxy. backend needs IP not url.
These urls are in aws cloud, I cannot use IP address only url.
can someone assist please.
thank you.

Posts: 1

Participants: 1

Read full topic

Logging options not as expected


@dsgnr wrote:

Hey,

I am attempting to integrate Fail2Ban with HAProxy like I do with my existing Nginx proxy.

Here’s a Pastebin to my HAProxy configuration: https://pastebin.com/GWBhJunf

Currently, my logs are outputting like:

    Sep 18 06:40:24 localhost haproxy[19962]: 10.50.3.8:54171 [18/Sep/2018:06:40:22.712] SSLFrontend~ Unifi/unifi.domain.cloud 0/48/1502 297 -- 1/1/0/0/0 0/0

However, I’d like to get the logging to look like my Nginx logs:

    <IP REDACTED> - - [17/Sep/2018:06:26:02 +0000] "GET /api/self/sites HTTP/2.0" 200 486 "https://unifi.domain.cloud/manage/site/default/dashboard" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.81 Safari/537.36"

    <IP REDACTED> - - [18/Sep/2018:06:47:02 +0000] "POST /api/login HTTP/2.0" 400 158 "https://unifi.domain.cloud/manage/account/login?redirect=%2Fmanage" "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X) AppleWebKit/604.1.34 (KHTML, like Gecko) CriOS/68.0.3440.83 Mobile/16A366 Safari/604.1"

200 obviously means everything is OK, but the 400 code represents a failed login attempt, where I can then integrate Fail2Ban jails.

I’ve looked at the docs: https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#8 and tried option httplog as well as TCP logs.

Is anyone able to advise? Maybe I’m missing something simple.

Posts: 1

Participants: 1

Read full topic
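The detection this post is after, as an added example (not the poster's or the HAProxy project's code): it assumes the frontend runs in `mode http` with `option httplog`, parses that default log layout, and flags client IPs with repeated 400 responses to `POST /api/login`. The sample lines (apart from the TCP-format line quoted in the post), the function names and the `maxretry`/`findtime` thresholds are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Default "option httplog" layout. The TCP-format line shown in the post has
# no status code or request line, so it deliberately does not match.
HTTPLOG_RE = re.compile(
    r'haproxy\[\d+\]: (?P<ip>[0-9a-fA-F.:]+):\d+ \[(?P<ts>[^\]]+)\] '
    r'\S+ \S+/\S+ [\d/+-]+ (?P<status>\d{3}|-1) \+?\d+ '
    r'\S+ \S+ \S{4} \S+ \S+ (?:\{[^}]*\} )*'
    r'"(?P<method>\S+) (?P<path>\S+)'
)

# The line quoted in the post (TCP log format).
TCPLOG_LINE = (
    'Sep 18 06:40:24 localhost haproxy[19962]: 10.50.3.8:54171 '
    '[18/Sep/2018:06:40:22.712] SSLFrontend~ Unifi/unifi.domain.cloud '
    '0/48/1502 297 -- 1/1/0/0/0 0/0'
)

# Constructed httplog lines; addresses come from documentation ranges.
_PREFIX = 'Sep 18 06:47:02 localhost haproxy[19962]: '
_MID = ' SSLFrontend~ Unifi/unifi.domain.cloud 0/0/1/12/13 '
_TAIL = ' - - ---- 2/2/0/0/0 0/0 '
SAMPLE_LINES = [
    _PREFIX + '203.0.113.7:40112 [18/Sep/2018:06:47:02.101]' + _MID
    + '400 158' + _TAIL + '"POST /api/login HTTP/1.1"',
    _PREFIX + '203.0.113.7:40113 [18/Sep/2018:06:47:09.500]' + _MID
    + '400 158' + _TAIL + '"POST /api/login HTTP/1.1"',
    _PREFIX + '198.51.100.9:51000 [18/Sep/2018:06:47:15.000]' + _MID
    + '400 158' + _TAIL + '"POST /api/login HTTP/1.1"',
    _PREFIX + '203.0.113.7:40114 [18/Sep/2018:06:47:20.250]' + _MID
    + '200 486' + _TAIL + '"GET /api/self/sites HTTP/1.1"',
    _PREFIX + '203.0.113.7:40115 [18/Sep/2018:06:47:31.900]' + _MID
    + '400 158' + _TAIL + '"POST /api/login?redirect=x HTTP/1.1"',
    TCPLOG_LINE,
]


def parse_httplog(line):
    """Return the fields needed for detection, or None if not httplog."""
    m = HTTPLOG_RE.search(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S.%f"),
        "status": int(m.group("status")),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # ignore the query string
    }


def failed_login_offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """IPs with >= maxretry failed logins inside findtime (lines in time order)."""
    recent = defaultdict(deque)
    offenders = set()
    for line in lines:
        ev = parse_httplog(line)
        if ev is None or ev["status"] != 400:
            continue
        if ev["method"] != "POST" or ev["path"] != "/api/login":
            continue
        window = recent[ev["ip"]]
        window.append(ev["time"])
        while ev["time"] - window[0] > findtime:
            window.popleft()  # drop failures older than the window
        if len(window) >= maxretry:
            offenders.add(ev["ip"])
    return sorted(offenders)


if __name__ == "__main__":
    print(failed_login_offenders(SAMPLE_LINES))
```

The same regular expression, with the address captured as the host, is the shape a Fail2Ban `failregex` needs once the logs carry the status code and request line.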
