Bluemind and HAProxy as reverse proxy

Help!
1

Hi everybody,

I have a problem configuring haproxy as a reverse proxy for Bluemind.
When I enter the URL on a browser, it changes to the same address followed by a lot of \ and I get the message “The page isn’t redirecting properly”

In the logs of the proxy server, i get :

Nov 13 14:45:25 rproxy haproxy[5244]: 10.5.0.176:35822 [13/Nov/2018:14:45:25.581] https-in~ bk_bluemind/bluemind 0/0/0/1/1 301 381 - - ---- 1/1/0/1/0 0/0 "GET / HTTP/1.1"
Nov 13 14:45:25 rproxy haproxy[5244]: 10.5.0.176:35822 [13/Nov/2018:14:45:25.605] https-in~ bk_bluemind/bluemind 0/0/0/1/1 301 382 - - ---- 1/1/0/1/0 0/0 "GET // HTTP/1.1"
Nov 13 14:45:25 rproxy haproxy[5244]: 10.5.0.176:35822 [13/Nov/2018:14:45:25.611] https-in~ bk_bluemind/bluemind 0/0/0/1/1 301 383 - - ---- 1/1/0/1/0 0/0 "GET /// HTTP/1.1"
Nov 13 14:45:25 rproxy haproxy[5244]: 10.5.0.176:35822 [13/Nov/2018:14:45:25.616] https-in~ bk_bluemind/bluemind 0/0/0/0/1 301 384 - - ---- 1/1/0/1/0 0/0 "GET //// HTTP/1.1"
Nov 13 14:45:25 rproxy haproxy[5244]: 10.5.0.176:35822 [13/Nov/2018:14:45:25.620] https-in~ bk_bluemind/bluemind 0/0/0/1/1 301 385 - - ---- 1/1/0/1/0 0/0 "GET ///// HTTP/1.1"
Nov 13 14:45:25 rproxy haproxy[5244]: 10.5.0.176:35822 [13/Nov/2018:14:45:25.630] https-in~ bk_bluemind/bluemind 0/0/0/0/0 301 386 - - ---- 1/1/0/1/0 0/0 "GET ////// HTTP/1.1"
Nov 13 14:45:25 rproxy haproxy[5244]: 10.5.0.176:35822 [13/Nov/2018:14:45:25.646] https-in~ bk_bluemind/bluemind 0/0/0/0/0 301 387 - - ---- 1/1/0/1/0 0/0 "GET /////// HTTP/1.1"
Nov 13 14:45:25 rproxy haproxy[5244]: 10.5.0.176:35822 [13/Nov/2018:14:45:25.656] https-in~ bk_bluemind/bluemind 0/0/0/1/1 301 388 - - ---- 1/1/0/1/0 0/0 "GET //////// HTTP/1.1"

In the logs of the bluemind server, i get :

nginx/access.log:10.5.0.43 - - [13/Nov/2018:14:45:25 +0100] "GET ////////////////// HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0" rt="0.000" uct="-" urt="-"
nginx/access.log:10.5.0.43 - - [13/Nov/2018:14:45:25 +0100] "GET /////////////////// HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0"
nginx/access.log:10.5.0.43 - - [13/Nov/2018:14:45:25 +0100] "GET /////////////////// HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0" rt="0.000" uct="-" urt="-"
nginx/access.log:10.5.0.43 - - [13/Nov/2018:14:45:25 +0100] "GET //////////////////// HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0"
nginx/access.log:10.5.0.43 - - [13/Nov/2018:14:45:25 +0100] "GET //////////////////// HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0" rt="0.000" uct="-" urt="-"
nginx/access.log:10.5.0.43 - - [13/Nov/2018:14:45:25 +0100] "GET ///////////////////// HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:63.0) Gecko/20100101 Firefox/63.0"

Here is (part of) my configuration :

frontend https-in
	mode http
	bind *:80
	bind *:443 ssl crt-list /etc/haproxy/crt-list.txt
	acl acl_bluemind hdr(host) bluemind.mydomain.fr
	use_backend bk_bluemind if acl_bluemind
	default_backend bk_wanda
backend bk_bluemind
	mode http
	option httpchk
	http-request set-header X-Forwarded-Proto http if ! { ssl_fc }
	http-request set-header X-Forwarded-Proto https if { ssl_fc }
	server bluemind 10.5.0.48:80

Does anyone experienced such a problem or have a solution ?
Regards,

2

I assume the bluemind server is configured something like this:
https://forge.bluemind.net/confluence/display/BM35/Installation+d'un+serveur+Edge+%3A+Nginx+et+Postfix?src=contextnavpagetreemode

nginx only allows connections to port 443 and redirects everything that comes in on port 80. You will have to either configure nginx so that port behaves just like port 443, have nginx respect the X-Forwarded-Proto header, or, if you cannot modify the nginx configuration at all, connect to nginx on port 443 (but then you have to redirect to https in haproxy).

I am unsure why you need both haproxy and nginx in this case though. Seems to me one edge proxy should be enough, why are you cascading them?

3

Thank you for your post.
Unfortunately, we don’t have an edge server now, but it seems a good idea to setup one :wink:
Instead we have a reverse proxy (actually apache2) in DMZ proxying to the bluemind server on the LAN.
The goal is to change the apache2 reverse proxy to haproxy.
I’m not sure about how to redirect to https in haproxy. I tried this :

backend bk_bluemind
	mode http
	option httpchk
	redirect scheme https if !{ ssl_fc }
	http-request set-header X-Forwarded-Proto http if ! { ssl_fc }
	http-request set-header X-Forwarded-Proto https if { ssl_fc }
	redirect scheme https code 301 if !{ ssl_fc }
	server bluemind 10.5.0.48:443

But the //// are still present and I get a “400 Bad Request - The plain HTTP request was sent to HTTPS port” on my browser.
Can you help me solving the redirection ?
Thanks,

4

OK, I finally found the correct configuration (it seems)

frontend https-in
	mode http
	bind *:80
	bind *:443 ssl crt-list /etc/haproxy/crt-list.txt
	acl acl_bluemind hdr(host) bluemind.mydomain.fr
	redirect scheme https if acl_bluemind !{ ssl_fc }
	use_backend bk_bluemind if acl_bluemind

backend bk_bluemind
	mode http
	option httpchk
	http-request set-header X-Forwarded-Proto http if ! { ssl_fc }
	http-request set-header X-Forwarded-Proto https if { ssl_fc }
	server bluemind 10.5.0.48:443 ssl verify none
1 Like