Channel: HAProxy community - Latest topics

"Backend has no server available!" redirect to haproxy.log

@zeusz4u wrote:

I’ve enabled using the backend server with the “check” option to see when it’s down/up in the stats page. However, whenever the backend server is taken down for a restart or maintenance, the output is generated on the main SSH console instead of being redirected to the haproxy logfile:

Message from syslogd@localhost at Oct 31 06:16:13 ...
   haproxy[18509]: backend backend-server has no server available!

I’m using this option in the global configuration section:

log         127.0.0.1 local2 debug

In the rsyslog.conf I’ve made the following modifications to redirect haproxy logging to /var/log/haproxy.log - enabled UDP module to receive activity from Haproxy, and redirected local2 to the desired logfile. All other activity, like handshake errors, tcplog goes there, but this notification somehow ended up in the main SSH console :smile:

# Provides UDP syslog reception
$ModLoad imudp
$UDPServerRun 514
$AllowedSender UDP, 127.0.0.1

# Save HAProxy messages to haproxy.log
local2.*                                                /var/log/haproxy.log

Any help is appreciated.

Posts: 1

Participants: 1

Read full topic
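HAProxy logs "backend X has no server available!" at syslog severity emerg, and stock rsyslog configurations carry a rule of the form `*.emerg :omusrmsg:*` that broadcasts every emergency-level message to all logged-in terminals, which is exactly the "Message from syslogd@localhost" wall text seen on the SSH session. The following rsyslog.conf fragment is an added example, not taken from the post: it keeps the poster's UDP input and local2 file rule, and excludes local2 from the console broadcast. The `& stop` form assumes rsyslog 7 or newer (older releases spell it `& ~`), and the position of the `*.emerg` rule in the poster's file is assumed.

```rsyslog
# Provides UDP syslog reception (as in the original post)
$ModLoad imudp
$UDPServerRun 514
$AllowedSender UDP, 127.0.0.1

# Route every HAProxy message (facility local2) to its own file, then stop
# processing further rules for it, so it never reaches the console rule below
# (nor /var/log/messages). Drop the "& stop" line if a copy in messages is wanted.
local2.*                                                /var/log/haproxy.log
& stop

# Default console broadcast of emergency messages. Excluding local2 here is a
# second safeguard in case the rule order above ever changes.
*.emerg;local2.none                                     :omusrmsg:*
```

After restarting rsyslog, `logger -p local2.emerg "haproxy routing test"` should land in /var/log/haproxy.log and no longer appear on any terminal; a real outage can be confirmed by watching that file while one backend server is stopped.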


Filtering rules on subsites - NSX LB

@Hjelmar wrote:

Hi

I am trying to accomplish the following in an NSX Load balancer (the NSX documentation refers to HAProxy, so I’m asking here :slight_smile:):

I have a website - www.website.com/cloud in the /cloud there is an admin interface which I want to restrict access to with a whitelist.

Sites AFTER /Cloud/ shouldn’t be blocked - so all other sites on “website.com/cloud/*” should be accessible to all

If I use this rule below, it works - but blocks everything that contains cloud:

acl is_cloud path_beg -i /cloud/

acl whitelist src [IP ADDRESSES]

block if is_cloud !whitelist

Is it possible to block access to only /cloud/ and not all other sites?

/Kenneth

Posts: 1

Participants: 1

Read full topic
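The rule in the post blocks every sub-path because `path_beg` is a prefix match. An exact match on the path restricts only the admin entry point. The fragment below is an added example, not from the post or the NSX documentation; the frontend and backend names, the whitelist addresses and the backend server are constructed placeholders, and it assumes the NSX application-rule language accepts this HAProxy syntax as the poster's own rule suggests.

```haproxy
frontend www
    bind *:80

    # Exact match on the admin entry point only. "path" compares the whole path
    # (query string excluded), so /cloud/anything-else does not match; the poster's
    # "path_beg -i /cloud/" is a prefix match and therefore caught every sub-path.
    acl is_cloud_admin path -i /cloud /cloud/

    # Constructed example addresses; replace with the real operator ranges.
    acl whitelist src 203.0.113.0/24 198.51.100.7

    # "block" is the deprecated spelling of this rule; http-request deny answers 403.
    http-request deny if is_cloud_admin !whitelist

    default_backend app

backend app
    server app1 10.0.0.10:80 check
```

Before relying on this, list the URLs the admin interface actually serves: if it also lives under a prefix such as /cloud/admin/, add a `path_beg` ACL for that prefix to `is_cloud_admin`, otherwise only the landing page is guarded while the admin functions stay reachable.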

WAF solution for HAProxy Community

@afagund wrote:

Hello,

Is there any WAF solution that works with HAProxy Community?

Thanks!
Andre Fagundes

Posts: 2

Participants: 2

Read full topic

The old process will not terminate about a few days after haproxy reload

@gzouxu wrote:

  • Haproxy version
    haproxy -v
    HA-Proxy version 1.5.18 2016/05/10
    Copyright 2000-2016 Willy Tarreau willy@haproxy.org

  • I want to refresh the haproxy configuration without any interruption, so when I edit the haproxy.cfg file I do the service haproxy reload action. But some old processes are still not terminated after a few days:

cps 891 1 0 Oct30 ? 00:13:39 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /etc/haproxy/haproxy.pid
cps 892 1 0 Oct30 ? 00:13:42 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /etc/haproxy/haproxy.pid
cps 893 1 0 Oct30 ? 00:13:44 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /etc/haproxy/haproxy.pid
cps 894 1 0 Oct30 ? 00:13:45 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /etc/haproxy/haproxy.pid
cps 1059 1 0 Oct31 ? 00:09:07 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /etc/haproxy/haproxy.pid
cps 1061 1 0 Oct31 ? 00:09:06 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /etc/haproxy/haproxy.pid
cps 1062 1 0 Oct31 ? 00:09:09 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /etc/haproxy/haproxy.pid
cps 1063 1 0 Oct31 ? 00:09:08 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /etc/haproxy/haproxy.pid
cps 6385 1 0 Oct25 ? 00:44:45 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /etc/haproxy/haproxy.pid
cps 6387 1 0 Oct25 ? 00:46:08 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /etc/haproxy/haproxy.pid
cps 6388 1 0 Oct25 ? 00:46:15 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /etc/haproxy/haproxy.pid
cps 6390 1 0 Oct25 ? 00:47:05 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /etc/haproxy/haproxy.pid
cps 15206 1 0 Oct26 ? 00:41:27 /usr/sbin/haproxy -p /var/run/haproxy.pid -D -f /etc/haproxy/haproxy.cfg -sf 21877 21878 21879 21880
cps 15208 1 0 Oct26 ? 00:41:53 /usr/sbin/haproxy -p /var/run/haproxy.pid -D -f /etc/haproxy/haproxy.cfg -sf 21877 21878 21879 21880
cps 15209 1 0 Oct26 ? 00:41:48 /usr/sbin/haproxy -p /var/run/haproxy.pid -D -f /etc/haproxy/haproxy.cfg -sf 21877 21878 21879 21880
cps 15210 1 0 Oct26 ? 00:41:31 /usr/sbin/haproxy -p /var/run/haproxy.pid -D -f /etc/haproxy/haproxy.cfg -sf 21877 21878 21879 21880
cps 16608 1 0 Oct30 ? 00:13:28 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /etc/haproxy/haproxy.pid
cps 16610 1 0 Oct30 ? 00:13:31 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /etc/haproxy/haproxy.pid
cps 16613 1 0 Oct30 ? 00:13:32 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /etc/haproxy/haproxy.pid
cps 16616 1 0 Oct30 ? 00:13:29 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /etc/haproxy/haproxy.pid
cps 25144 1 0 Oct30 ? 00:13:41 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /etc/haproxy/haproxy.pid
cps 25145 1 0 Oct30 ? 00:13:42 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /etc/haproxy/haproxy.pid
cps 25146 1 0 Oct30 ? 00:13:43 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /etc/haproxy/haproxy.pid
cps 25147 1 0 Oct30 ? 00:13:45 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /etc/haproxy/haproxy.pid
cps 26476 1 0 Oct30 ? 00:13:39 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /etc/haproxy/haproxy.pid
cps 26478 1 0 Oct30 ? 00:13:36 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /etc/haproxy/haproxy.pid
cps 26479 1 0 Oct30 ? 00:13:38 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /etc/haproxy/haproxy.pid
cps 26480 1 0 Oct30 ? 00:13:40 /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /etc/haproxy/haproxy.pid

  • Does anybody have any ideas to resolve this issue?

Posts: 2

Participants: 2

Read full topic

Logging both TCP connect and disconnect

@kelner wrote:

Good day!
Unfortunately I could not find a method which allows recording in the log both frontend connection and frontend disconnection events. When the TCP session is short it is not a problem, but when the TCP session is long, IMHO both a start record and a stop record are needed.

Playing with logs.logwait in /src/diff stream.c I reached the desired effect, but I am not a specialist and don’t like hacks :slight_smile: IMHO it would be better if we had in the config something like two independent options, option logstart and option logstop, instead of option logasap.

Thank you in advance.

Posts: 1

Participants: 1

Read full topic

Routing http requests through HAproxy as Load balancer

@Santhosh.Patil wrote:

We have a policy URL that uses the custom URL of the appliance and cannot be changed, as it uses the appliance FQDN for the HTTPS requests. All client applications and the HAProxy load balancer are on the same VLAN. We have configured the frontend of the HAProxy load balancer with its IP, and in the backend we have configured the appliance IP and FQDN with the port number.
If we add the host entry of the actual backend appliance on the client nodes it can be reached; however, since they are in the same VLAN, if we remove it and add the virtual IP attached to the HAProxy load balancer
we are not able to reach it and get the error "unable to resolve host name".
We have the DNS entries for the backend servers and also the virtual IP.
Please help.

Thanks

Posts: 1

Participants: 1

Read full topic

400 Bad request

@rhada wrote:

Hello,

I have an issue i can’t achieve to fix.

My proxy takes requests with a custom header to authenticate users. For some reason, some requests are rejected by the proxy with a 400 error. A "show errors" on the socket makes me think that the custom header is causing the error (I have replaced sensitive data):

 # echo "show errors" | socat /var/lib/haproxy/stats stdio
Total events captured on [02/Nov/2018:11:59:39.817] : 35
 
[02/Nov/2018:11:57:54.645] frontend http (#4): invalid request
  backend <NONE> (#-1), server <NONE> (#-1), event #34
  src xx.xx.xx.xx:xxxx, session #8587, session flags 0x00000080
  HTTP msg state MSG_RQMETH(2), msg flags 0x00000000, tx flags 0x84000000
  HTTP chunk len 0 bytes, HTTP body len 0 bytes
  buffer flags 0x00808002, out 0 bytes, total 25 bytes
  pending 25 bytes, wrapping at 16384, error at position 8:
 
  00000  MSP-CLID: xxxxxxxxxxxxxx\r\n
  00023  \r\n

One thing I can’t explain: the custom header is X-MSP-CLID, but the error shows MSP-CLID. Is there a good reason?
A network capture shows the full header as intended.

Most of the requests are well forwarded, only some are rejected

If I set option accept-invalid-http-request the problem persists.

Can someone help me to sort out this issue?

Posts: 2

Participants: 2

Read full topic

TCP Proxy failed after enabling httpchk

@the_Uli wrote:

Dear HAProxy community,

I get a strange problem with my TCP Proxy config.
My health check works and the backend servers are online on the HAProxy stats page.

But I get this error in my web browser: “SSL_ERROR_RX_RECORD_TOO_LONG”
If I remove “ssl verify none” and the “httpchk” the TCP Proxy works fine and the website goes online.

My problem now: I need to check the backend with the HTTP status and I need the TCP Proxy (proprietary backend…)

frontend ft_webapp_tcp
bind *:443 name https
default_backend bk_webapp_tcp

backend bk_webapp_tcp
mode tcp
balance roundrobin
option httpchk GET /webapp/check.html
http-check expect status 200

server web1 192.168.10.104:443 maxconn 10000 check ssl verify none
server web2 192.168.10.105:443 maxconn 10000 check ssl verify none

Wireshark response
(ClientIP) -> (HAProxy IP) -> TLSv1 -> Client Hello
(HAProxy IP) -> (ClientIP) -> HTTP -> HTTP/1.1 400 Bad Request (text/html)

Does anyone have an idea?

HA-Proxy version 1.8.8-1ubuntu0.2 2018/10/02
Copyright 2000-2018 Willy Tarreau <willy@haproxy.org>

    Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -g -O2 -fdebug-prefix-map=/build/haproxy-1p70ey/haproxy-1.8.8=. -fstack-protector-strong     -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2
  OPTIONS = USE_GETADDRINFO=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_LUA=1     USE_SYSTEMD=1 USE_PCRE=1 USE_PCRE_JIT=1 USE_NS=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200
  
Built with OpenSSL version : OpenSSL 1.1.0g  2 Nov 2017
Running on OpenSSL version : OpenSSL 1.1.0g  2 Nov 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.3
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND
Encrypted password support via crypt(3): yes
Built with multi-threading support.
Built with PCRE version : 8.39 2016-06-14
Running on PCRE version : 8.39 2016-06-14
PCRE library supports JIT : yes
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with network namespace support.

    Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available filters :
        [SPOE] spoe
        [COMP] compression
        [TRACE] trace

best regards,
the_Uli

Posts: 4

Participants: 2

Read full topic
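The Wireshark capture in the post shows the symptom precisely: the client sends a TLS ClientHello and gets a plain-text HTTP 400 back, which the browser reports as SSL_ERROR_RX_RECORD_TOO_LONG. The cause is that `ssl` on a server line applies to all traffic to that server, not just the health check, so in `mode tcp` HAProxy wraps the client's already-encrypted bytes in a second TLS session and the backend sees a raw ClientHello where it expects HTTP. The corrected backend below is an added example rather than the poster's configuration; it keeps the poster's addresses and check path and assumes the frontend should be `mode tcp` as well.

```haproxy
frontend ft_webapp_tcp
    # The mode must match the backend, otherwise HAProxy refuses the config.
    mode tcp
    bind *:443 name https
    default_backend bk_webapp_tcp

backend bk_webapp_tcp
    mode tcp
    balance roundrobin
    option httpchk GET /webapp/check.html
    http-check expect status 200

    # "check-ssl" restricts TLS to the health-check connection only; the proxied
    # client bytes are passed through untouched. "ssl" would re-encrypt them.
    # "verify none" accepts any backend certificate for the check; once the
    # backends have a proper CA, prefer "verify required ca-file <ca.pem>".
    server web1 192.168.10.104:443 maxconn 10000 check check-ssl verify none
    server web2 192.168.10.105:443 maxconn 10000 check check-ssl verify none
```

A quick confirmation after reloading: the stats page should still show both servers UP from the HTTPS check, and a new capture should show TLS records, not HTTP, flowing back to the client.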


Mysql integration for ip lookup

@jbrahy wrote:

What’s the best way to integrate a table of IP blocks (ip_from, ip_to, ip_status) into haproxy? I want to return 403 when status = 0. ip_from and ip_to are numerical values using the mysql method INET_ATON(‘ip address’). I do my lookups by selecting where INET_ATON(‘ip address’) > ip_from limit 1.

Posts: 1

Participants: 1

Read full topic
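HAProxy does not query a database per request; the usual pattern is to export the table into a pattern file that an ACL loads at startup and that can be updated at runtime over the stats socket. The fragment below is an added example, not from the post: the file name, frontend and backend are constructed, and it assumes the export script (not shown) converts each (ip_from, ip_to) range with ip_status = 0 into CIDR prefixes, because the `src` ACL matches prefixes, not integer ranges.

```haproxy
frontend www
    bind *:80

    # blocked_ips.lst holds one CIDR prefix per line (constructed file name).
    # A range must be split into the minimal set of prefixes covering it, e.g.
    # 10.0.0.0-10.0.0.255 -> 10.0.0.0/24 and
    # 10.0.0.5-10.0.0.9   -> 10.0.0.5/32 10.0.0.6/31 10.0.0.8/31
    acl ip_blocked src -f /etc/haproxy/blocked_ips.lst

    # Reject matching clients with 403 before anything reaches the backend.
    http-request deny deny_status 403 if ip_blocked

    default_backend app

backend app
    server app1 10.0.0.10:8080 check
```

Individual entries can be added or removed without a reload with `add acl /etc/haproxy/blocked_ips.lst 192.0.2.0/24` or `del acl ...` sent to the stats socket; a full regeneration of the file still needs a reload. Note that `src` is the peer address of the TCP connection, so if another proxy sits in front of HAProxy this must be changed to the forwarded client address, and only if that upstream is trusted to set it.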

Cannot bind socket

@Tinnick wrote:

I get the error “cannot bind socket [:::#port]” when trying to open a new port.
I can confirm that no other service is using that port but that does not seem to be the case.

I’ve encountered the same problem a few weeks ago but managed to find a bind-able port.

This time none of my guesses are doing any good.

This is how my configuration file looks:

#---------------------------------------------------------------------
# Example configuration for a possible web application.  See the
# full configuration options online.
#
#   http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events.  This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #   file. A line like the following can be added to
    #   /etc/sysconfig/syslog
    #
    #    local2.*                       /var/log/haproxy.log
    #
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------

frontend  service1-in
        bind :::80 v4v6
        default_backend service1

frontend service2-in
        bind :::8080 v4v6
        default_backend service2

frontend service3-in
        bind :::9000 v4v6
        default_backend service3

frontend NAS-in
        bind :::8282 v4v6
        default_backend NAS

backend service2
        server service2 192.168.5.55:8080 check

backend portal
        server service1 192.168.5.58:80 check
#       server service1 192.168.5.57:80 check

backend service3
        server service3 192.168.5.65:80 check

backend NAS
        server NAS 192.168.5.254:80 check

#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
#backend static
#    balance     roundrobin
#    server      static 127.0.0.1:4331 check

#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
#backend app
#   balance     roundrobin
#   server  app1 127.0.0.1:5001 check
#   server  app2 127.0.0.1:5002 check
#   server  app3 127.0.0.1:5003 check
#   server  app4 127.0.0.1:5004 check

Error message:

[root@haproxy jp]# systemctl status haproxy
● haproxy.service - HAProxy Load Balancer
   Loaded: loaded (/usr/lib/systemd/system/haproxy.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since 月 2018-11-05 02:45:01 EST; 2s ago
  Process: 115915 ExecStart=/usr/sbin/haproxy-systemd-wrapper -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid $OPTIONS (code=exited, status=1/FAILURE)
 Main PID: 115915 (code=exited, status=1/FAILURE)

11月 05 02:45:01 haproxy systemd[1]: Started HAProxy Load Balancer.
11月 05 02:45:01 haproxy systemd[1]: Starting HAProxy Load Balancer...
11月 05 02:45:01 haproxy haproxy-systemd-wrapper[115915]: haproxy-systemd-wrapper: executing /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /ru...pid -Ds
11月 05 02:45:01 haproxy haproxy-systemd-wrapper[115915]: [ALERT] 308/024501 (115916) : Starting frontend NAS-in: cannot bind socket [:::8282]
11月 05 02:45:01 haproxy haproxy-systemd-wrapper[115915]: haproxy-systemd-wrapper: exit, haproxy RC=1
11月 05 02:45:01 haproxy systemd[1]: haproxy.service: main process exited, code=exited, status=1/FAILURE
11月 05 02:45:01 haproxy systemd[1]: Unit haproxy.service entered failed state.
11月 05 02:45:01 haproxy systemd[1]: haproxy.service failed.
Hint: Some lines were ellipsized, use -l to show in full.

Thanks in advance.

Julian

Posts: 2

Participants: 2

Read full topic

HAProxy 1.8 Config reload issues

@Gris13 wrote:

Upon switching to 1.8.14 from 1.6 we’ve been made aware that one of our backends has been redirecting to our maintenance page, and the redirects correlate with config reloads.

This is the portion of our haproxy config that we are falling into, we believe.

backend sslservice
acl NOT_ENOUGH_CAPACITY nbsrv(sslservice) le 0
redirect location {{ maintenance_url }} if NOT_ENOUGH_CAPACITY

We currently poll our autoscaling groups for any new/removed machines and update our haproxy config using a python script that runs every 4 minutes via a cron job. This is the method by which we’ve been updating our haproxy config since before I joined.

As an immediate need we are looking to find the best way to stop these maintenance pages during reloads, so we tested out HAProxy Hitless Reloads. But we still have the issue of what seems to be no available backends on config reloads. I’m not 100% sure that we’ve properly configured it, but the following are excerpts from our configs.

Stats socket:

stats socket /var/lib/haproxy/stats expose-fd listeners

Enabling master-worker:

chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 1000000
user haproxy
group haproxy
daemon
master-worker

Am I missing something here?

Posts: 1

Participants: 1

Read full topic
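Seamless reload (`expose-fd listeners` plus `master-worker`) only hands the listening sockets to the new worker; it does not carry over what the old worker knew about each server. The server-state file closes that gap: the new process starts from the previous UP/DOWN, weight and check state instead of a blank slate. Whether that is the cause of the poster's symptom cannot be determined from the excerpts shown, but it is the mechanism intended to keep `nbsrv()` consistent across a reload. This is an added example, not the poster's configuration; the server addresses and the state-file path are constructed.

```haproxy
global
    stats socket /var/lib/haproxy/stats expose-fd listeners level admin
    master-worker
    # Written by the reload hook (see note below) and read by the new worker at
    # startup. Absolute host path: it is read before the chroot is applied.
    server-state-file /var/lib/haproxy/server-state
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 1000000
    user haproxy
    group haproxy
    daemon

defaults
    mode http
    # Every backend restores the operational state recorded by the previous process.
    load-server-state-from-file global

backend sslservice
    acl NOT_ENOUGH_CAPACITY nbsrv(sslservice) le 0
    redirect location {{ maintenance_url }} if NOT_ENOUGH_CAPACITY
    # Constructed example servers; the poster's script generates the real list.
    server web1 10.0.0.11:443 check
    server web2 10.0.0.12:443 check
```

The state file has to be refreshed immediately before each reload, so the reload hook (cron script or systemd ExecReload) should run `echo "show servers state" | socat stdio /var/lib/haproxy/stats > /var/lib/haproxy/server-state` first and only then signal the master. A useful check is to compare `echo "show stat" | socat stdio /var/lib/haproxy/stats` right before and right after a reload: the per-server status column should not change.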

Best way to delete a cookie?

@lucid_thayne wrote:

What is the best way to delete a single cookie?

I tried

http-request replace-header Cookie mycookie=[^;]*(;\s*|$) ""

but then I get an error that http-request replace-header requires three parameters. Apparently it doesn’t recognise the empty string as a parameter :confused:. (at least on 1.7).

I was kind of surprised there doesn’t seem to be any built-in ways to manipulate cookies since haproxy already has to know how to parse cookies for the cook fetch.

What is the best way to delete an individual cookie?

Posts: 1

Participants: 1

Read full topic
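`replace-header` rewrites the whole header value with the format, so the trick is to capture everything except the unwanted cookie and emit only the captures; an empty format is then never needed. The three rules below are an added example, not from the post: they cover the cookie being first, in the middle or last, and clean up a header left empty. `mycookie` is the poster's name; the frontend and backend are constructed. The patterns use only POSIX-compatible syntax so they work whether or not HAProxy was built with PCRE.

```haproxy
frontend www
    bind *:80

    # Case 1: the cookie is first (or alone). Drop it and the separator after it,
    # keeping whatever follows (group 2).
    http-request replace-header Cookie ^mycookie=[^;]*(;[ ]*)?(.*)$ \2

    # Case 2: the cookie is preceded by another one. Drop it and the separator
    # before it, keeping both the head (group 1) and the tail (group 2).
    http-request replace-header Cookie ^(.*);[ ]*mycookie=[^;]*(.*)$ \1\2

    # If nothing is left, remove the now-empty header rather than forwarding "Cookie: ".
    # hdr_len is 0 for an absent header too, and deleting one that is absent is a no-op.
    http-request del-header Cookie if { req.hdr_len(Cookie) eq 0 }

    default_backend app

backend app
    server app1 10.0.0.10:8080 check
```

Worked through by hand: `a=1; mycookie=xyz; b=2` matches case 2 and becomes `a=1; b=2`; `mycookie=xyz; b=2` matches case 1 and becomes `b=2`; `mycookie=xyz` alone becomes empty and the third rule removes the header. Because the rules are anchored with `^` and `$`, a request without `mycookie` is left unchanged.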

Does haproxy automatically select a valid certificate?

@tasavi wrote:

haproxy.cfg

ssl crt /etc/haproxy/ssl/certs/

==========================

/etc/haproxy/ssl/certs/1.cert.pem
/etc/haproxy/ssl/certs/2.cert.pem

1.cert.pem (example.com)
notBefore = Sep 1 06:23:03 2016 GMT
notAfter = Nov 14 07:38:54 2018 GMT

2.cert.pem (example.com)
notBefore = Oct 29 09:15:10 2018 GMT
notAfter = Dec 14 07:38:54 2020 GMT

==========================

There are two certificates for the same domain as above.
I wonder if certificate # 2 is automatically answered when certificate # 1 expires.

I know I only need to use certificate # 2 for renewal, but I want to know how haproxy works under those conditions.

Please answer. Thanks.

Posts: 1

Participants: 1

Read full topic

Basic redirection to fixed uri

@mdconner wrote:

I’m new to HAProxy and looking to simply redirect http traffic to Tomcat on the same server - will add conditional logic later.

Pertinent config includes:
frontend http_front
bind *:8082 # Port HAProxy uses
default_backend http_back

backend http_back
mode http
server localhost 127.0.0.1:8080 # Port used by Apache Tomcat

The redirect should go to http://127.0.0.1:8080/static/test.html which is served by Tomcat

I’ve tried various formats using the “redirect” and “http-request set-uri” commands to no avail. Any suggestions are appreciated.

Posts: 3

Participants: 2

Read full topic
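A redirect is an HTTP response that the client follows, so the target address is interpreted from the client's point of view; that matters when the target is 127.0.0.1. The fragment below is an added example built on the poster's ports, not the poster's own configuration: it redirects only the bare root and shows, as a commented alternative, the internal rewrite that keeps the client on port 8082 while HAProxy fetches the page from Tomcat. The ACL and server names are constructed.

```haproxy
frontend http_front
    bind *:8082
    # "path" is an exact match and ignores the query string, so only "/" matches.
    acl is_root path /

    # Option A: a real redirect. Works only if the browser runs on this same host,
    # because 127.0.0.1:8080 is resolved by the client, not by HAProxy.
    http-request redirect location http://127.0.0.1:8080/static/test.html code 302 if is_root

    # Option B (use instead of A for remote clients): rewrite the path internally and
    # let the backend serve it; the browser never sees another address.
    # http-request set-path /static/test.html if is_root

    default_backend http_back

backend http_back
    mode http
    # Port used by Apache Tomcat
    server tomcat 127.0.0.1:8080 check
```

`curl -sI http://<haproxy-host>:8082/` should show `HTTP/1.1 302` with the Location header for option A, or `200` with the Tomcat page for option B; requests to any other path are proxied unchanged in both cases.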

ACL condition with AND

@lucid_thayne wrote:

I would like to be able to do something like:

ACL myacl   hdr(Host) www.example.com && path /sample/path

Is there a way to do this? The only way to do this that I’ve been able to find is have multiple ACLs, and then combine them in a condition for an action. But that becomes very unwieldy if there are multiple cases for the ACL and/or if there are multiple actions that use the ACL (possibly combined with other ACLs or inline conditions).

Posts: 1

Participants: 1

Read full topic
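A named `acl` line can hold only one fetch, but a condition can AND several terms, and those terms may be anonymous ACLs written inline in braces, which avoids a named ACL for every combination. The fragment below is an added example, not from the post: it shows the inline form for a one-off rule and the named form for a combination that several rules reuse. The frontend, backend and network are constructed.

```haproxy
frontend www
    bind *:80

    # One-off combination: adjacent brace groups are implicitly ANDed.
    use_backend sample_app if { hdr(Host) -i www.example.com } { path /sample/path }

    # Reused combination: name the parts once, then AND them in each rule.
    # Repeating an acl name ORs additional patterns into it (a second "case").
    acl host_www    hdr(Host) -i www.example.com
    acl host_www    hdr(Host) -i example.com
    acl path_sample path /sample/path
    acl trusted_net src 10.0.0.0/8

    http-request set-header X-Sample 1 if host_www path_sample
    http-request deny if host_www path_sample !trusted_net

    default_backend app

backend sample_app
    server sample1 10.0.0.20:8080 check

backend app
    server app1 10.0.0.10:8080 check
```

Whitespace between terms means AND, `||` or `or` means OR, and `!` negates one term; named ACLs must be declared before the rules that use them. When the same AND of two fetches appears in many rules, declaring the parts once, as above, keeps each rule readable without a dedicated combined ACL.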


Migrate Apache RewriteRule to haproxy http-request redirect

@ARadauer wrote:

We have a lot of RewriteRules in our Apache config files. Now we have to migrate these rules to haproxy.

For Example:

RewriteCond %{HTTP_HOST} ^app.mydomain. com*
RewriteRule ^/$ app.mydomain. com/app/startpath [R,L]

How could this be configured in haproxy? like this?

http-request redirect code 302 location https://app.mydomain. com/appPath if { path / and url_dom app.mydomain. com }

Can I use values from a regex expression in the location?

We have a lot of these rules:

RewriteRule ^/?products/(detail|edit)/(\S+)$ /p?$1=$2 [R=301,L]

where app.mydomain. com/products/detail/123 redirects to app.mydomain. com/p?detail=123

Can this be done in haproxy?

Thank you for your help

(the blank before the .com is because I’m getting the message “Sorry, new users can only put 2 links in a post.”)

Posts: 1

Participants: 1

Read full topic
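Both rules in the post can be expressed with `http-request redirect`; captured groups are available through the `regsub()` converter inside a `%[...]` expression in the location. The fragment below is an added example, not from the post: it writes the host name without the poster's forum-imposed blank, uses the `/app/startpath` target from the RewriteRule, and splits the `(detail|edit)` alternation into two rules so the regsub arguments contain no parentheses or commas (which would otherwise need quoting). The certificate path and backend are constructed.

```haproxy
frontend www
    bind *:80
    bind *:443 ssl crt /etc/haproxy/app.pem

    # RewriteCond %{HTTP_HOST} ^app.mydomain.com  +  RewriteRule ^/$ .../app/startpath [R,L]
    # Apache's [R] without a code is a 302.
    acl host_app  hdr(host) -i app.mydomain.com
    acl path_root path /
    http-request redirect location https://app.mydomain.com/app/startpath code 302 if host_app path_root

    # RewriteRule ^/?products/(detail|edit)/(\S+)$ /p?$1=$2 [R=301,L]
    # regsub() replaces the matched prefix and keeps the remainder of the path, so
    # /products/detail/123 becomes /p?detail=123. The host is fixed rather than taken
    # from the request, so a forged Host header cannot turn this into an open redirect.
    acl path_detail path_reg ^/?products/detail/.+$
    acl path_edit   path_reg ^/?products/edit/.+$
    http-request redirect location https://app.mydomain.com%[path,regsub(^/?products/detail/,/p?detail=)] code 301 if path_detail
    http-request redirect location https://app.mydomain.com%[path,regsub(^/?products/edit/,/p?edit=)] code 301 if path_edit

    default_backend app

backend app
    server app1 10.0.0.10:8080 check
```

`path` excludes the query string, matching the Apache behaviour where a substitution containing `?` discards the original query unless `[QSA]` is set. Verify each migrated rule with `curl -sI` against both the old Apache host and the new HAProxy frontend and compare the status code and Location header.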

SSL Renegotiation with SSL backend

@TheJacob wrote:

Hi all,
I have a problem with HAProxy configuration. Because my HAProxy isn’t in the same data center as my web server, I have a working configuration to connect www-backend to my webserver’s HTTPS port. It all works just fine.

Well… Almost.

Today I tried to upload a file (250 kB) using a <form> and I got HTTP 413 Request entity too large. Checking the Apache server log, I’ve found two messages:

AH02018: request body exceeds maximum size (131072) for SSL buffer, referer: https://my.website.com/page

and

AH02257: could not buffer message body to allow SSL renegotiation to proceed, referer: https://my.website.com/page

I’ve done some investigation, found a couple of old articles at stackoverflow, all recommending setting Apache’s SSLRenegBufferSize to something bigger. I don’t want to go that way.

I’ve tried to upload the file directly to webserver (bypassing HAProxy) and it works just fine.

Changing my server definition in www-backend from:

server server1 1.2.3.4:443 check ssl verify none

to

server server1 1.2.3.4:80 check

resolved the issue and I was able to upload the file while being connected through HAProxy.

However, I don’t like the possibility of a MITM attack between HAProxy and my www servers (however unlikely it is).

Is there a way to prevent the SSL renegotiation when user submits the form and uploads the file to the server?

My haproxy.cfg:

global
  log /dev/log local0 notice
  chroot /var/lib/haproxy

  stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
  stats timeout 30s

  user haproxy
  group haproxy
  daemon

  tune.ssl.default-dh-param 2048
  ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
  ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
  ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
  ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

defaults
  log global
  mode http

  option dontlognull
  option forwardfor
  option redispatch

  timeout connect 15000
  timeout client 50000
  timeout server 50000

frontend http-in
  bind :80
  bind *:443 ssl crt /etc/haproxy/certificate.pem

  option forwardfor
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  http-request set-header X-Forwarded-Port %[dst_port]

  # Redirect if HTTPS is *not* used
  redirect scheme https code 301 if !{ ssl_fc }

  # Test URI to see if its a letsencrypt request
  acl letsencrypt-acl path_beg /.well-known/acme-challenge/
  use_backend letsencrypt-backend if letsencrypt-acl

  default_backend www-backend

backend www-backend
  stick-table type ip size 200k expire 30m
  stick on src
  default-server inter 1s

  balance roundrobin

  server server1 1.2.3.4:80 check
  #server server1 1.2.3.4:443 check ssl verify none

Any help is much appreciated!

Posts: 1

Participants: 1

Read full topic
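The two Apache messages (AH02018, AH02257) are emitted when mod_ssl has to renegotiate in the middle of a request and buffer the body to do so, which happens when an SSL parameter (client certificate requirement, cipher suite, protocol) differs per directory or location from the virtual host default. The post does not show the Apache vhost, so whether that is the trigger here is an assumption; HAProxy cannot suppress a renegotiation the origin initiates, and the fix belongs in the Apache configuration. What HAProxy can do is make the backend TLS the poster wants actually resist an active attacker: `verify none` accepts any certificate and so only protects against passive sniffing. The backend below is an added example, not the poster's configuration; the CA file path and host name are constructed.

```haproxy
backend www-backend
    stick-table type ip size 200k expire 30m
    stick on src
    default-server inter 1s
    balance roundrobin

    # TLS to the origin with the certificate actually checked: the issuing CA is
    # pinned, the name is verified, and SNI is sent so the origin selects the right
    # certificate. An attacker between the two data centers can no longer present
    # an arbitrary certificate and read the traffic.
    server server1 1.2.3.4:443 check ssl verify required ca-file /etc/haproxy/origin-ca.pem verifyhost my.website.com sni str(my.website.com)
```

If the origin certificate is issued by a public CA, `ca-file` can point at the system bundle instead of a dedicated file. A failing verification shows up immediately as the server going DOWN with an "SSL handshake failure" check status, which is the desired failure mode compared with silently proxying to an unverified peer.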

Reverse Proxy for Exchange2010 OWA, OA and ActiveSync

@alisampras wrote:

Hi All,

I am very new to HAProxy software. I have compiled HAProxy 1.8.14 with SSL on CentOS 7.

Business Objective
Outside users (users travelling) should be able to access their email through front-end HAProxy and it should redirect the connection to my back-end Internal Exchange server 2010 for authentication and access:

  1. OWA
  2. Outlook Anywhere
  3. ActiveSync

My environment info:
Client: Uses OWA, Outlook Anywhere and mobile ActiveSync
Internal Server: MS Exchange 2010

User will access email (OWA, OA and ActiveSync) through front-end External Proxy (HAProxy) server (https://mail.example.com).
External DNS “A” record point to Public IP 202.100.100.10

My back-end Internal Exchange server is EX-01.example.com with internal IP 10.10.10.11

Please note, my email access will be secure https with SSL certificate.

Questions:

  1. To achieve the above, what will be my full haproxy.cfg settings and with SSL?

  2. What other necessary things should I do?

  3. What log setting do I need to add in the haproxy.cfg file, and where can I see the log files?

I look forward to some experienced expert help to fulfill my requirements.

Posts: 1

Participants: 1

Read full topic

Haproxy error 301 with apache2 rewrite rules

@jpweiss wrote:

Hi everybody,
I am trying to set up haproxy as a reverse proxy to redirect web queries to different servers.
But I have a problem with wordpress servers under apache2 using rewrite rules to redirect http queries to https.

On the client side I get a “The page isn’t redirecting properly” message.
On the haproxy server I get this in the haproxy.log:

Nov  8 14:12:48 rproxy haproxy[1087]: 10.5.0.176:59316 [08/Nov/2018:14:12:48.122] https-in~ bk_webtest2/webtest2 0/0/0/1/1 301 548 - - ---- 1/1/0/1/0 0/0 "GET / HTTP/1.1"
Nov  8 14:12:48 rproxy haproxy[1087]: 10.5.0.176:59316 [08/Nov/2018:14:12:48.127] https-in~ bk_webtest2/webtest2 0/0/0/2/2 301 548 - - ---- 1/1/0/1/0 0/0 "GET / HTTP/1.1"
Nov  8 14:12:48 rproxy haproxy[1087]: 10.5.0.176:59316 [08/Nov/2018:14:12:48.165] https-in~ bk_webtest2/webtest2 0/0/0/1/1 301 548 - - ---- 1/1/0/1/0 0/0 "GET / HTTP/1.1"
Nov  8 14:12:48 rproxy haproxy[1087]: 10.5.0.176:59316 [08/Nov/2018:14:12:48.185] https-in~ bk_webtest2/webtest2 0/0/0/2/2 301 548 - - ---- 1/1/0/1/0 0/0 "GET / HTTP/1.1"
Nov  8 14:12:48 rproxy haproxy[1087]: 10.5.0.176:59316 [08/Nov/2018:14:12:48.198] https-in~ bk_webtest2/webtest2 0/0/0/1/1 301 548 - - ---- 1/1/0/1/0 0/0 "GET / HTTP/1.1"
Nov  8 14:12:48 rproxy haproxy[1087]: 10.5.0.176:59316 [08/Nov/2018:14:12:48.219] https-in~ bk_webtest2/webtest2 0/0/0/2/2 301 548 - - ---- 1/1/0/1/0 0/0 "GET / HTTP/1.1"

On the apache web server, I got this :

10.5.0.43 - - [08/Nov/2018:12:56:01 +0000] "GET / HTTP/1.1" 301 548 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
10.5.0.43 - - [08/Nov/2018:12:56:01 +0000] "GET / HTTP/1.1" 301 548 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
10.5.0.43 - - [08/Nov/2018:12:56:01 +0000] "GET / HTTP/1.1" 301 548 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
10.5.0.43 - - [08/Nov/2018:12:56:01 +0000] "GET / HTTP/1.1" 301 548 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
10.5.0.43 - - [08/Nov/2018:12:56:01 +0000] "GET / HTTP/1.1" 301 548 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"

Here is (part of) my haproxy.cfg :

[...]
frontend https-in
	mode http
	bind *:80
	bind *:443 ssl crt-list /etc/haproxy/crt-list.txt
	acl acl_webtest2 hdr(host) webtest2.pierrefitte93.fr
	use_backend bk_webtest2 if acl_webtest2

backend bk_webtest2
	mode http
	option httpchk
#	option forwardfor except 127.0.0.1
#	http-request redirect scheme https if ! { ssl_fc }
	server webtest2 10.5.0.87:80

And, finally, the apache2 rewrite rule :

#Redirect to SSL version

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Can anybody help me with this problem?
Regards,
JPW

Posts: 1

Participants: 1

Read full topic
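The loop in the logs follows from the topology: HAProxy terminates TLS and talks to Apache on port 80, so Apache's `RewriteCond %{HTTPS} off` is true for every request, including the ones that arrived over HTTPS, and each 301 lands back on the same backend. The frontend below is an added example, not the poster's configuration: it performs the HTTP-to-HTTPS redirect at the edge, tells the origin which scheme the client used, and keeps the backend on port 80. Everything else is the poster's own naming; the `check` on the server line is added.

```haproxy
frontend https-in
    mode http
    bind *:80
    bind *:443 ssl crt-list /etc/haproxy/crt-list.txt

    # Redirect plain HTTP at the edge, before any backend sees it.
    http-request redirect scheme https code 301 unless { ssl_fc }

    # Only HTTPS requests get past the redirect. set-header overwrites any value the
    # client supplied, so the origin can trust this header from HAProxy alone.
    http-request set-header X-Forwarded-Proto https
    option forwardfor except 127.0.0.1

    acl acl_webtest2 hdr(host) -i webtest2.pierrefitte93.fr
    use_backend bk_webtest2 if acl_webtest2

backend bk_webtest2
    mode http
    option httpchk
    server webtest2 10.5.0.87:80 check
```

On the Apache side the rewrite must then stop firing for forwarded HTTPS: either remove it, since HAProxy already redirects, or add `RewriteCond %{HTTP:X-Forwarded-Proto} !https` above the existing `RewriteCond %{HTTPS} off`. WordPress itself also needs to know it is behind a TLS-terminating proxy, otherwise it generates http:// links and its own redirects; the standard approach is to set `$_SERVER['HTTPS'] = 'on'` in wp-config.php when `$_SERVER['HTTP_X_FORWARDED_PROTO']` equals `https`. Because Apache now trusts that header, make sure port 80 on 10.5.0.87 is reachable only from HAProxy, so nobody else can set it.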

Health Check on page with no text

@Coros wrote:

I’m trying to configure a health check on my Jamf servers. I can successfully health check a 200 status but Jamf will return a 200 status prior to being ready to process client requests. During this time period the Jamf webpage shows a progress bar and then switches to a login page. I’m trying to do a string validation but I’ve been unable to match the content on the page.

Here’s a return from a curl request:
`





<!-- 508 -->

<head id="login">
  <meta http-equiv="Pragma" content="no-cache">
  <meta http-equiv="expires" content="0">
  <meta HTTP-EQUIV="content-type" CONTENT="text/html;charset=utf-8">
  <meta charset="utf-8" />
  <meta name="description" content="" />
  <meta name="author" content="JAMF Software" />
  <meta name="apple-mobile-web-app-title" content="Jamf Pro">
  <meta name="version" content="10.7.1-t1536934276">
  <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
  <title>Jamf Pro Login - Jamf Pro v10.7.1-t1536934276</title>

  




<base href="&#x2f;">

<script type="text/javascript" id="setBaseHrefScript">

    var a = document.createElement('a');
    a.href = top.location + '';

    var path = a.pathname; // defaults to '/' if not set in top.location

    // Except in the case of IE, it may need '/' to be prepended.
    if (path.slice(0, 1) !== '/') {
        path = '/' + path;
    }
    var components = path.split('/');
    var context = '/';

    if (components.length > 1 && components[1] && components[1] !== 'view' && components[1] !== 'saml' && ! components[1].match(/^(.*\.html)|enroll?/)) {
        context += components[1] + '/';
    }

    var base = document.getElementsByTagName('base')[0];

    if (base) {
        var serverBaseHref = base.getAttribute('href');

        if (serverBaseHref !== context) {
            base.setAttribute('href', context);
        }
    } else {
        base = document.createElement('base');
        base.setAttribute('href', context);
        var script = document.getElementById('setBaseHrefScript');
        script.parentNode.insertBefore(base, script);
    }

</script>


  <!-- For non-Retina iPhone, iPod Touch, and Android 2.1+ devices: --><link rel="apple-touch-icon-precomposed" href="ui/images/touchicons/touch-icon-iphone.png"><!-- For first- and second-generation iPad: --><link rel="apple-touch-icon-precomposed" sizes="72x72" href="ui/images/touchicons/touch-icon-ipad.png"><!-- For iPhone with high-resolution Retina display: --><link rel="apple-touch-icon-precomposed" sizes="114x114" href="ui/images/touchicons/touch-icon-iphone-retina.png"><!-- For third-generation iPad with high-resolution Retina display: --><link rel="apple-touch-icon-precomposed" sizes="144x144" href="ui/images/touchicons/touch-icon-ipad-retina.png"><link rel="mask-icon" color="#8DC63F" href="ui/images/touchicons/JSS_pinned.svg"><link rel="icon" href="ui/images/jamf-32-32-favicon.ico">

<!--[if lt IE 9]>
  <script src="http://html5shiv.googlecode.com/svn/trunk/html5.js"></script>
<![endif]-->

<!-- C:&#x2a; -->
  <!-- inject:css --><link rel="stylesheet" type="text/css" id="main-stylesheet-link" href="ui/styles/main.css?v=1536937816933"><!-- endinject --><!-- inject:js --><script src="ui/jamf.js?v=1536937816933"></script><!-- endinject --><!-- systemjs:js --><script src="ui/systemjs.config.js?v=1536937816933"></script><!-- endinject --><script>var isLogin = document.head.id === 'login';
    var isSetupAssistant = document.head.id === 'setupAssistant';
    var isStartup = document.head.id === 'startup' || document.head.id == 'activation';
    var config = 'ui/ui';

    if (isLogin) {
        config = 'ui/auth/loginApp';
    } else if (isSetupAssistant) {
        config = 'ui/setupAssistant/setupAssistant';
    } else if (isStartup) {
        config = 'ui/startup/startup';
    }

    var errorLogger = function (error) {
        console.error(error);
    };

    SystemJS.set('cache-buster', SystemJS.newModule({ 
        locate: function(load) {
            return load.address + '?v=1536937816933';
        }
    }));
    SystemJS.config({
        packages: {
            '.': {
                meta: { '*.js': { loader: 'cache-buster' } }
            }
        }
    });

    SystemJS.import(config).catch(errorLogger);</script><!-- non-npm:js --><script src="ui/jamf-non-npm.js?v=1536937816933"></script><!-- endinject -->
</head>

<body class="login-page">

  <div id="main-login-wrapper" class="unselectable " ng-controller="loginController as lc">
    <div id="login-wrapper" ng-class="lc.language">
      <div class="login-box">
        <div id="jamf-logo-login">
          <img src="ui/images/svg/logos/jamf-pro-color.svg" />
        </div>
        <form class="login-form" method="POST" name="f">
          <div id="login-panel">

            <div id="login-fields" ng-cloak>

              <span class="label" translate='INPUT_USERNAME' translate-default='Username'>&nbsp;</span>
              <input name="username" id="username" class="input" value="" autocapitalize="off" autocorrect="off"
                   ng-bind="lc.username" placeholder="ex. admin" />

              <div class="login-separator"></div>

              <span class="label" translate='INPUT_PASSWORD' translate-default='Password'>&nbsp;</span>
              <input name="password" id="password" class="input" type="password" autocomplete="off"
                   ng-bind="lc.password" placeholder="&#8226;&#8226;&#8226;&#8226;&#8226;&#8226;&#8226;&#8226;&#8226;&#8226;&#8226;&#8226;" />

              <button id="jssLoginButton" class="submit-button icon-arrow-1-circle-right button" type="submit" value="{{'LOG_IN' | translate}}"></button>

            </div> 

            <div id="reset-fields">

              <div class="reset-fields-lead">
                <p class="reset-header" translate='RESET_PASSWORD' translate-default='Reset Password'>&nbsp;</p>
                <p class="reset-body" translate="RESET_PASSWORD_INFO">&nbsp;</p>
              </div>
              <div class="login-separator"></div>

              <span class="label" translate='INPUT_USERNAME' translate-default='Username'>&nbsp;</span>

              <input name="resetUsername" id="resetUsername" class="input" value=""
                     autocapitalize="off" autocorrect="off" placeholder="ex. admin" />
              <input type="hidden" disabled="disabled" name="reset" value="reset" />

              <button class="submit-button icon-arrow-1-circle-right button"
                      type="button" value="{{'RESET_PASSWORD' | translate}}" id="reset" onclick="sendResetPassword()"></button>

            </div> 

            <div id="reset-sent-fields">
              <p class="reset-sent-header" translate='RESET_EMAIL_SENT' translate-default='Reset Email Sent'>&nbsp;</p>
              <p class="reset-sent-body" translate='CONTACT_JSS_ADMIN_MISSING_EMAIL' translate-default='Contact your Jamf Pro administrator if you do not receive it.'>&nbsp;</p>
              <i class="submit-button icon-check-circle" onclick="hideResetPassword()"></i>

              <div class="login-separator"></div>

              <span class="label" translate='INPUT_USERNAME' translate-default='Username'>&nbsp;</span>
              <input class="input" value=""
                     autocapitalize="off" autocorrect="off" placeholder="ex. admin" />
              <input type="hidden" disabled="disabled" name="reset" value="reset"/>
            </div> 

          </div> 
        </form>
      </div>
      <div class="reset-links-wrapper">
        <jamf-copyright></jamf-copyright>
        <div id="show-reset-link" class="reset-links" onclick="showResetPassword()">
          <a translate='RESET_PASSWORD' translate-default='Reset Password'>&nbsp;</a><i class="submit-button icon-arrow-2-circle-right"></i>
        </div>
        <div id="show-login-link" class="reset-links" onclick="hideResetPassword()">
          <i class="submit-button icon-arrow-2-circle-left"></i><a translate='LOGIN' translate-default='Login'>&nbsp;</a>
        </div>
      </div>
    </div>

  </div> 

  <script>

    function setDefaultField(){
        document.addEventListener("angularReady", function() {
            
            document.getElementById('username').focus();
            
        });
    }

    function showResetPassword(){
      document.getElementById("login-wrapper").className="show-reset-fields";
      document.getElementsByName("reset")[0].removeAttribute("disabled");
    }

    function hideResetPassword(){
      document.getElementById("login-wrapper").className="show-login-fields";
      document.getElementsByName("reset")[0].setAttribute("disabled", "true");
    }

    document.getElementById("reset").onclick = function() {
        document.forms['f'].submit();
    };
  </script>

</body>
</html>

I’ve also discovered this URL that actually does have some content, but it doesn’t seem to work when I try to match the string “Powered” or “Jamf” either:

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html>
    	<head>
    		<meta http-equiv="cache-control" content="max-age=0" />
    		<meta http-equiv="cache-control" content="no-cache" />
    		<meta http-equiv="expires" content="0" />
    		<meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" />
    		<meta http-equiv="pragma" content="no-cache" />
    		<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
    		
    		
    			<link href="../stylesheets/bootstrap/css/bootstrap.min.css" rel="stylesheet" />
    			<link type="text/css" rel="stylesheet" href="../stylesheets/enrollment.css" />
    		
    		<link type="text/css" rel="stylesheet" href="../stylesheets/enrollmentBase.css" />
    		
    		<meta content="minimum-scale=1.0, width=device-width, maximum-scale=0.6667, user-scalable=no" name="viewport" />
    		<script type="text/javascript" src="../javascripts/jquery/jquery.js"></script>
    		<script type="text/javascript" src="../javascripts/enrollment.js"></script>
    		<script type="text/javascript" src="../javascripts/jamf-ajaxTimeout.js"></script>
    		<script type="text/javascript" src="../javascripts/jamf-enrollment-monitor.js"></script>
    		<script type="text/javascript" src="../javascripts/jamf-enrollment-device.js"></script>
    		<title>Enroll Your Device</title>
    	
    		
    	</head>
    	
    	
    	<body>
    	
    	
    		<div class="container">
    			<div class="row">
    				<div class="col-md-3">
    				</div>
    				<div class="col-md-6">
    					<div class="jumbotron">
    						<form method="post" target="" name="f">
    							<input type="hidden" name="lastPage" value="unhandled.jsp" />
    							<input type="hidden" name="payload" id="payload" value="" />
    				
    							



    <style>
    .form-control-feedback{
    	top: 6px;
    }
    </style>

    <script>
    function toggleType(v){
    	document.getElementById("deviceType").value=v;
    	document.f.submit()
    }

    </script>

    	<input type="hidden" name="deviceType" id="deviceType" value="">
    	
    	<div class="form-group has-feedback">
    		<button class="btn btn-lg btn-default btn-block" type="button" onclick="javascript:toggleType('osx')">macOS</button>
    		<span id="osx-check" class="glyphicon glyphicon-ok form-control-feedback" style="display:none"></span>
    	</div>

    	<div class="form-group has-feedback">
    		<button class="btn btn-lg btn-default btn-block" type="button" onclick="javascript:toggleType('ios')">iOS</button>
    		<span id="ios-check" class="glyphicon glyphicon-ok form-control-feedback" style="display:none"></span>
    	</div>

    	<div class="form-group has-feedback">
    		<button class="btn btn-lg btn-default btn-block" type="button" onclick="javascript:toggleType('android')">Android</button>
    		<span id="android-check" class="glyphicon glyphicon-ok form-control-feedback" style="display:none"></span>
    	</div>

    	
    	
    						
    						</form>
    					</div>
    				</div>
    			</div>
    		</div>
    		
    		<footer class="footer">
    			Powered by <a href="https://www.jamf.com/" target="_blank">Jamf</a>
    		</footer>
    	
    	</body>

Any ideas?

Posts: 1

Participants: 1

Read full topic
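A quick way to see why a string check can pass against one Jamf page and fail against another is to emulate what `http-check expect string` actually does. The following is an added example, not code from this post or from HAProxy: it models the two documented properties of the check, that it is a plain case-sensitive substring search over the raw response HAProxy captured, and that the capture is bounded by `tune.chksize` (documented default 16384 bytes). The sample responses, the padding sizes and the hostname `jss.example.invalid` are constructed for the demonstration and are not taken from the post.

```python
"""
Emulation of HAProxy's `http-check expect string` over a bounded check buffer.

Added example, not code from the post or from HAProxy. It models two things
the HAProxy docs state: the string check is a plain, case-sensitive substring
search over the raw response HAProxy captured, and that capture is bounded by
tune.chksize (documented default 16384 bytes). The sample responses below are
constructed for the demonstration; the hostname is hypothetical.
"""

DEFAULT_CHKSIZE = 16384  # HAProxy's documented default for tune.chksize


def expect_string(raw_response: bytes, needle: str, chksize: int = DEFAULT_CHKSIZE) -> bool:
    """Return True if `needle` occurs in the first `chksize` bytes of the response.

    Approximation of `http-check expect string <needle>`: case-sensitive,
    no HTML parsing, and only the captured prefix of the response is searched.
    """
    window = raw_response[:chksize]
    return needle.encode("utf-8") in window


def http_response(status_line: str, headers: dict, body: bytes) -> bytes:
    """Assemble a raw HTTP/1.1 response (constructed sample data)."""
    hdrs = "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return (f"{status_line}\r\n{hdrs}Content-Length: {len(body)}\r\n\r\n").encode() + body


# 1) Constructed login page: the <title> is near the top, so it sits inside the check window.
LOGIN_PAGE = http_response(
    "HTTP/1.1 200 OK",
    {"Content-Type": "text/html;charset=UTF-8"},
    b"<html><head><title>Jamf Pro Login</title></head><body>"
    + b"<!-- scripts, styles, Angular templates -->" * 400   # ~17 KB of filler markup
    + b"</body></html>",
)

# 2) Constructed enrollment page: "Powered by Jamf" is in the footer, after ~26 KB of markup.
ENROLL_PAGE = http_response(
    "HTTP/1.1 200 OK",
    {"Content-Type": "text/html;charset=UTF-8"},
    b"<html><head><script src='../javascripts/jamf-enrollment-device.js'></script></head><body>"
    + b"<div class='form-group'><button>macOS</button></div>\n" * 500
    + b"<footer>Powered by <a href='https://www.jamf.com/'>Jamf</a></footer></body></html>",
)

# 3) Constructed redirect: what the check sees if the probed path bounces elsewhere.
REDIRECT = http_response(
    "HTTP/1.1 302 Found",
    {"Location": "https://jss.example.invalid/?failover"},  # hypothetical host
    b"",
)


def demo() -> dict:
    """Run the comparisons a practitioner would make; returns a name -> bool map."""
    return {
        # Title is early in the document: found with the default buffer.
        "login_title_default": expect_string(LOGIN_PAGE, "Jamf Pro Login"),
        # Footer text sits beyond 16384 bytes: not found with the default...
        "enroll_footer_default": expect_string(ENROLL_PAGE, "Powered by"),
        # ...but found once tune.chksize is raised past the page size.
        "enroll_footer_big_buffer": expect_string(ENROLL_PAGE, "Powered by", chksize=65536),
        # Case matters: the script paths say "jamf", the footer says "Jamf".
        "enroll_lowercase_default": expect_string(ENROLL_PAGE, "jamf"),
        # A redirect response carries no page body to match at all.
        "redirect_body": expect_string(REDIRECT, "Jamf"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} {'MATCH' if ok else 'no match'}")
```

The practical check before touching the HAProxy config: fetch exactly the path and Host header that `option httpchk` sends (for example with `curl -sS -D - -o body.html`), confirm the status is 200 rather than a redirect to the login URL, and look at the byte offset of the string in the saved body with `grep -bo 'Powered by' body.html`. If that offset is past `tune.chksize` (16384 by default), either raise `tune.chksize` in the `global` section or match something that appears near the top of the document, such as the `<title>` text, instead of the footer.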
