A 'http-request' rule placed after a 'redirect' rule will still be processed before

Help!
1

Hi,

Getting the below message in haproxy log. could some one suggest me what went wrong.
a ‘http-request’ rule placed after a ‘redirect’ rule will still be processed before.

haproxy version:2.8
My configuration file

global
daemon
maxconn 1000
chroot /var/lib/haproxy
log /dev/log local0
log /dev/log local1 notice
tune.ssl.default-dh-param 2048

defaults
log global
option httplog
mode tcp
retries 3
timeout client 30m
timeout connect 10m
timeout server 30m
timeout check 100s
option forwardfor
option http-server-close
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

frontend httpOrHttps-in
bind *:80
bind *:443 ssl crt /etc/haproxy/ssl/certs
option forwardfor
http-request set-header X-Forwarded-Proto https if { ssl_fc }
redirect scheme https code 301 if !{ ssl_fc }
mode http
acl host_abc_dev_ui hdr(host) -i hello-dev.com
use_backend abc_dev_server_ui if host_abc_dev_ui

backend abc_dev_server_ui
redirect scheme https if !{ ssl_fc }
mode http
server ui-ip xx.xx.xxx.xxx:8081 check
http-request set-header X-Forwarded-Port 443
http-request add-header X-Forwarded-Proto https

Thanks

2

Can you elaborate the actual problem here?

It is difficult to understand what real problem you have here, since you have duplicated configuration in back and frontends.

When you redirect HTTP to HTTPS, your backend server will not see any requests from the HTTP at all, haproxy will not even forward it, because it will send a redirect instead. So you will always see X-Forwarded-Proto: https on your backend server.

3

Hi @lukastribus

If possible can you please correct my config file if it is wrong and also you said it is duplicated
I am getting warning errors in my haproxy logs as below. Even though they say warning i am suspecting something wrong hence seeking help

Feb 09 13:24:38 haproxy-server systemd[1]: Started HAProxy Load Balancer.
Feb 9 13:24:38 haproxy-server haproxy[5006]: [WARNING] (5006) : config : parsing [/etc/haproxy/haproxy.cfg:42] : a ‘http-request’ rule placed after a ‘redirect’ rule will still be processed before.
Feb 9 13:24:38 haproxy-3-secondary haproxy[5006]: [WARNING] (5006) : config : parsing [/etc/haproxy/haproxy.cfg:43] : a ‘http-request’ rule placed after a ‘redirect’ rule will still be processed before.

Thanks
kumar

4

In the non HTTP case, the headers you add are irrelevant, because only a redirect is created anyway, also, you need exactly 1 redirect statement, not 2 or 3.

frontend httpOrHttps-in
 bind *:80
 bind *:443 ssl crt /etc/haproxy/ssl/certs
 option forwardfor
 http-request set-header X-Forwarded-Port 443
 http-request set-header X-Forwarded-Proto https
 redirect scheme https code 301 if !{ ssl_fc }
 mode http
 acl host_abc_dev_ui hdr(host) -i hello-dev.com
 use_backend abc_dev_server_ui if host_abc_dev_ui

backend abc_dev_server_ui
 mode http
 server ui-ip xx.xx.xxx.xxx:8081 check

However to make this more obvious and the configuration easier to read, I suggest separating the frontends, so you see immediately what is actually happening:

frontend http
 bind *:80
 mode http
 redirect scheme https code 301

frontend https
 bind *:443 ssl crt /etc/haproxy/ssl/certs
 mode http
 option forwardfor
 http-request set-header X-Forwarded-Port 443
 http-request set-header X-Forwarded-Proto https
 acl host_abc_dev_ui hdr(host) -i hello-dev.com
 use_backend abc_dev_server_ui if host_abc_dev_ui

backend abc_dev_server_ui
 mode http
 server ui-ip xx.xx.xxx.xxx:8081 check
5

Hi @lukastribus

Thanks a lot for your help. Will check and get back to you if have any questions

Thanks

6

Hi @lukastribus

After doing the changes as you told warning messages are not comming and now I am not seeing haproxy logs over /var/log/haproxy.log or /var/log/syslog
I am using ubuntu22

7

The global and defaults section need to stay as is. Do not remove them. I only posted the frontend and backend part.

8

Fixed!

1 Like