Channel: HAProxy community - Latest topics

HAProxy 1.9.4 http healthcheck for h2 backends


@anandtry wrote:

All my backends support h2. The http health check is failing as it is using h2 and marking the members down. If I remove the health check then everything works fine.

How do I force the health check to happen on http/1.1 instead of h2?

```
backend backend_java
    balance leastconn
    option http-use-htx
    option httpchk GET /healthcheck HTTP/1.1

    server default_1_java 1.1.1.1:443 check ssl verify none alpn h2,http/1.1

    server default_2_java 2.2.2.2:443 check ssl verify none alpn h2,http/1.1
```



Haproxy with Nginx can't use client certificate authentication


@Mario wrote:

Hi, all

I have one IP address and one port, 443.
At the end I have four web applications.
I use two domain names (www.domainsample1.com, www.domainsample2.com) and two context roots (context_root_1, context_root_2) for backend mapping.
I have the path: request https -> nginx -> haproxy -> http application
It works until I try to use client certificate authentication.
When I add client certificate authentication I get the error "1: SSL handshake failure" and the client browser does not even try to ask about the use of the certificate.
When I test it without nginx (https -> haproxy -> http application) I can authenticate with a client certificate but I get a 400 error when displaying the application page.
Any help or suggestions are appreciated.
Thanks! :slight_smile:

config haproxy:

```
global
    # log 127.0.0.1 local1 notice
    log localhost:514 local0
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    tune.ssl.default-dh-param 2048
    stats socket /var/run/haproxy.sock mode 666 level admin
    stats timeout 2m
    stats bind-process 1
    nbproc 2
    cpu-map 1 0
    cpu-map 2 1

defaults
    log global
    option dontlognull
    option httplog
    balance leastconn
    timeout client 60000
    timeout server 60000
    timeout connect 5000
    retries 3
    option redispatch

frontend demo
    mode http
    acl context_root_1 path_beg /context_root_1
    acl context_root_2 path_beg /context_root_2
    acl domainsample1 hdr(Host) www.domainsample1.com
    acl domainsample2 hdr(Host) wwww.domainsample2.com
    bind 172.16.10.1:443 ssl crt /etc/pki/tls/certs/domainsample1.pem crt /etc/pki/tls/certs/domainsample2.pem ca-file /etc/pki/tls/certs/CA.cer verify required
    http-request set-header X-SSL %[ssl_fc]
    http-request set-header X-SSL-Client-Cert %[ssl_fc_has_crt]
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
    http-request set-header X-SSL-Client-SHA1 %{+Q}[ssl_c_sha1]
    http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
    http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
    http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
    http-request set-header X-SSL-Client-Not-Before %{+Q}[ssl_c_notbefore]
    http-request set-header X-SSL-Client-Not-After %{+Q}[ssl_c_notafter]
    use_backend bk_context_root_1_demo_domainsample1 if domainsample1 context_root_1
    use_backend bk_context_root_1_demo_domainsample2 if domainsample2 context_root_1
    use_backend bk_context_root_2_demo_domainsample1 if domainsample1 context_root_2
    use_backend bk_context_root_2_demo_domainsample2 if domainsample2 context_root_2

backend bk_context_root_1_demo_domainsample1
    mode http
    server server1 172.16.10.2:5071 check
    reqirep ^([^\ :]*)\ /context_root_1/(.*) \1\ /\2

backend bk_context_root_1_demo_domainsample2
    mode http
    server server2 172.16.10.3:5071 check
    reqirep ^([^\ :]*)\ /context_root_1/(.*) \1\ /\2

backend bk_context_root_2_demo_domainsample1
    mode http
    server server1 172.16.10.2:5070 check
    reqirep ^([^\ :]*)\ /context_root_2/(.*) \1\ /\2

backend bk_context_root_2_demo_domainsample2
    mode http
    server server2 172.16.10.3:5070 check
    reqirep ^([^\ :]*)\ /context_root_2/(.*) \1\ /\2
```

haproxy -vv

```
HA-Proxy version 1.5.18 2016/05/10
Copyright 2000-2016 Willy Tarreau willy@haproxy.org

Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
Running on OpenSSL version : OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.
```


Incorrect scheme set while proxying to a http/2 cleartext (h2c) backend


@shamsimam wrote:

I am using HA-Proxy version 1.9.4 2019/02/06 for proxying HTTP/2 cleartext (h2c) traffic to an h2c backend. I am however seeing HA-Proxy set :scheme to https when proxying the request. When I hit the backend directly, the :scheme is set to http. I have verified this using Wireshark (please see attached images).

Any suggestions on what I should change in my configuration to make sure that the :scheme gets set to http while proxying the request?

I am using curl 7.54.0 to make requests:

```
$ curl --http2-prior-knowledge http://localhost:9090
```

My HA-Proxy config file:

```
global
    maxconn 4096
    daemon

defaults
    log global
    option http-use-htx
    timeout connect 10s
    timeout client 30s
    timeout server 30s
    maxconn 3000

frontend waiter
    mode http
    bind *:9090 proto h2
    default_backend local_node

backend local_node
    mode http
    server localhost localhost:8080 proto h2
```


Routing websocket traffic from port 80 to 8181


@wuppi wrote:

I am running an Apache webserver and, on the same host, a proprietary websocket server which listens on port 8181 for incoming websocket calls.

The client is a browser, loading a website from the Apache on port 80, and the JavaScript inside the website opens the websocket connection to the websocket server.

For various reasons I would now like to make the websocket call on the same port 80.

In order to route the traffic I would like to set up an HAProxy on the host which listens on port 80. For this purpose I would change the Apache port to 8000, for instance.

HAProxy is now expected to listen on port 80 for incoming traffic and route it to port 8000 (Apache) if it is http and to port 8181 if it is websocket traffic.

However, I am having a hard time with the configuration as I am a complete novice in haproxy.
At least the websocket traffic does not get routed to the websocket server with the following configuration.

Any idea why? The configuration so far looks like:

```
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    maxconn 2000
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode http
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor
    retries 3
    maxconn 2000
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend public
    bind *:80
    maxconn 60000
    acl is_websocket hdr(Upgrade) -i WebSocket
    acl is_websocket hdr_beg(Host) -i ws
    use_backend ws if is_websocket
    default_backend www

backend www
    timeout server 30s
    server www1 127.0.0.1:8000
    option http-server-close

backend ws
    timeout server 600s
    server ws1 127.0.0.1:8181
```

Best regards Wuppi


HAProxy Barracuda Email Gateway


@c1s wrote:

Has anyone configured HAProxy for use with two Barracuda Email Gateways? We have two gateways in a cluster and would like to either LB or HA the two devices. I'm having issues figuring out a good way to do this. The problem is all traffic related to 25/443/587 hits the public IP pointed to the Barracuda. Not sure how this would be done using HAProxy. Any help would be highly appreciated!

I'm trying to figure out a way to forward the client's IP to the Barracuda. This is needed in order to determine traffic / whitelisting etc.

Thank you!


HAProxy with Wildfly Web Page cannot display images


@nazris wrote:

my config, please help


```
# Example configuration for a possible web application.  See the
# full configuration options online.
#
#   http://haproxy.1wt.eu/download/1.8/doc/configuration.txt
#
#---------------------------------------------------------------------

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/opt/rh/rh-haproxy18/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events.  This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/opt/rh/rh-haproxy18/log/haproxy.log
    #    file. A line like the following can be added to
    #    /etc/sysconfig/syslog
    #    local2.*                       /var/opt/rh/rh-haproxy18/log/haproxy.log
    #
    log 127.0.0.1 local2

    chroot      /var/opt/rh/rh-haproxy18/lib/haproxy
    pidfile     /var/run/rh-haproxy18-haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    # turn on stats unix socket
    stats socket /var/opt/rh/rh-haproxy18/lib/haproxy/stats

    # utilize system-wide crypto-policies
    ssl-default-bind-ciphers PROFILE=SYSTEM
    ssl-default-server-ciphers PROFILE=SYSTEM

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend main
    bind *:80
    acl url_static path_beg -i /static /images /javascript /stylesheets
    acl url_static path_end -i .jpg .gif .png .css .js
    acl acl_myApp path_sub ebid

    use_backend static          if url_static
    default_backend            app

#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------
backend static
    balance roundrobin
    server static 127.0.0.1:4331 check

#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend app
    reqrep ^GET\ /(.*) GET\ /ebid/\1
    balance roundrobin
    server app1 app1:80 check
    server app2 app2:80 check
```


Server failed when check is added


@natali wrote:

Hello everyone
I am trying to configure a sample of HAProxy and I am running into some difficulties…
Part of the configuration:

```
frontend firstbalance
    bind *:80
    option forwardfor
    default_backend webservers

backend webservers
    balance roundrobin
    server web1 172.217.21.238
    server web2 98.138.219.232
```

Problem 1 - when I change the port "bind *:80" to another port, the service is OK but I can't reach anything (when I google ip:port).

Problem 2 - adding the 'check' option makes the service fail:

```
backend webservers
    balance roundrobin
    server web1 172.217.21.238 check
    server web2 98.138.219.232 check
```

Could you please help me solve this?
And if you have some tips for beginners, that would be great.


Configuring HAProxy with only 2 EC2 Nodes


@machy wrote:

I am very new to this and I am trying to configure a load balancer for 2 web servers using HAProxy with 2 EC2 instances. Let's just say I can only work with 2 instances; is it possible for me to hook this up with only 2 nodes?

I currently only have NodeA (x.x.x.1) and NodeB (x.x.x.2). I set up my HAProxy at NodeA listening on port 80. My full haproxy.cfg at NodeA looks like this:

```
global
    log         /dev/log local0
    log         127.0.0.1 local0
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon
    stats socket /var/lib/haproxy/stats

defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

    errorfile 503 /etc/haproxy/errorfiles/503.http

frontend http-in
    mode http
    bind *:80

    default_backend webservers

backend webservers
    mode http
    balance roundrobin
    server NodeA x.x.x.1 check port 80
    server NodeB x.x.x.2 check port 80
```

As you can see from the configuration above, the load balancing doesn't work because I cannot start up my Apache on NodeA, since HAProxy is taking up port 80, and I can only get NodeB but not NodeA.

I have tried changing the HAProxy port to listen on another port: failed.
I have also tried changing my Apache port to another port and having NodeA look something like:

```
frontend http-in
    mode http
    bind *:80

    default_backend webservers

backend webservers
    mode http
    balance roundrobin
    server NodeA x.x.x.1:81 check
    server NodeB x.x.x.2:81 check
```

but that failed as well. I am now getting a 404 Bad Request in my browser.

Some logs from HAProxy:

```
x.x.x.1:53006 [18/Mar/2019:01:27:57.789] http-in webservers/NodeA 0/0/0/43/43 400 168 - - ---- 6/6/6/6/+1 0/0 "GET / HTTP/1.1"
x.x.x.1:53002 [18/Mar/2019:01:27:57.788] http-in webservers/NodeA 0/0/0/43/43 400 168 - - ---- 5/5/5/5/+1 0/0 "GET / HTTP/1.1"
x.x.x.1:52998 [18/Mar/2019:01:27:57.788] http-in webservers/NodeA 0/0/0/44/44 400 168 - - ---- 4/4/4/4/+1 0/0 "GET / HTTP/1.1"
x.x.x.1:52994 [18/Mar/2019:01:27:57.787] http-in webservers/NodeA 0/0/0/44/44 400 168 - - ---- 3/3/3/3/+1 0/0 "GET / HTTP/1.1"
x.x.x.1:52990 [18/Mar/2019:01:27:57.787] http-in webservers/NodeA 0/0/0/45/45 400 168 - - ---- 2/2/2/2/+1 0/0 "GET / HTTP/1.1"
x.x.x.1:52986 [18/Mar/2019:01:27:57.786] http-in webservers/NodeA 0/0/0/45/45 400 168 - - ---- 1/1/1/1/+1 0/0 "GET / HTTP/1.1"
x.x.x.1:57534 [18/Mar/2019:01:27:52.344] http-in webservers/NodeA 5441/1/0/46/5718 400 168 - - ---- 1/1/0/0/+1 0/0 "GET / HTTP/1.1"
```

I am not sure if I am understanding the right concept.

But essentially I am asking if it is possible to load balance with only 2 nodes
(e.g. NodeA running HAProxy and Apache, NodeB as secondary server).

I would appreciate knowing if my concept is wrong, or any workaround for this setup.

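Reading the quoted lines with HAProxy's httplog field layout tells you who produced the status code: a termination state of `----` with a non-negative Tr means the session completed normally and the 400 was the server's own answer, whereas HAProxy-generated errors carry states such as `PR--`, `SC--` or `sH--`. The parser below is an added example, not from the post; the sample lines are constructed copies of the ones quoted above, with the syslog prefix assumed already stripped.

```python
import re

# Field layout of HAProxy's default HTTP log format, after the syslog prefix:
# client_ip:port [accept_date] frontend backend/server Tq/Tw/Tc/Tr/Tt status bytes
# req_cookie resp_cookie termination_state actconn/feconn/beconn/srv_conn/retries
# srv_queue/backend_queue "request"
HTTPLOG_RE = re.compile(
    r'^(?P<client_ip>\S+):(?P<client_port>\d+) \[(?P<accept_date>[^\]]+)\] '
    r'(?P<frontend>\S+) (?P<backend>[^/\s]+)/(?P<server>\S+) '
    r'(?P<Tq>-?\d+)/(?P<Tw>-?\d+)/(?P<Tc>-?\d+)/(?P<Tr>-?\d+)/(?P<Tt>\+?\d+) '
    r'(?P<status>-?\d+) (?P<bytes>\+?\d+) (?P<req_cookie>\S+) (?P<resp_cookie>\S+) '
    r'(?P<termination>\S{4}) '
    r'(?P<actconn>\d+)/(?P<feconn>\d+)/(?P<beconn>\d+)/(?P<srv_conn>\d+)/(?P<retries>\+?\d+) '
    r'(?P<srv_queue>\d+)/(?P<backend_queue>\d+) "(?P<request>.*)"$'
)
INT_FIELDS = ("client_port", "Tq", "Tw", "Tc", "Tr", "Tt", "status", "bytes", "actconn",
              "feconn", "beconn", "srv_conn", "retries", "srv_queue", "backend_queue")

# First two characters of the termination state for cases where HAProxy, not the
# server, generated the status code (HAProxy's "session state at disconnection").
EXPLANATIONS = {
    "SC": "server refused the connection or it failed (HAProxy emitted 503)",
    "sC": "server connect timeout (HAProxy emitted 503)",
    "SH": "server aborted before sending response headers (HAProxy emitted 502)",
    "sH": "server timeout waiting for response headers (HAProxy emitted 504)",
    "PH": "HAProxy blocked an invalid server response (502)",
    "PR": "HAProxy rejected the request itself (400, or a deny rule)",
    "CR": "client aborted before sending a complete request",
    "cR": "client timeout before sending a complete request (408)",
}


def parse_httplog(line):
    """Return the fields of one log line as a dict (numbers as int), or None if no match."""
    m = HTTPLOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    for name in INT_FIELDS:
        entry[name] = int(entry[name])  # int() accepts the '+' prefix of retries/logasap
    return entry


def classify(entry):
    """Say who produced the status: '--' is a normal session, so the server answered."""
    code = entry["termination"][:2]
    if code == "--":
        if entry["status"] >= 400:
            return "server %s answered %d itself after %d ms; not a HAProxy error" % (
                entry["server"], entry["status"], entry["Tr"])
        return "normal completion"
    return EXPLANATIONS.get(code, "termination state %s: see HAProxy's session state table"
                            % entry["termination"])


# Constructed copies of the lines quoted in the post (placeholder addresses kept).
SAMPLE_LINES = [
    'x.x.x.1:53006 [18/Mar/2019:01:27:57.789] http-in webservers/NodeA 0/0/0/43/43 400 168 - - ---- 6/6/6/6/+1 0/0 "GET / HTTP/1.1"',
    'x.x.x.1:53002 [18/Mar/2019:01:27:57.788] http-in webservers/NodeA 0/0/0/43/43 400 168 - - ---- 5/5/5/5/+1 0/0 "GET / HTTP/1.1"',
    'x.x.x.1:52998 [18/Mar/2019:01:27:57.788] http-in webservers/NodeA 0/0/0/44/44 400 168 - - ---- 4/4/4/4/+1 0/0 "GET / HTTP/1.1"',
    'x.x.x.1:52994 [18/Mar/2019:01:27:57.787] http-in webservers/NodeA 0/0/0/44/44 400 168 - - ---- 3/3/3/3/+1 0/0 "GET / HTTP/1.1"',
    'x.x.x.1:52990 [18/Mar/2019:01:27:57.787] http-in webservers/NodeA 0/0/0/45/45 400 168 - - ---- 2/2/2/2/+1 0/0 "GET / HTTP/1.1"',
    'x.x.x.1:52986 [18/Mar/2019:01:27:57.786] http-in webservers/NodeA 0/0/0/45/45 400 168 - - ---- 1/1/1/1/+1 0/0 "GET / HTTP/1.1"',
    'x.x.x.1:57534 [18/Mar/2019:01:27:52.344] http-in webservers/NodeA 5441/1/0/46/5718 400 168 - - ---- 1/1/0/0/+1 0/0 "GET / HTTP/1.1"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        e = parse_httplog(line)
        print(e["accept_date"], e["server"], e["status"], e["termination"], "->", classify(e))
```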


Forwarding VMware ESXi 6.7.0 with HAProxy


@Fruityski wrote:

Hi there,
I am currently stuck trying to forward a subdomain to ESXi.
I have changed the mode to TCP as the web GUI already has an SSL cert.

Here is my relevant conf:

```
frontend http_front
    bind *:80
    mode tcp
    default_backend http_esxi

    acl esxi_acl hdr_beg(host) -m beg sub1.domain.com
    use_backend http_esxi if esxi_acl

backend http_esxi
    mode tcp
    server exsi 10.20.30.40:443 weight 1 maxconn 10240 check
```

Here is the error message I am getting:

```
502 Bad Gateway
The server returned an invalid or incomplete response.
```

I have read the previous thread "Forwarding VMWare workstation ports with HAProxy" and added what I thought was relevant conf; is there something obvious that I am missing?

I would appreciate any assistance with this.
Thanks, Daniel


ACL To Deny Cache pdf files


@pfbjorge1982 wrote:

Hi ppl,

I'm a noob in haproxy and I'm having a bit of difficulty understanding ACL denies.

I need to deny caching of any requests of type PDF and go direct to the backend servers.

Thanks in advance
PJ


Error when working with grpc


@andrey090594 wrote:

Hello, we have problems with haproxy 1.9.4 when working with grpc.

We use bidirectional streaming of data and receive this error every 30 seconds (it's the timeout server in our configuration).

```
io.grpc.StatusRuntimeException: UNAVAILABLE: HTTP status code 504
invalid content-type: text/html
headers: Metadata(:status=504,cache-control=no-cache,content-type=text/html)
DATA-----------------------------
<html><body><h1>504 Gateway Time-out</h1>
The server didn't respond in time.
</body></html>
DATA-----------------------------
```

Our configuration:

```
defaults
    log     global
    mode    http
    option  httplog
    option  socket-stats
    option  logasap
    option  http-use-htx
    option  forwardfor
    timeout connect 30000
    timeout client  30s
    timeout server  30s
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend main-http-grpc
    description  http:8080,grpc:9090
    option  http-use-htx
    option  forwardfor
    bind *:8080 name main-http
    bind *:9090 name main-grpc proto h2
    acl http dst_port eq 8080
    acl grpc dst_port eq 9090

    use_backend  testhost if http { hdr_beg(host) -i testhost.local }
    use_backend  testhost-grpc if grpc { hdr_beg(host) -i testhost.local }

backend testhost
    description  http
    option forwardfor
    option httpchk OPTIONS /status
    server testhost1 10.10.10.1:8080 check
    server testhost2 10.10.10.2:8080 check backup disabled

backend testhost-grpc
    option http-use-htx
    description grpc
    server testhost1 11.11.11.1:50051 proto h2 track testhost/testhost1
    server testhost2 11.11.11.2:50051 proto h2 track testhost/testhost2 backup disabled
```

What could be the problem?
Thanks in advance.


HAProxy- Configuration sync


@Thoufiq wrote:

I have a HAProxy cluster which is acting as active/backup with the help of Keepalived. Can we make the secondary node sync its configuration with the primary node and update its configuration to be the same as the primary?


Convert from F5 irule


@yorozen wrote:

Hi,
I have a script in F5 and I want to convert it to an haproxy cfg, and I can't find how to do it:

```
when HTTP_REQUEST {
    HTTP::collect 50
}
when HTTP_REQUEST_DATA {
    if {[HTTP::payload] contains "\214\203\230C1"} {
        pool SERVER_POOL1
    }
    elseif {[HTTP::payload] contains "\214\205\230C1"} {
        pool SERVER_POOL1
    }
    elseif {[HTTP::payload] contains "\214\203\230C2"} {
        pool SERVER_POOL2
    }
    elseif {[HTTP::payload] contains "\214\205\230C2"} {
        pool SERVER_POOL2
    }
    else {
        pool SERVER_TRAFFIC
    }
}
```

Can anyone assist me?

Yoni


How can I verify backend server use root CA file?


@oweir29 wrote:

```
global
    tune.ssl.default-dh-param 2048
defaults
    log 127.0.0.1:514 user
    timeout connect 5000ms
    timeout client 5000ms
    timeout server 5000ms
    mode http
    option httplog
listen reverse-proxy
    bind 127.0.0.1:80
    acl test_acl hdr_end(host) -i wikipedia.org
    use_backend wikipedia if test_acl
backend wikipedia
    server wikipedia-server 208.80.153.224:443 ssl verify required ca-file /home/test/haproxy-certificate/GlobalSignRootCA.crt
```

For example www.wikipedia.org: I try to export the root CA of www.wikipedia.org from Firefox, but it doesn't work and complains with one haproxy 503 page.
If I export the whole certificate chain of *.wikipedia.org it works, but I just want to verify the root CA because the root CA almost never expires.


Need Help with Nginx to HaProxy Backend


@nbraetter wrote:

Hi, I need help converting an nginx config to an HAProxy backend.
I don't have the necessary knowledge to do this, but this is our only configuration in HAProxy that I didn't get to work.

We have HAProxy 1.7 in place and got this nginx config:

```
server {
    listen *:80;
    server_name merkur-stylo.vrsmedia.de;
    access_log /var/log/nginx/stylotest.log;
    location / {
        proxy_pass http://10.32.2.228:8080/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

My HAProxy backend shows the following code, but it's not working.

```
backend merkur_stylo
    balance source
    mode http
    option forwardfor header X-Real-IP
    http-request set-header Host 10.32.2.228
    http-request set-header X-Forwarded-Host 10.32.2.228
    http-request set-header X-Forwarded-Proto http
    server merkur-stylo 10.32.2.228:8080 check inter 5000
```

The URL can be tested with merkur-stylo.vrsmedia.de/stylo.
But the editor can't find the necessary pictures, although they are available.

The Stylo is bound via a VPN gateway and is originally only available from the internal network of our publisher.

Can anybody help me convert this to a working HAProxy backend?

Thank you.



Need help with haproxy config


@Ajay wrote:

Not sure what I am missing here, but the traffic is not getting redirected. Below is the haproxy config that I am using.

Trying to redirect 11210 and 8091 port traffic to a set of target servers.

And I am running this from the container, and when I point my app code to run on the docker IP it's trying to connect to the docker IP (haproxy) instead of redirecting to the backend server mentioned in the haproxy config.

Any help or pointers to move forward would be appreciated.

```
global
    daemon
    maxconn 256

defaults
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend haproxynode
    bind *:11210
    default_backend servers

frontend haproxynode8091
    bind *:8091
    default_backend servers

backend servers
    mode tcp
    balance roundrobin
  # server server1 127.0.0.1:8000 maxconn 32
    server node1 <ip> check
    server node2 <ip-2> check
```


Persistently between one of the three servers and the client


@Yogui wrote:

I have a problem … like everyone who writes here.

I would like to redirect all ports 80,8000,443,8001,12307,12308,808,2195,1433

persistently between one of the three servers and the client,
without port forwarding.

My configuration:

```
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!D$
    ssl-default-bind-options no-sslv3

defaults
    log global

    mode http

    option httplog

    option tcplog
    timeout client 1h

listen toto-va
    bind *:80
    bind *:443
    bind *:8000
    bind *:8001
    bind *:2195
    bind *:12307
    bind *:12308
    bind *:1433
    bind *:4242

    mode tcp
    balance source
    option httpchk
    server toto-VA-Web1 127.0.0.185 check
    server toto-VA-Web2 127.0.0.186 check
    server toto-VA-Web3 127.0.0.187 check

listen stats # Define a listen section called "stats"
    bind :9000 # Listen on localhost:9000
    mode http
    stats enable # Enable stats page
    stats hide-version # Hide HAProxy version
    stats realm Haproxy\ Statistics # Title text for popup window
    stats uri /haproxy_stats # Stats URI
    #stats auth root:pwd # Authentication credentials
```


Forward client certificate info via TCP


@dlafuente wrote:

Hi there!!

I am using HAProxy over TCP to solve the TLS negotiation so that my app downstream can deal with a clean TCP connection. I require client certificates on the incoming TLS connections and then my app uses the common name of the client certificate to identify the customer. My problem is: since TLS is negotiated and handled by HAProxy, I can't find a way to forward that information (the client certificate's common name) to my app. I've seen in some HTTP examples how that kind of information can be forwarded using HTTP headers, but I am not using HTTP, just TCP. Is there any way to do it using TCP?

Thanks for your help!!

Diego.

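One way to carry the client certificate's CN over a plain TCP hop is the PROXY protocol v2 header, which HAProxy prepends to the backend connection when the server line carries `send-proxy-v2-ssl-cn`; the application parses that header before reading its first payload byte. The parser below is an added example, not code from the post or from HAProxy: the addresses, the customer name and the `build_sample_header` helper are constructed, and it assumes the backend port is reachable only from HAProxy, since a PROXY header is trusted from whoever sends it.

```python
"""Parse the PROXY protocol v2 header that HAProxy prepends on a TCP backend
connection. Added example, not from the post: it assumes a server line using
`send-proxy-v2-ssl-cn`; addresses, the customer name and the builder are constructed."""
import socket
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # 12 fixed bytes that open every v2 header
PP2_TYPE_SSL = 0x20                        # TLV carrying the TLS details
PP2_SUBTYPE_SSL_VERSION = 0x21
PP2_SUBTYPE_SSL_CN = 0x22                  # only present with send-proxy-v2-ssl-cn
PP2_CLIENT_SSL = 0x01                      # flags of the 'client' byte in the SSL TLV
PP2_CLIENT_CERT_CONN = 0x02                # a client cert was presented on this connection


def _tlvs(buf):
    """Yield (type, value) pairs: 1-byte type, 2-byte big-endian length, value."""
    pos = 0
    while pos + 3 <= len(buf):
        typ, length = buf[pos], struct.unpack("!H", buf[pos + 1:pos + 3])[0]
        pos += 3
        if pos + length > len(buf):
            raise ValueError("truncated TLV")
        yield typ, buf[pos:pos + length]
        pos += length


def parse_proxy_v2(data):
    """Return (info, bytes after the header). info has src/dst and the SSL TLV if any."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY v2 header")
    ver_cmd, fam_proto, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported PROXY protocol version")
    if len(data) < 16 + length:
        raise ValueError("incomplete header; read more bytes first")
    body, rest = data[16:16 + length], data[16 + length:]
    info = {"command": "PROXY" if ver_cmd & 0x0F == 1 else "LOCAL", "ssl": None}
    family = fam_proto >> 4
    if family == 1:    # AF_INET: 4+4 byte addresses, then 2+2 byte ports
        src, dst, sport, dport = struct.unpack("!4s4sHH", body[:12])
        info["src"] = (socket.inet_ntop(socket.AF_INET, src), sport)
        info["dst"] = (socket.inet_ntop(socket.AF_INET, dst), dport)
        tlv_area = body[12:]
    elif family == 2:  # AF_INET6: 16+16 byte addresses, then 2+2 byte ports
        src, dst, sport, dport = struct.unpack("!16s16sHH", body[:36])
        info["src"] = (socket.inet_ntop(socket.AF_INET6, src), sport)
        info["dst"] = (socket.inet_ntop(socket.AF_INET6, dst), dport)
        tlv_area = body[36:]
    else:              # AF_UNSPEC, e.g. a LOCAL health check: nothing to trust here
        tlv_area = b""
    for typ, val in _tlvs(tlv_area):
        if typ == PP2_TYPE_SSL and len(val) >= 5:
            client, verify = struct.unpack("!BI", val[:5])  # verify is OpenSSL's X509_V_* code
            ssl = {"verify": verify, "cn": None, "version": None,
                   "cert_on_connection": bool(client & PP2_CLIENT_CERT_CONN)}
            for sub, subval in _tlvs(val[5:]):
                if sub == PP2_SUBTYPE_SSL_CN:
                    ssl["cn"] = subval.decode("utf-8")
                elif sub == PP2_SUBTYPE_SSL_VERSION:
                    ssl["version"] = subval.decode("ascii")
            info["ssl"] = ssl
    return info, rest


def authenticated_cn(info):
    """CN to identify the customer by; None unless a cert was presented on this
    connection and HAProxy's verification succeeded (verify == 0, X509_V_OK)."""
    ssl = info.get("ssl")
    if not ssl or not ssl["cert_on_connection"] or ssl["verify"] != 0:
        return None
    return ssl["cn"]


def build_sample_header(cn, verify=0, payload=b"hello"):
    """Construct a header shaped like HAProxy's: 203.0.113.7:51234 -> 198.51.100.2:443."""
    cn_b = cn.encode("utf-8")
    ssl_val = struct.pack("!BI", PP2_CLIENT_SSL | PP2_CLIENT_CERT_CONN, verify)
    ssl_val += struct.pack("!BH", PP2_SUBTYPE_SSL_VERSION, 7) + b"TLSv1.2"
    ssl_val += struct.pack("!BH", PP2_SUBTYPE_SSL_CN, len(cn_b)) + cn_b
    body = socket.inet_aton("203.0.113.7") + socket.inet_aton("198.51.100.2")
    body += struct.pack("!HH", 51234, 443)
    body += struct.pack("!BH", PP2_TYPE_SSL, len(ssl_val)) + ssl_val
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body + payload
```

The app reads the header once per accepted connection and keeps `rest` as the start of the customer's stream; `authenticated_cn` refuses to identify a customer when the verify code is non-zero, which is the check that `verify required` on the bind line does not perform for you on the backend side.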

Direct SSL without Redirect


@nbraetter wrote:

Hi, is it possible to send a page request direct to SSL without an http request? And the second question! We want to mark non-existent pages via HAProxy with a 510 error.

We get some trouble with this. We have a user-registered page which is not existent anymore. Google removal takes some time to remove the page with a 404 error. So we want to mark those pages with a 510 redirect.

Thank you for the short help.

Best Regards
Nicolay


Override CORS without body from backend


@fatruden wrote:

Hi folks.

I override CORS on the haproxy level for some origins.

I use the following rules:

```
frontend
    ...
    http-request set-var(txn.origin) req.hdr(Origin)
    acl override_cors var(txn.origin) -m end -i console.XXX
    acl override_cors var(txn.origin) -m sub -i console.XXX
    http-request set-var(txn.override_cors) bool(false) unless override_cors
    http-request set-var(txn.override_cors) bool(true) if override_cors
    use_backend backend

backend
    ...
    http-response add-header Vary Origin if { var(txn.origin) -m len gt 1 }
    acl override_cors var(txn.override_cors),bool
    acl res_status_403 status eq 403
    http-response set-status 200 if res_status_403 override_cors METH_OPTIONS
    http-response set-header Content-Length 0 if override_cors METH_OPTIONS
    http-response set-header Access-Control-Allow-Headers origin,\ content-length,\ content-type,\ content-md5 if override_cors
    http-response set-header Access-Control-Allow-Origin %[var(txn.origin)] if override_cors
    http-response set-header Access-Control-Allow-Methods GET,\ HEAD,\ POST,\ OPTIONS,\ PUT,\ DELETE if override_cors
    http-response set-header Access-Control-Max-Age 600 if override_cors
    ...
```

It works perfectly, but my real backend server sends me back a 403 with some XML body. As you can see, I override the headers but the body is sent to clients as is.

How can I drop the body of the real server response? Or how can I avoid sending the request to the real server at all?

haproxy version is 1.8.8 without Lua.

