Hi,
I need to set up tailing software behind haproxy (ref: https://github.com/mthenw/frontail).
To work, as written in their documentation (for nginx), we need to use a path (xxx/logs as example).
I made it work in http mode using the following:
In the frontend section:
acl is_logs path_beg /logs
use_backend logs_backend if is_logs
WHERE /logs matches the value you defined in the frontail config "--url-path"
backend logs_backend
balance roundrobin
option httpclose
option forwardfor
server Server3 127.0.0.1:9001 cookie Server3
Now, I would like to have the same working in addition to https.
Here is my current config with https:
global
log 127.0.0.1 local0 debug
daemon
user haproxy
group haproxy
maxconn 100000
maxsslconn 100000
nbproc 4
tune.ssl.cachesize 100000
tune.ssl.lifetime 86400
tune.ssl.maxrecord 1400
ssl-default-bind-ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AES256:ECDHE+RSA+AES256+GCM+SHA384:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-server-ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AES256:ECDHE+RSA+AES256+GCM+SHA384:!aNULL:!MD5:!DSS
ssl-default-server-options no-sslv3
defaults
log global
mode http
option dontlognull
option forwardfor except 127.0.0.1
timeout connect 60000
timeout client 60000
timeout server 60000
listen stats
bind 0.0.0.0:1936
stats enable
stats uri /
stats realm Haproxy\ Statistics
stats auth bops:123456789
log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}[ssl_c_s_dn]\ %{+Q}r\ %sslc\ %sslv
option tcplog
bind *:443
mode tcp
option socket-stats
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
use_backend backend-fido-https if { req_ssl_sni -i ttp.domain.com }
use_backend backend-ssp-https if { req_ssl_sni -i ssp.domain.com }
use_backend backend-logs if { req_ssl_sni -i logs.domain.com }
default_backend backend-bops-https
With the specific backend for logs like this:
backend backend-logs
balance roundrobin
option httpclose
option forwardfor
server Server99 127.0.0.1:9001 cookie Server99
HAProxy is not loading anything and I have a <NOSERV> in the logs.
Any insights on how I can merge my 2 requirements? (i.e. adding a path to the https settings?)
The idea is to have https://logs.domain.com/logs pointing to the internal frontail tool, which runs on http port 9001 as http://127.0.0.1/logs on the internal host.
Thanks in advance
First of all you have to provide a COMPLETE configuration, otherwise I have to piece the rest together.
Also, if you want to handle HTTPS just as you handle HTTP today, you need to terminate SSL by installing the certificate on haproxy. Otherwise it’s encrypted, and you can’t make decisions based on encrypted data.
Hi @lukastribus, thanks for your response.
I tried to simplify but obviously that was not a good idea.
Please find below the entire config (which is working in https):
global
log 127.0.0.1 local0 debug
daemon
user haproxy
group haproxy
maxconn 100000
maxsslconn 100000
nbproc 4
tune.ssl.cachesize 100000
tune.ssl.lifetime 86400
tune.ssl.maxrecord 1400
ssl-default-bind-ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AES256:ECDHE+RSA+AES256+GCM+SHA384:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-server-ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AES256:ECDHE+RSA+AES256+GCM+SHA384:!aNULL:!MD5:!DSS
ssl-default-server-options no-sslv3
defaults
log global
mode http
option dontlognull
option forwardfor except 127.0.0.1
timeout connect 60000
timeout client 60000
timeout server 60000
listen stats
bind 0.0.0.0:1936
stats enable
stats uri /
stats realm Haproxy\ Statistics
stats auth bops:test1234
frontend frontend-https
log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}[ssl_c_s_dn]\ %{+Q}r\ %sslc\ %sslv
option tcplog
bind *:443
mode tcp
option socket-stats
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }
#acl is_logs path_beg /logs
#use_backend backend-logs if is_logs
use_backend backend-bops-https if { req_ssl_sni -i poc.dragoon.one }
use_backend backend-dmz-https if { req_ssl_sni -i dmz.domain.com }
use_backend backend-shib-https if { req_ssl_sni -i s.domain.com }
use_backend backend-websec-admin-https if { req_ssl_sni -i a.domain.com }
use_backend backend-fido-https if { req_ssl_sni -i f.domain.com }
use_backend backend-ssp-https if { req_ssl_sni -i s2.domain.com }
use_backend backend-logs if { req_ssl_sni -i logs.domain.com }
default_backend backend-bops-https
backend backend-bops-https
mode tcp
server bops-https 127.0.0.1:4141 send-proxy
frontend frontend-bops-http
mode http
log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}[ssl_c_s_dn]\ %{+Q}r\ %sslc\ %sslv
bind 127.0.0.1:4141 accept-proxy ssl crt /etc/haproxy/server.pem ca-file /etc/haproxy/client-ca.pem verify optional
rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
http-request del-header Origin
http-request set-header X-Forwarded-Proto https
http-request set-header x-ssl-termination-proxy-secret tkWIHWhcSATDTHl
http-request set-header X-SSL %[ssl_fc]
rspirep ^(set-cookie:.*) \1;\ Secure
http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
http-request set-header X-SSL-Client-SHA1 %{+Q}[ssl_c_sha1]
http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
http-request set-header X-SSL-Client-Not-Before %{+Q}[ssl_c_notbefore]
http-request set-header X-SSL-Client-Not-After %{+Q}[ssl_c_notafter]
default_backend backend-bops
rspadd X-Frame-Options:\ DENY
backend backend-bops
balance roundrobin
mode http
rspirep ^(set-cookie:.*) \1;\ Secure
server server-127.0.0.1 127.0.0.1:8083 check
backend backend-logs
balance roundrobin
option httpclose
option forwardfor
server Server99 127.0.0.1:12000 cookie Server99
backend backend-dmz-https
mode tcp
server server-dmz-https 127.0.0.1:8544 send-proxy
frontend frontend-dmz-https
log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}[ssl_c_s_dn]\ %{+Q}r\ %sslc\ %sslv
bind 127.0.0.1:8544 accept-proxy ssl crt /etc/haproxy/server.pem
option httplog
option dontlognull
rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
http-request del-header Origin
http-request set-header X-Forwarded-Proto https
http-request set-header X-SSL %[ssl_fc]
default_backend backend-dmz-http
rspadd X-Frame-Options:\ DENY
backend backend-dmz-http
balance roundrobin
http-response set-header X-Content-Type-Options nosniff
server server-127.0.0.1 127.0.0.1:8543 check
backend backend-shib-https
mode tcp
server server-shib-https 127.0.0.1:8944 send-proxy
frontend frontend-shibboleth-https
mode http
log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}[ssl_c_s_dn]\ %{+Q}r\ %sslc\ %sslv
bind 127.0.0.1:8944 accept-proxy ssl crt /etc/haproxy/server.pem
option httplog
option dontlognull
rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
http-request del-header Origin
http-request set-header X-Forwarded-Proto https
http-request set-header X-SSL %[ssl_fc]
rspirep ^(set-cookie:.*) \1;\ Secure
default_backend backend-shibboleth-http
rspadd X-Frame-Options:\ DENY
backend backend-shibboleth-http
mode http
balance roundrobin
rspirep ^(set-cookie:.*) \1;\ Secure
http-response set-header X-Content-Type-Options nosniff
server server-127.0.0.1 127.0.0.1:8943 check
backend backend-websec-admin-https
mode tcp
server websec-admin-https 127.0.0.1:9091 send-proxy
frontend frontend-websec-admin-http
mode http
timeout connect 500000
timeout client 500000
timeout server 1500000
log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}[ssl_c_s_dn]\ %{+Q}r\ %sslc\ %sslv
bind 127.0.0.1:9091 accept-proxy ssl crt /etc/haproxy/server.pem ca-file /etc/haproxy/client-ca.pem verify optional
rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
http-request del-header Origin
http-request set-header X-Forwarded-Proto https
http-request set-header x-ssl-termination-proxy-secret tkWIHWhcSATDTHl
http-request set-header X-SSL %[ssl_fc]
rspirep ^(set-cookie:.*) \1;\ Secure
http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
http-request set-header X-SSL-Client-SHA1 %{+Q}[ssl_c_sha1]
http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
http-request set-header X-SSL-Client-Not-Before %{+Q}[ssl_c_notbefore]
http-request set-header X-SSL-Client-Not-After %{+Q}[ssl_c_notafter]
default_backend backend-websec-admin-http
rspadd X-Frame-Options:\ DENY
backend backend-websec-admin-http
balance roundrobin
server server-127.0.0.1 127.0.0.1:9090 check
backend backend-fido-https
mode tcp
server server-fido-https 127.0.0.1:11443 send-proxy
frontend frontend-fido-https
log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ body:%[capture.req.hdr(0)]\ %{+Q}[ssl_c_s_dn]\ %{+Q}r\ %sslc\ %sslv
bind 127.0.0.1:11443 accept-proxy ssl crt /etc/haproxy/server.pem
option http-buffer-request
rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
#http-request del-header Origin
http-request set-header X-Forwarded-Proto https
http-request set-header X-SSL %[ssl_fc]
#rspirep ^(set-cookie:.*) \1;\ Secure
default_backend backend-fido-http
rspadd X-Frame-Options:\ DENY
backend backend-fido-http
balance roundrobin
http-response set-header X-Content-Type-Options nosniff
server server-127.0.0.1 127.0.0.1:11442 check
backend backend-ssp-https
mode tcp
server server-ssp-https 127.0.0.1:9987 send-proxy
frontend frontend-ssp-https
mode http
log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}[ssl_c_s_dn]\ %{+Q}r\ %sslc\ %sslv
bind 127.0.0.1:9987 accept-proxy ssl crt /etc/haproxy/server.pem
option httplog
option dontlognull
rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
http-request del-header Origin
http-request set-header X-Forwarded-Proto https
http-request set-header X-SSL %[ssl_fc]
rspirep ^(set-cookie:.*) \1;\ Secure
default_backend backend-ssp-http
rspadd X-Frame-Options:\ DENY
backend backend-ssp-http
mode http
balance roundrobin
rspirep ^(set-cookie:.*) \1;\ Secure
http-response set-header X-Content-Type-Options nosniff
server server-127.0.0.1 127.0.0.1:9986 check
So the idea is to be able to have multiple instances of frontail mapped to directories like:
https://logs.domain.com/mylogfile1
https://logs.domain.com/mylogfile2
https://logs.domain.com/mylogfile3
etc.
Any ACL matches related to HTTP headers or paths need to be in frontend frontend-bops-http (decrypts SSL, is in http mode), not in frontend frontend-https (just passes the raw TCP payload, which contains encrypted SSL traffic).
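A worked layout of what the answer above describes, added here as an example and not taken from the thread or from the frontail project: the TCP frontend on :443 can only match SNI, so logs.domain.com is handed to the TLS-terminating frontend, and the path ACLs for the frontail instances live there, after decryption. It assumes server.pem also covers logs.domain.com, that the frontail instances were started with --url-path /mylogfile1 and /mylogfile2, and the ports 9001 and 12000 from the thread; the backend names for the second instance are made up.

```haproxy
frontend frontend-https
    mode tcp
    bind *:443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Only the cleartext SNI is visible here: no path or Host ACLs possible.
    # Send the logs hostname to the frontend that terminates TLS.
    use_backend backend-bops-https if { req_ssl_sni -i logs.domain.com }
    default_backend backend-bops-https

backend backend-bops-https
    mode tcp
    server bops-https 127.0.0.1:4141 send-proxy

frontend frontend-bops-http
    mode http
    # TLS is terminated here, so the request line and headers are decrypted.
    bind 127.0.0.1:4141 accept-proxy ssl crt /etc/haproxy/server.pem
    http-request set-header X-Forwarded-Proto https
    acl host_logs hdr(host) -i logs.domain.com
    # Each path prefix must equal the --url-path the frontail instance uses.
    acl is_logs1 path_beg /mylogfile1
    acl is_logs2 path_beg /mylogfile2
    use_backend backend-logs1 if host_logs is_logs1
    use_backend backend-logs2 if host_logs is_logs2
    default_backend backend-bops

backend backend-bops
    mode http
    server server-127.0.0.1 127.0.0.1:8083 check

# One backend per frontail instance; plain HTTP to localhost behind the proxy.
backend backend-logs1
    mode http
    option forwardfor
    server frontail1 127.0.0.1:9001 check

backend backend-logs2
    mode http
    option forwardfor
    server frontail2 127.0.0.1:12000 check
```

Keep the SNI rule for logs.domain.com pointing at a TCP-mode backend that feeds the terminating frontend; routing it straight to an http backend from the TCP frontend leaves nothing able to decrypt the request.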
Hello,
Thank you, that was the trick!
Solved, thanks.