Can not manage to merge 2 things : path + https

Hi ,
I need to set a tailing software behind haproxy ( ref : https://github.com/mthenw/frontail )
To work, as written in their documentation (for nginx), we need to use a path (xxx/logs as an example).
I made it working in http mode using the following :
in frontend section :

# Path matching needs the HTTP request line, so this pair only works in an
# http-mode frontend: plain HTTP, or HTTPS after TLS has been terminated on haproxy.
acl is_logs path_beg /logs
use_backend logs_backend if is_logs

WHERE /logs matches the value you defined in the frontail config "--url-path"

  • Create a new backend :
backend logs_backend
           # Single plaintext frontail instance; inherits 'mode http' from defaults.
           balance roundrobin
           # Close the connection after each request/response.
           option httpclose
           # Adds X-Forwarded-For so frontail sees the original client address.
           option forwardfor
           # NOTE(review): there is no 'cookie <name>' directive in this backend, so
           # the 'cookie Server3' value is presumably never inserted — confirm.
           server Server3 127.0.0.1:9001 cookie Server3

Now, I would like to have the same working in addition to https.
Here is my current config with https


global
        # NOTE(review): 'debug' level combined with the full request line (%{+Q}r)
        # in the log-formats below is very verbose; check that URLs carrying
        # tokens in the query string are acceptable at this log destination.
        log 127.0.0.1 local0 debug
        daemon
        user haproxy
        group haproxy
        maxconn 100000
        maxsslconn 100000
        # Four worker processes; connection limits and the stats page are
        # per process in this model.
        nbproc 4
        tune.ssl.cachesize 100000
        tune.ssl.lifetime 86400
        tune.ssl.maxrecord 1400


        # Applied to every 'bind ... ssl'. The list still permits 3DES
        # (ECDH+3DES) and non-forward-secret RSA key exchange (RSA+AES256);
        # dropping both is a cheap hardening step unless legacy clients need them.
        ssl-default-bind-ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AES256:ECDHE+RSA+AES256+GCM+SHA384:!aNULL:!MD5:!DSS
        # Only SSLv3 is disabled, so TLS 1.0/1.1 remain enabled; 'no-tlsv10
        # no-tlsv11' can be added once the client base allows it. 'no-tls-tickets'
        # leaves resumption to the server-side cache sized above.
        ssl-default-bind-options no-sslv3 no-tls-tickets

        # Defaults for 'server ... ssl' lines; none of the server lines in this
        # excerpt use ssl, so these two are currently unused here.
        ssl-default-server-ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AES256:ECDHE+RSA+AES256+GCM+SHA384:!aNULL:!MD5:!DSS
        ssl-default-server-options no-sslv3

defaults
        log     global
        # Every section below is HTTP unless it sets 'mode tcp' itself.
        mode    http
        option  dontlognull
        # Add X-Forwarded-For, except for connections arriving from loopback.
        option forwardfor except 127.0.0.1
        # Milliseconds: 60 s each.
        timeout connect 60000
        timeout client 60000
        timeout server 60000

listen stats
        # NOTE(review): the stats page listens on every interface and is guarded
        # only by a static Basic-Auth password over plain HTTP (no 'ssl' on the
        # bind). Bind it to 127.0.0.1 or an admin network, and treat this password
        # as burned now that it has been posted.
        bind 0.0.0.0:1936
        stats enable
        stats uri /
        stats realm Haproxy\ Statistics
        stats auth bops:123456789


        # NOTE(review): from here on these lines look like the 'frontend
        # frontend-https' section of the full config posted later in the thread;
        # the section header seems to have been lost in this excerpt, so as shown
        # they attach to 'listen stats'.
        # Several fields of this format (%{+Q}[ssl_c_s_dn], %{+Q}r, %sslc, %sslv)
        # only have values after TLS termination in an http-mode section.
        log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}[ssl_c_s_dn]\ %{+Q}r\ %sslc\ %sslv
        option tcplog
        bind *:443
        # Raw TCP: TLS is not terminated here, so only the unencrypted ClientHello
        # (SNI) is available for routing; HTTP paths are not visible.
        mode tcp
        option socket-stats
        # Wait up to 5 s for a ClientHello; accept as soon as one has arrived.
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }

                        # NOTE(review): backend-fido-https, backend-ssp-https and
                        # backend-bops-https are not defined anywhere in this excerpt.
                        use_backend backend-fido-https if { req_ssl_sni -i ttp.domain.com }
                        use_backend backend-ssp-https if { req_ssl_sni -i ssp.domain.com }
                       use_backend backend-logs if { req_ssl_sni -i logs.domain.com }
                        # Also receives clients that send no SNI, or an unknown one.
                        default_backend backend-bops-https

With the specific backend for logs like that :

backend backend-logs
       # NOTE(review): this backend inherits 'mode http' from defaults but is
       # selected by a tcp-mode frontend that has not terminated TLS, so the
       # plaintext frontail listener on 9001 would be handed encrypted bytes.
       # The stream must be decrypted (a 'bind ... ssl crt' frontend) before any
       # path-based routing can happen; this is the likely source of the
       # NOSERV entries mentioned in the post.
       balance roundrobin
       option httpclose
       option forwardfor
       # NOTE(review): no 'cookie <name>' directive in this backend, so the
       # 'cookie Server99' value is presumably never inserted — confirm.
       server Server99 127.0.0.1:9001 cookie Server99

HAProxy is not loading anything and I get a <NOSERV> in the logs.
Any insights on how I can merge my 2 requirements? (i.e. adding a path to the https settings?)

The idea is to have https://logs.domain.com/logs pointing to the internal frontail tool, which runs on http port 9001 as http://127.0.0.1/logs on the internal host.
Thanks in advance

First of all you have to provide a COMPLETE configuration, otherwise I have to piece the rest together.

Also, if you want to handle HTTPS just as you handle HTTP today, you need to terminate SSL by installing the certificate on haproxy. Otherwise it’s encrypted, and you can’t make decisions based on encrypted data.

Hi @lukastribus , thanks for your response.
I tried to simplify, but obviously that was not a good idea.
Please find below the entire config (which is working in https).

global
        # NOTE(review): 'debug' level combined with the full request line (%{+Q}r)
        # in the log-formats below is very verbose; check that URLs carrying
        # tokens in the query string are acceptable at this log destination.
        log 127.0.0.1 local0 debug
        daemon
        user haproxy
        group haproxy
        maxconn 100000
        maxsslconn 100000
        # Four worker processes; connection limits and the stats page are
        # per process in this model.
        nbproc 4
        tune.ssl.cachesize 100000
        tune.ssl.lifetime 86400
        tune.ssl.maxrecord 1400  


        # Applied to every 'bind ... ssl'. The list still permits 3DES
        # (ECDH+3DES) and non-forward-secret RSA key exchange (RSA+AES256);
        # dropping both is a cheap hardening step unless legacy clients need them.
        ssl-default-bind-ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AES256:ECDHE+RSA+AES256+GCM+SHA384:!aNULL:!MD5:!DSS
        # Only SSLv3 is disabled, so TLS 1.0/1.1 remain enabled; 'no-tlsv10
        # no-tlsv11' can be added once the client base allows it. 'no-tls-tickets'
        # leaves resumption to the server-side cache sized above.
        ssl-default-bind-options no-sslv3 no-tls-tickets

        # Defaults for 'server ... ssl' lines; no server line in this file uses
        # ssl (they all forward to loopback with send-proxy), so these are unused.
        ssl-default-server-ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:ECDH+3DES:RSA+AES256:ECDHE+RSA+AES256+GCM+SHA384:!aNULL:!MD5:!DSS
        ssl-default-server-options no-sslv3

defaults
        log     global
        # Every section below is HTTP unless it sets 'mode tcp' itself.
        mode    http
        option  dontlognull
        # Add X-Forwarded-For, except for connections arriving from loopback.
        option forwardfor except 127.0.0.1
        # Milliseconds: 60 s each.
        timeout connect 60000
        timeout client 60000
        timeout server 60000

listen stats
        # NOTE(review): the stats page listens on every interface and is guarded
        # only by a static Basic-Auth password over plain HTTP (no 'ssl' on the
        # bind). Bind it to 127.0.0.1 or an admin network, and treat this password
        # as burned now that it has been posted.
        bind 0.0.0.0:1936
        stats enable
        stats uri /
        stats realm Haproxy\ Statistics
        stats auth bops:test1234

frontend frontend-https
        # NOTE(review): several fields here (%{+Q}[ssl_c_s_dn], %{+Q}r, %sslc,
        # %sslv, %hr/%hs) only have values after TLS termination in an http-mode
        # section; in this tcp-mode frontend they are presumably empty — confirm.
        log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}[ssl_c_s_dn]\ %{+Q}r\ %sslc\ %sslv
        option tcplog
        # Public TLS entry point. TLS is NOT terminated here; the stream is
        # forwarded encrypted to a per-host local frontend that holds the key.
        bind *:443
        mode tcp
        option socket-stats
        # Buffer up to 5 s waiting for a ClientHello; accept as soon as one arrives.
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }
# NOTE(review): correctly left disabled: path_beg needs the HTTP request line,
# which is still encrypted at this point. Path ACLs belong in the http-mode
# frontend that terminates TLS for the host in question (e.g. frontend-bops-http).
#acl is_logs path_beg /logs
#use_backend backend-logs if is_logs

        # Routing on the cleartext SNI only. Every target is expected to be a
        # tcp-mode backend that relays the still-encrypted stream, via the PROXY
        # protocol, to a local 'bind ... ssl crt' frontend.
        use_backend backend-bops-https if { req_ssl_sni -i poc.dragoon.one }
                        use_backend backend-dmz-https if { req_ssl_sni -i dmz.domain.com }
                        use_backend backend-shib-https if { req_ssl_sni -i s.domain.com }
                        use_backend backend-websec-admin-https if { req_ssl_sni -i a.domain.com }
                        use_backend backend-fido-https if { req_ssl_sni -i f.domain.com }
                        use_backend backend-ssp-https if { req_ssl_sni -i s2.domain.com }
                        # NOTE(review): whatever backend-logs is, it receives an encrypted
                        # TLS stream here; it must be a tcp-mode backend chained to a
                        # TLS-terminating frontend like the other *-https targets, not a
                        # direct hop to the plaintext frontail listener.
                        use_backend backend-logs if { req_ssl_sni -i logs.domain.com }
                        # Also receives clients that send no SNI, or an unknown one.
                        default_backend backend-bops-https

backend backend-bops-https
        # Relays the still-encrypted stream. 'send-proxy' prepends a PROXY
        # protocol header so frontend-bops-http ('bind ... accept-proxy') learns
        # the real client address instead of 127.0.0.1.
        mode tcp
        server bops-https 127.0.0.1:4141 send-proxy

frontend frontend-bops-http
        mode http
        log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}[ssl_c_s_dn]\ %{+Q}r\ %sslc\ %sslv
        # TLS is terminated here with server.pem. A client certificate is
        # requested but not required ('verify optional'): a missing or invalid
        # cert does not fail the handshake, it only shows up in
        # X-SSL-Client-Verify below, so the access decision is the backend's.
        bind 127.0.0.1:4141 accept-proxy ssl crt /etc/haproxy/server.pem ca-file /etc/haproxy/client-ca.pem verify optional
        # NOTE(review): rspadd/rspirep are legacy directives superseded by
        # 'http-response add-header' / 'http-response replace-header'; the
        # backends in this file already use the 'http-response' family.
        rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
        # NOTE(review): dropping Origin prevents the application from doing any
        # Origin-based CSRF/CORS check — presumably deliberate; confirm.
        http-request del-header Origin
        http-request set-header X-Forwarded-Proto https
        # NOTE(review): static shared secret that is now public with this post;
        # rotate it and keep it out of pasted configs.
        http-request set-header x-ssl-termination-proxy-secret tkWIHWhcSATDTHl
        http-request set-header X-SSL %[ssl_fc]
        # Appends '; Secure' to every Set-Cookie (case-insensitive match).
        rspirep ^(set-cookie:.*)  \1;\ Secure
        # 'set-header' overwrites any client-supplied header of the same name,
        # which is what makes these values trustworthy downstream — provided
        # backend-bops (127.0.0.1:8083) is reachable only through this proxy.
        # ssl_c_verify is 0 when the client certificate verified successfully.
        http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
        http-request set-header X-SSL-Client-SHA1 %{+Q}[ssl_c_sha1]
        http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
        http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
        http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
        http-request set-header X-SSL-Client-Not-Before %{+Q}[ssl_c_notbefore]
        http-request set-header X-SSL-Client-Not-After %{+Q}[ssl_c_notafter]
        # The request is decrypted at this point, so path- or host-based ACLs
        # (e.g. 'acl is_logs path_beg /logs' + 'use_backend ... if is_logs')
        # are meaningful in this section.
        default_backend backend-bops
        rspadd X-Frame-Options:\ DENY

backend backend-bops
        balance roundrobin
        mode http
        # NOTE(review): same Set-Cookie rewrite as in frontend-bops-http; both
        # apply to the response, so '; Secure' is presumably appended twice —
        # harmless but redundant.
        rspirep ^(set-cookie:.*)  \1;\ Secure
                # Plaintext hop on loopback; 'check' enables the default health check.
                server server-127.0.0.1 127.0.0.1:8083 check
        
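backend backend-logs
        # Selected by SNI in frontend-https, which is tcp mode and still carries
        # the encrypted TLS stream. This backend therefore stays in tcp mode and
        # hands the stream to a local TLS-terminating frontend, exactly as the
        # other *-https backends in this file do. As originally posted it
        # inherited 'mode http' and pointed straight at the plaintext frontail
        # listener, which would receive TLS bytes it cannot parse.
        mode tcp
        # Constructed port: any loopback port not used elsewhere in this file.
        server server-logs-https 127.0.0.1:12443 send-proxy

frontend frontend-logs-https
        mode http
        # Terminates TLS for logs.domain.com; 'accept-proxy' recovers the real
        # client address from the PROXY header that backend-logs prepends.
        bind 127.0.0.1:12443 accept-proxy ssl crt /etc/haproxy/server.pem
        option httplog
        option dontlognull
        http-request set-header X-Forwarded-Proto https
        http-request set-header X-SSL %[ssl_fc]
        http-response set-header X-Frame-Options DENY
        # Path-based routing is meaningful here, after decryption (it is not in
        # frontend-https). The prefix must match frontail's --url-path value;
        # add one acl/use_backend pair per extra frontail instance.
        acl is_logs path_beg /logs
        use_backend backend-logs-http if is_logs
        default_backend backend-logs-http

backend backend-logs-http
        balance roundrobin
        option httpclose
        # Adds X-Forwarded-For so frontail sees the original client address.
        option forwardfor
        http-response set-header X-Content-Type-Options nosniff
        # NOTE(review): no 'cookie <name>' directive in this backend, so the
        # 'cookie Server99' value is presumably never inserted — confirm.
        server Server99 127.0.0.1:12000 cookie Server99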
 

backend backend-dmz-https
        # Relays the still-encrypted stream to frontend-dmz-https with a PROXY
        # protocol header carrying the real client address.
        mode tcp
        server server-dmz-https 127.0.0.1:8544 send-proxy

frontend frontend-dmz-https
        # Inherits 'mode http' from defaults.
        # NOTE(review): an explicit log-format and 'option httplog' are both set;
        # haproxy keeps only one of them — confirm which format is intended.
        log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}[ssl_c_s_dn]\ %{+Q}r\ %sslc\ %sslv
        # TLS termination for dmz.domain.com; no client-certificate verification
        # here, so the X-SSL-Client-* headers of frontend-bops-http are absent.
        bind 127.0.0.1:8544 accept-proxy ssl crt /etc/haproxy/server.pem
        option httplog
        option dontlognull
        # NOTE(review): rspadd is a legacy directive superseded by
        # 'http-response add-header'.
        rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
        # NOTE(review): dropping Origin prevents Origin-based CSRF/CORS checks
        # in the application — presumably deliberate; confirm.
        http-request del-header Origin
        http-request set-header X-Forwarded-Proto https
        http-request set-header X-SSL %[ssl_fc]
        default_backend backend-dmz-http
        rspadd X-Frame-Options:\ DENY

backend backend-dmz-http
        balance roundrobin
        # Note: no Set-Cookie '; Secure' rewrite in this pair, unlike the bops,
        # shibboleth and ssp sections — check whether that is intended.
        http-response set-header X-Content-Type-Options nosniff
                # Plaintext hop on loopback with the default health check.
                server server-127.0.0.1 127.0.0.1:8543 check
        
backend backend-shib-https
        # Relays the still-encrypted stream to frontend-shibboleth-https with a
        # PROXY protocol header carrying the real client address.
        mode tcp
        server server-shib-https 127.0.0.1:8944 send-proxy

frontend frontend-shibboleth-https
        mode http
        # NOTE(review): an explicit log-format and 'option httplog' are both set;
        # haproxy keeps only one of them — confirm which format is intended.
        log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}[ssl_c_s_dn]\ %{+Q}r\ %sslc\ %sslv
        # TLS termination for s.domain.com; no client-certificate verification.
        bind 127.0.0.1:8944 accept-proxy ssl crt /etc/haproxy/server.pem
        option httplog
        option dontlognull
        # NOTE(review): rspadd/rspirep are legacy directives superseded by
        # 'http-response add-header' / 'http-response replace-header'.
        rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
        # NOTE(review): dropping Origin prevents Origin-based CSRF/CORS checks
        # in the application — presumably deliberate; confirm.
        http-request del-header Origin
        http-request set-header X-Forwarded-Proto https
        http-request set-header X-SSL %[ssl_fc]
        # Appends '; Secure' to every Set-Cookie (also done again in the backend).
        rspirep ^(set-cookie:.*)  \1;\ Secure
        default_backend backend-shibboleth-http
        rspadd X-Frame-Options:\ DENY

backend backend-shibboleth-http
        mode http
        balance roundrobin
        # NOTE(review): duplicates the Set-Cookie rewrite of
        # frontend-shibboleth-https; presumably '; Secure' ends up twice.
        rspirep ^(set-cookie:.*)  \1;\ Secure
        http-response set-header X-Content-Type-Options nosniff
                # Plaintext hop on loopback with the default health check.
                server server-127.0.0.1 127.0.0.1:8943 check
        
backend backend-websec-admin-https
        # Relays the still-encrypted stream to frontend-websec-admin-http with a
        # PROXY protocol header carrying the real client address.
        mode tcp
        server websec-admin-https 127.0.0.1:9091  send-proxy

frontend frontend-websec-admin-http
        mode http
        # NOTE(review): 'timeout connect' and 'timeout server' are backend-side
        # settings and are presumably ignored (with a warning) in a frontend;
        # if the ~8 min connect / 25 min server timeouts are really wanted, move
        # them to backend-websec-admin-http. Only 'timeout client' applies here.
        timeout connect 500000
        timeout client 500000
        timeout server 1500000        
        log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}[ssl_c_s_dn]\ %{+Q}r\ %sslc\ %sslv
        # TLS termination for a.domain.com with optional client certificate:
        # the handshake succeeds without a valid cert, the result is only
        # reported in X-SSL-Client-Verify, so the backend must enforce it.
        bind 127.0.0.1:9091 accept-proxy ssl crt /etc/haproxy/server.pem ca-file /etc/haproxy/client-ca.pem verify optional
        # NOTE(review): rspadd/rspirep are legacy directives superseded by
        # 'http-response add-header' / 'http-response replace-header'.
        rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
        # NOTE(review): dropping Origin prevents Origin-based CSRF/CORS checks
        # in the application — presumably deliberate; confirm.
        http-request del-header Origin
        http-request set-header X-Forwarded-Proto https
        # NOTE(review): same static shared secret as frontend-bops-http, now
        # public with this post; rotate it.
        http-request set-header x-ssl-termination-proxy-secret tkWIHWhcSATDTHl
        http-request set-header X-SSL %[ssl_fc]
        rspirep ^(set-cookie:.*)  \1;\ Secure
        # 'set-header' overwrites any client-supplied value, so these are
        # trustworthy downstream as long as 127.0.0.1:9090 is only reachable via
        # this proxy. ssl_c_verify is 0 on a successfully verified client cert.
        http-request set-header X-SSL-Client-Verify %[ssl_c_verify]
        http-request set-header X-SSL-Client-SHA1 %{+Q}[ssl_c_sha1]
        http-request set-header X-SSL-Client-DN %{+Q}[ssl_c_s_dn]
        http-request set-header X-SSL-Client-CN %{+Q}[ssl_c_s_dn(cn)]
        http-request set-header X-SSL-Issuer %{+Q}[ssl_c_i_dn]
        http-request set-header X-SSL-Client-Not-Before %{+Q}[ssl_c_notbefore]
        http-request set-header X-SSL-Client-Not-After %{+Q}[ssl_c_notafter]
                default_backend backend-websec-admin-http
        rspadd X-Frame-Options:\ DENY

backend backend-websec-admin-http
        # Inherits 'mode http' and the 60 s timeouts from defaults.
        balance roundrobin
                # Plaintext hop on loopback with the default health check.
                server server-127.0.0.1 127.0.0.1:9090 check
        
backend backend-fido-https
    # Relays the still-encrypted stream to frontend-fido-https with a PROXY
    # protocol header carrying the real client address.
    mode tcp
    server server-fido-https 127.0.0.1:11443 send-proxy

frontend frontend-fido-https
    # Inherits 'mode http' from defaults.
    # NOTE(review): 'body:%[capture.req.hdr(0)]' refers to the first captured
    # request header, but no 'capture request header' line is visible in this
    # section, so the field is presumably empty. If a capture of request
    # content is added later, remember this is an authentication endpoint logged
    # at debug level — captured values would land in the logs.
    log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ body:%[capture.req.hdr(0)]\ %{+Q}[ssl_c_s_dn]\ %{+Q}r\ %sslc\ %sslv
    # TLS termination for f.domain.com; no client-certificate verification.
    bind 127.0.0.1:11443 accept-proxy ssl crt /etc/haproxy/server.pem
    # Wait for the whole request body before processing.
    option http-buffer-request
    # NOTE(review): rspadd is a legacy directive superseded by
    # 'http-response add-header'.
    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
    # Origin is kept here, unlike the other frontends — presumably because this
    # application checks it; confirm.
    #http-request del-header Origin
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-SSL %[ssl_fc]
    # NOTE(review): the Set-Cookie '; Secure' rewrite is disabled for this host,
    # so its cookies are only Secure if the application sets the flag itself.
    #rspirep ^(set-cookie:.*)  \1;\ Secure
    default_backend backend-fido-http
    rspadd X-Frame-Options:\ DENY

backend backend-fido-http
    balance roundrobin
    http-response set-header X-Content-Type-Options nosniff
        # Plaintext hop on loopback with the default health check.
        server server-127.0.0.1 127.0.0.1:11442 check
    
backend backend-ssp-https
        # Relays the still-encrypted stream to frontend-ssp-https with a PROXY
        # protocol header carrying the real client address.
        mode tcp
        server server-ssp-https 127.0.0.1:9987 send-proxy

frontend frontend-ssp-https
        mode http
        # NOTE(review): an explicit log-format and 'option httplog' are both set;
        # haproxy keeps only one of them — confirm which format is intended.
        log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ %{+Q}[ssl_c_s_dn]\ %{+Q}r\ %sslc\ %sslv
        # TLS termination for s2.domain.com; no client-certificate verification.
        bind 127.0.0.1:9987 accept-proxy ssl crt /etc/haproxy/server.pem
        option httplog
        option dontlognull
        # NOTE(review): rspadd/rspirep are legacy directives superseded by
        # 'http-response add-header' / 'http-response replace-header'.
        rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains
        # NOTE(review): dropping Origin prevents Origin-based CSRF/CORS checks
        # in the application — presumably deliberate; confirm.
        http-request del-header Origin
        http-request set-header X-Forwarded-Proto https
        http-request set-header X-SSL %[ssl_fc]
        # Appends '; Secure' to every Set-Cookie (also done again in the backend).
        rspirep ^(set-cookie:.*)  \1;\ Secure
                default_backend backend-ssp-http
        rspadd X-Frame-Options:\ DENY

backend backend-ssp-http
        mode http
        balance roundrobin
        # NOTE(review): duplicates the Set-Cookie rewrite of frontend-ssp-https;
        # presumably '; Secure' ends up twice.
        rspirep ^(set-cookie:.*)  \1;\ Secure
        http-response set-header X-Content-Type-Options nosniff
                # Plaintext hop on loopback with the default health check.
                server server-127.0.0.1 127.0.0.1:9986 check
        

So the idea is to be able to have multiple instances of frontail mapped to directories like:

https://logs.domain.com/mylogfile1
https://logs.domain.com/mylogfile2
https://logs.domain.com/mylogfile3
etc

Any ACL’s matches related to HTTP headers or paths need to be in frontend frontend-bops-http (decrypts SSL, is in http mode), not in frontend frontend-https (just passes RAW TCP payload which contains encrypted SSL traffic).


Hello,
Thank you, that was the trick!
Solved, thanks.