ADFS http-check

jean-marc.vuithier · August 11, 2020, 6:02am

I try to configure HA-Proxy 2.2.1 with an ADFS on the backend. is working but the haproxy.log show me an “warning” to use an another syntax.

parsing [/etc/haproxy/haproxy.cfg:116]: ‘option httpchk’ : hiding headers or body at the end of the version string is deprecated. Please, consider to use ‘http-check send’ directive instead.
not able to use the http-check someone have a syntax example ? below my backend configuration:

backend bk_adfs
mode http
option forwardfor header X-Client
option http-keep-alive
log /dev/log local0 debug
timeout connect 30000
timeout server 30000
balance roundrobin
option httpchk GET /adfs/ls/IdpInitiatedSignon.aspx HTTP/1.0\r\n
http-check expect string Sign\ in
stick-table type ip size 200k expire 30m
stick on src
server adfs01 172.20.1.202:443 ssl verify none check-sni server1.mydomain.com sni ssl_fc_sni

Thanks in advance for your help

lukastribus · August 11, 2020, 10:09am

Just removing the trailing \r\n should be enough here, I don’t think this option was deprecated in its entirety (just using it with \r\n to add additional headers - which you are not even doing).

http-check send should be as simple as:

http-check send GET /adfs/ls/IdpInitiatedSignon.aspx HTTP/1.0

jean-marc.vuithier · August 11, 2020, 4:21pm

Hello Lukas,

Is not working the syntax is wrong unfortunately

parsing [/etc/haproxy/haproxy.cfg:117] : ‘http-check send’ : expects ‘comment’, ‘meth’, ‘uri’, ‘uri-lf’, ‘ver’, ‘hdr’, ‘body’ or ‘body-lf’ but got ‘GET’ as argument.

other idea ?

Cheers

lukastribus · August 11, 2020, 8:32pm

Right, must be this then:

http-check send meth GET uri /adfs/ls/IdpInitiatedSignon.aspx ver HTTP/1.0

jean-marc.vuithier · August 11, 2020, 8:59pm

not better always a warning
config : backend ‘bk_adfs’ uses http-check rules without ‘option httpchk’, so the rules are ignored.

jean-marc.vuithier · August 11, 2020, 9:01pm

my config here:
backend bk_adfs
mode http
option forwardfor header X-Client
option http-keep-alive
log /dev/log local0 debug
timeout connect 30000
timeout server 30000
balance roundrobin
http-check send meth GET uri /adfs/ls/IdpInitiatedSignon.aspx ver HTTP/1.0
http-check expect string Sign\ in
stick-table type ip size 200k expire 30m
stick on src
server adfs01 172.20.1.202:443 ssl verify none check-sni myserver.mydomain sni ssl_fc_sni

lukastribus · August 11, 2020, 9:16pm

Alright:

option httpchk
http-check send meth GET uri /adfs/ls/IdpInitiatedSignon.aspx ver HTTP/1.0
http-check expect string Sign\ in

jean-marc.vuithier · August 12, 2020, 6:41am

Hello Lukas,

It’s work fine ! Thanks a lot for you help in this topic

Topic		Replies	Views
HAProxy 1.8.14 and ADFS 4.0 Help!	15	6454	October 7, 2019
Load Balance ADFS 3.o Help!	5	7418	December 28, 2017
Check health on backend TLS sites that requires SNI Help!	1	520	June 5, 2020
URL redirect HAproxy Help!	3	657	October 14, 2021
Pass src ip with HAProxy and MS ADFS Help!	9	2653	January 9, 2020

ADFS http-check

Related topics