
Https Frontend to Http backend 400 (BAD REQUEST)

Hello, I have an https / http frontend which accesses an http backend.
Basically I want to limit the frontend to https. The problem, however, is that the web service repeatedly generates a POST 400 (BAD REQUEST) error when called up via https when I open the page via my web browser.

Here is my configuration:

global
	maxconn			5000
	log			/var/run/log	local0	debug
	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
	uid			80
	gid			80
	nbproc			1
	nbthread			1
	hard-stop-after		15m
	chroot				/tmp/haproxy_chroot
	daemon
	tune.ssl.default-dh-param	2048
	server-state-file /tmp/haproxy_server_state
	

listen HAProxyLocalStats
	bind 127.0.0.1:2200 name localstats
	mode http
	stats enable
	stats admin if TRUE
	stats show-legends
	stats uri /haproxy/haproxy_stats.php?haproxystats=1
	timeout client 5000
	timeout connect 5000
	timeout server 5000

frontend NachOpenVPN_HTTPS-aus_LAN
	bind			10.4.4.239:443 name 10.4.4.239:443  no-sslv3 ssl crt-list /var/etc/haproxy/NachOpenVPN_HTTPS-aus_LAN.crt_list
	bind			10.4.4.239:80 name 10.4.4.239:80	
	mode			http
	log			global
	option			socket-stats
	option			log-separate-errors
	option			httplog
	option			http-keep-alive
	option			forwardfor
	acl https ssl_fc
	http-request set-header		X-Forwarded-Proto http if !https
	http-request set-header		X-Forwarded-Proto https if https
	timeout client		7200000
	acl			DL_thorstenACL	var(txn.txnhost) -m str -i vpn.schulte-batenXXX.de
	http-request set-var(txn.txnhost) hdr(host)
	use_backend DLthorsten-ohne-passwort_ipvANY  if  DL_thorstenACL aclcrt_NachOpenVPN_HTTPS-aus_LAN


backend DLthorsten-ohne-passwort_ipvANY
	mode			http
	id			106
	log			global
	stick-table type ip size 50k expire 30m
	stick on src
	timeout connect		30000
	timeout server		30000
	retries			3
	server			DL_Thorsten 10.4.4.10:1731 id 111

Log from haproxy:

May 15 05:54:47 haproxy[92018]: 10.4.4.241:62950 [15/May/2020:05:54:47.424] NachOpenVPN_HTTPS-aus_LAN~ DLthorsten-ohne-passwort_ipvANY/DL_Thorsten 0/0/0/5/5 400 130 - - ---- 6/6/5/5/0 0/0 "POST /socket.io/?EIO=3&transport=polling&t=N8MU63L&sid=ec5b759b878a4dfcac0b96b29893255b HTTP/1.1"
May 15 05:54:47 haproxy[92018]: 10.4.4.241:62881 [15/May/2020:05:54:17.061] NachOpenVPN_HTTPS-aus_LAN~ DLthorsten-ohne-passwort_ipvANY/DL_Thorsten 0/0/0/-1/30027 504 218 - - sH-- 6/6/5/5/0 0/0 "GET /socket.io/?EIO=3&transport=polling&t=N8MT-fV&sid=2fc24b8c6e3d4a2d8ac1850799d3b1b7 HTTP/1.1"
May 15 05:54:46 haproxy[92018]: 10.4.4.241:62939 [15/May/2020:05:54:46.763] NachOpenVPN_HTTPS-aus_LAN~ DLthorsten-ohne-passwort_ipvANY/DL_Thorsten 0/0/0/5/5 400 130 - - ---- 6/6/5/5/0 0/0 "POST /socket.io/?EIO=3&transport=polling&t=N8MU5va&sid=ec5b759b878a4dfcac0b96b29893255b HTTP/1.1"
May 15 05:54:46 haproxy[92018]: 10.4.4.241:62948 [15/May/2020:05:54:46.652] NachOpenVPN_HTTPS-aus_LAN~ DLthorsten-ohne-passwort_ipvANY/DL_Thorsten 0/0/1/5/8 101 138 - - ---- 7/7/5/5/0 0/0 "GET /socket.io/?EIO=3&transport=websocket&sid=ec5b759b878a4dfcac0b96b29893255b HTTP/1.1"
May 15 05:54:46 haproxy[92018]: 10.4.4.241:62939 [15/May/2020:05:54:44.220] NachOpenVPN_HTTPS-aus_LAN~ DLthorsten-ohne-passwort_ipvANY/DL_Thorsten 0/0/0/2242/2245 200 59965 - - ---- 6/6/5/5/0 0/0 "GET /socket.io/?EIO=3&transport=polling&t=N8MU3d3 HTTP/1.1"
May 15 05:54:44 haproxy[92018]: 10.4.4.241:62939 [15/May/2020:05:54:44.205] NachOpenVPN_HTTPS-aus_LAN~ DLthorsten-ohne-passwort_ipvANY/DL_Thorsten 0/0/1/7/8 400 130 - - ---- 6/6/5/5/0 0/0 "POST /socket.io/?EIO=3&transport=polling&t=N8MU37u&sid=7fe4c58f5d7a4297a1f9ca307c0eef55 HTTP/1.1"
May 15 05:54:44 haproxy[92018]: 10.4.4.241:62868 [15/May/2020:05:54:14.142] NachOpenVPN_HTTPS-aus_LAN~ DLthorsten-ohne-passwort_ipvANY/DL_Thorsten 0/0/0/-1/30028 504 218 - - sH-- 6/6/5/5/0 0/0 "GET /socket.io/?EIO=3&transport=polling&t=N8MTzxt&sid=0c793cecac2245c3b28d6ee7901c2f7f HTTP/1.1"
May 15 05:54:35 haproxy[92018]: 10.4.4.241:62921 [15/May/2020:05:54:34.965] NachOpenVPN_HTTPS-aus_LAN~ DLthorsten-ohne-passwort_ipvANY/DL_Thorsten 0/0/0/4/44 400 130 - - ---- 6/6/5/5/0 0/0 "POST /socket.io/?EIO=3&transport=polling&t=N8MU31C&sid=7fe4c58f5d7a4297a1f9ca307c0eef55 HTTP/1.1"
May 15 05:54:34 haproxy[92018]: 10.4.4.241:62923 [15/May/2020:05:54:34.930] NachOpenVPN_HTTPS-aus_LAN~ DLthorsten-ohne-passwort_ipvANY/DL_Thorsten 0/0/1/6/8 101 138 - - ---- 7/7/5/5/0 0/0 "GET /socket.io/?EIO=3&transport=websocket&sid=7fe4c58f5d7a4297a1f9ca307c0eef55 HTTP/1.1"

haproxy -vv

[2.4.4-RELEASE][root@pfSense.localdomain]/root: haproxy -vv
HA-Proxy version 2.0.14 2020/04/02 - https://haproxy.org/
Build options :
  TARGET  = freebsd
  CPU     = generic
  CC      = cc
  CFLAGS  = -O2 -pipe -fstack-protector-strong -fno-strict-aliasing -fno-strict-aliasing -Wdeclaration-after-statement -fwrapv -Wno-address-of-packed-member -Wno-unused-label -Wno-sign-compare -Wno-unused-parameter -Wno-ignored-qualifiers -Wno-missing-field-initializers -Wno-implicit-fallthrough -Wtype-limits -Wshift-negative-value -Wnull-dereference -DFREEBSD_PORTS
  OPTIONS = USE_PCRE=1 USE_PCRE_JIT=1 USE_REGPARM=1 USE_STATIC_PCRE=1 USE_GETADDRINFO=1 USE_OPENSSL=1 USE_LUA=1 USE_ACCEPT4=1 USE_ZLIB=1 USE_CPU_AFFINITY=1

Feature list : -EPOLL +KQUEUE -MY_EPOLL -MY_SPLICE -NETFILTER +PCRE +PCRE_JIT -PCRE2 -PCRE2_JIT +POLL -PRIVATE_CACHE +THREAD -PTHREAD_PSHARED +REGPARM +STATIC_PCRE -STATIC_PCRE2 +TPROXY -LINUX_TPROXY -LINUX_SPLICE +LIBCRYPT -CRYPT_H -VSYSCALL +GETADDRINFO +OPENSSL +LUA -FUTEX +ACCEPT4 -MY_ACCEPT4 +ZLIB -SLZ +CPU_AFFINITY -TFO -NS -DL -RT -DEVICEATLAS -51DEGREES -WURFL -SYSTEMD -OBSOLETE_LINKER -PRCTL -THREAD_DUMP -EVPORTS

Default settings :
  bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with multi-threading support (MAX_THREADS=64, default=4).
Built with OpenSSL version : OpenSSL 1.0.2t-freebsd  10 Sep 2019
Running on OpenSSL version : OpenSSL 1.0.2o-freebsd  27 Mar 2018 (VERSIONS DIFFER!)
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : SSLv3 TLSv1.0 TLSv1.1 TLSv1.2
Built with Lua version : Lua 5.3.5
Built with transparent proxy support using: IP_BINDANY IPV6_BINDANY
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"), deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE version : 8.43 2019-02-23
Running on PCRE version : 8.43 2019-02-23
PCRE library supports JIT : yes
Encrypted password support via crypt(3): yes

Available polling systems :
     kqueue : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use kqueue.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
              h2 : mode=HTTP       side=FE        mux=H2
              h2 : mode=HTX        side=FE|BE     mux=H2
       <default> : mode=HTX        side=FE|BE     mux=H1
       <default> : mode=TCP|HTTP   side=FE|BE     mux=PASS

Available services : none

Available filters :
        [SPOE] spoe
        [COMP] compression
        [CACHE] cache
        [TRACE] trace

Log from Chrome:
VM41:1 POST https://vpn.schulte-batenXXX.de/socket.io/?EIO=3&transport=polling&t=N8MUv9n&sid=546c263979164fca9e7eae654fa4d92c 400 (BAD REQUEST)

If I only open the page via http, there are no problems.
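
A triage helper for the HAProxy log above, added here as an example and not part of the original post: it parses the httplog lines and groups the socket.io requests by `sid`, counting polling POSTs answered 400 after the same session's websocket upgrade returned 101. The function names are illustrative, and the correlation is something to check against the backend, not a diagnosis.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Five lines copied from the HAProxy log in the post above.
SAMPLE = '''\
May 15 05:54:47 haproxy[92018]: 10.4.4.241:62950 [15/May/2020:05:54:47.424] NachOpenVPN_HTTPS-aus_LAN~ DLthorsten-ohne-passwort_ipvANY/DL_Thorsten 0/0/0/5/5 400 130 - - ---- 6/6/5/5/0 0/0 "POST /socket.io/?EIO=3&transport=polling&t=N8MU63L&sid=ec5b759b878a4dfcac0b96b29893255b HTTP/1.1"
May 15 05:54:47 haproxy[92018]: 10.4.4.241:62881 [15/May/2020:05:54:17.061] NachOpenVPN_HTTPS-aus_LAN~ DLthorsten-ohne-passwort_ipvANY/DL_Thorsten 0/0/0/-1/30027 504 218 - - sH-- 6/6/5/5/0 0/0 "GET /socket.io/?EIO=3&transport=polling&t=N8MT-fV&sid=2fc24b8c6e3d4a2d8ac1850799d3b1b7 HTTP/1.1"
May 15 05:54:46 haproxy[92018]: 10.4.4.241:62939 [15/May/2020:05:54:46.763] NachOpenVPN_HTTPS-aus_LAN~ DLthorsten-ohne-passwort_ipvANY/DL_Thorsten 0/0/0/5/5 400 130 - - ---- 6/6/5/5/0 0/0 "POST /socket.io/?EIO=3&transport=polling&t=N8MU5va&sid=ec5b759b878a4dfcac0b96b29893255b HTTP/1.1"
May 15 05:54:46 haproxy[92018]: 10.4.4.241:62948 [15/May/2020:05:54:46.652] NachOpenVPN_HTTPS-aus_LAN~ DLthorsten-ohne-passwort_ipvANY/DL_Thorsten 0/0/1/5/8 101 138 - - ---- 7/7/5/5/0 0/0 "GET /socket.io/?EIO=3&transport=websocket&sid=ec5b759b878a4dfcac0b96b29893255b HTTP/1.1"
May 15 05:54:46 haproxy[92018]: 10.4.4.241:62939 [15/May/2020:05:54:44.220] NachOpenVPN_HTTPS-aus_LAN~ DLthorsten-ohne-passwort_ipvANY/DL_Thorsten 0/0/0/2242/2245 200 59965 - - ---- 6/6/5/5/0 0/0 "GET /socket.io/?EIO=3&transport=polling&t=N8MU3d3 HTTP/1.1"
'''

# httplog order: client [accept_date] fe be/srv timers status bytes 2xcookie term conns queues "request"
LINE = re.compile(
    r'\S+ \[(?P<ts>[^\]]+)\] \S+ [^/\s]+/\S+ [-\d/]+ (?P<status>\d{3}) \d+ '
    r'\S+ \S+ (?P<term>\S{4}) \S+ \S+ "(?P<method>\S+) (?P<uri>\S+)')

def parse(line):
    """Return one request as a dict, or None if the line is not an httplog line."""
    m = LINE.search(line)
    if not m:
        return None
    q = parse_qs(urlsplit(m["uri"]).query)
    return {"ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S.%f"),  # accept date
            "method": m["method"], "status": int(m["status"]), "term": m["term"],
            "transport": q.get("transport", [None])[0],
            "sid": q.get("sid", [None])[0]}

def by_sid(text):
    """Group parsed requests by socket.io session id, oldest first."""
    sessions = defaultdict(list)
    for rec in filter(None, map(parse, text.splitlines())):
        sessions[rec["sid"]].append(rec)
    return {sid: sorted(recs, key=lambda r: r["ts"]) for sid, recs in sessions.items()}

def polling_400_after_upgrade(text):
    """Map sid -> number of polling POSTs answered 400 after that sid's 101 upgrade."""
    hits = {}
    for sid, recs in by_sid(text).items():
        upgrades = [r["ts"] for r in recs
                    if r["transport"] == "websocket" and r["status"] == 101]
        late = [r for r in recs if upgrades and r["method"] == "POST"
                and r["transport"] == "polling" and r["status"] == 400
                and r["ts"] > upgrades[0]]
        if sid is not None and late:
            hits[sid] = len(late)
    return hits
```

Timestamps in httplog are the accept date of each request, so the ordering reflects when HAProxy received the request, not when the response was sent.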
