I am trying to set up a farm of servers to serve the same website across all the servers, including the subdomains. I posted my example configuration below.
When tested it seemed to allow for the main website to be loaded, but anytime the subdomains were accessed it would just redirect to the main domain’s content. Is there a way, using the configuration I have below or some other configuration, that I can accomplish the goal of having, say, 4 servers, all serving the same root domain and subdomains, while still utilizing an SSL certificate for all traffic? Each website also contains a 301 redirect to HTTPS to enforce the use of SSL.
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1 notice
    maxconn 4096
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode http
    option httplog
    option dontlognull
    option forwardfor
    option http-server-close
    stats enable
    stats auth admin:Password!
    stats uri /haproxyStats

frontend http-in
    bind *:80
    # Define hosts
    acl host_website hdr(host) -i domain.com
    acl host_website hdr(host) -i c.domain.com
    acl host_website hdr(host) -i s.domain.com
    acl host_website hdr(host) -i i.domain.com
    acl host_website hdr(host) -i e.domain.com
    ## figure out which one to use
    use_backend website if host_website
    use_backend website if host_website
    use_backend website if host_website
    use_backend website if host_website
    use_backend website if host_website

backend website
    balance leastconn
    option httpclose
    option forwardfor
    cookie JSESSIONID prefix
    server node1 10.5.0.10 cookie A check
    server node2 10.5.0.11 cookie A check
    server node3 10.5.0.12 cookie A check
    server node4 10.5.0.13 cookie A check
    server node5 10.5.0.14 cookie A check

Haproxy does not redirect anything in this configuration. Likely your backend servers are redirecting. Why that is, is a question that needs to be looked at from the application perspective. Nothing fancy that haproxy does here.
The configuration you posted doesn’t make a lot of sense though, are you sure that’s what you are really using? You don’t need multiple use_backend that are exactly the same. Once suffices. Also since you don’t have multiple backends, default_backend probably suffices.
All the SSL questions can be answered when you explain how you would like to set that up. Are the backend servers terminating SSL, or haproxy? Where are the certificates installed?
I would prefer that SSL be terminated by HAProxy. (For testing I’m using Let’s Encrypt)
The configuration I have posted is just an example. It’s not something I’m using in a production (or testing) environment.
Essentially, I have 3 servers configured in a network, each has two interfaces:
server1 10.5.0.10, 10.5.0.11
server2 10.5.0.12, 10.5.0.13
server3 10.5.0.14, 10.5.0.15
All of these servers and HAProxy will only be serving domain.com. Subdomains are also housed on the same servers (10.5.0.10 - 15), but my previous configuration (this is my second attempt) only displayed the main website (domain.com) for every subdomain. For example, images.domain.com is replicated by the servers and should also be handled by HAProxy. But images.domain.com displayed the document root for domain.com, and not images.domain.com.
I am new to HAProxy, if there is a configuration that would fit what I am trying to accomplish better than what I posted, please let me know. Configuration examples would be a great resource if you have any. If that makes more sense. Which I hope it does.
Remove option http-server-close from the defaults and option httpclose from the backend. They just disable keep-alive which makes no sense, unless you had a reason to put them there.
SSL configuration in haproxy is fairly straightforward, check out examples/ssl.cfg and the Mozilla SSL Configuration Generator for suggestions about how to do it securely.
Just avoid redirecting to SSL from the backend applications (do it in haproxy instead using redirect scheme), otherwise your backends start redirecting to HTTPS endlessly because they don’t know that haproxy actually terminates SSL (you’d have to set an HTTP header like X-Forwarded-Proto on haproxy, and make the application understand it).
If you want cookie persistence (do you?), you need to set each server to a different cookie value, otherwise it makes no sense. In your specific case you could set the same cookie for the other NIC of the same server, that should be fine.
    server server1-nic1 10.5.0.10 cookie A check
    server server1-nic2 10.5.0.11 cookie A check
    server server2-nic1 10.5.0.12 cookie B check
    server server2-nic2 10.5.0.13 cookie B check
    server server3-nic1 10.5.0.14 cookie C check
    server server3-nic2 10.5.0.15 cookie C check
That’s your backend server’s domain, haproxy does not know anything about this. You need to look there for fixes. Also, actually test your backend servers directly.
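The advice in the reply above, put together as one configuration. This is an added example, not part of the original thread and not a file shipped with HAProxy; the certificate path, the timeout values and the cookie name SERVERID are assumptions, and the addresses are the ones the poster listed.

```haproxy
# Added example: TLS terminated on HAProxy, one backend for every hostname.
global
    log 127.0.0.1 local0
    maxconn 4096
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode http
    option httplog
    option dontlognull
    option forwardfor
    # Assumed values; HAProxy warns at startup when timeouts are missing.
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend http-in
    bind *:80
    # Assumed path. The PEM file holds the certificate chain and private key
    # and must cover domain.com and each subdomain (SAN or wildcard).
    bind *:443 ssl crt /etc/haproxy/certs/domain.com.pem
    # Redirect in HAProxy so plain-HTTP requests never reach the backends;
    # the 301 rules inside the Apache virtual hosts should be removed.
    redirect scheme https code 301 if !{ ssl_fc }
    # Overwrites any client-supplied value, so the application can trust it.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    # No per-host ACLs needed: the Host header is forwarded unchanged and
    # Apache selects the virtual host from it.
    default_backend website

backend website
    balance leastconn
    # Persistence cookie managed by HAProxy; one value per physical server,
    # shared by both NICs of that server.
    cookie SERVERID insert indirect nocache
    server server1-nic1 10.5.0.10:80 cookie A check
    server server1-nic2 10.5.0.11:80 cookie A check
    server server2-nic1 10.5.0.12:80 cookie B check
    server server2-nic2 10.5.0.13:80 cookie B check
    server server3-nic1 10.5.0.14:80 cookie C check
    server server3-nic2 10.5.0.15:80 cookie C check
```

The stats page from the original post is left out here; if it is re-enabled, the `stats auth` credentials travel in HTTP basic auth and should only be reachable over the TLS listener or a restricted address.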
I’m unsure what you mean? There is no way using the domain the browser requests that I can pass the host header of images.domain.com on to the server from HAProxy?
The virtual hosts for each subdomain already exist in apache, and point to the correct document root, and the bind server that handles DNS is pointing to the public IP address of the HAProxy server. So the servers are already set up to serve the pages based on the domain names that are requested. HAProxy is only sending the root domain though (or at least I suspect) which is why it’s only displaying the root website, and not the sub-domains.
Correct me if I’m wrong. Which I may be, since I am new to HAProxy.
It’s very simple: your browser sets the Host header to images.domain.com. Haproxy passes the requests as-is to the backend server, which, if configured correctly, based on the Host header which is set to images.domain.com, serves the correct root.
No, haproxy won’t touch the Host header sent by the browser. Unless you configure haproxy to overwrite the Host header, but that’s not what you configured.
Again test your backend servers directly, without going through haproxy.
In the haproxy configuration, the subdomain acl is above the main domain. While trying to log in, the subdomain URL went to the main domain. Please give us a solution.
haproxy version: 1.6.14
acl xxx hdr_end(host) -i xxx.domain.in
acl xxxmain hdr_end(host) -i xxxmain.domain.in
use_backend xxxmain if xxxmain
use_backend xxx if xxx
backend xxx
    redirect scheme https if !{ ssl_fc }
    rspadd X-Frame-Options:\ SAMEORIGIN
    option forwardfor
    balance roundrobin
    cookie SERVERID insert indirect nocache
    server xxx 1.1.1.1:xxxx check ssl verify none
backend xxxmain
    redirect scheme https if !{ ssl_fc }
    rspadd X-Frame-Options:\ SAMEORIGIN
    option forwardfor
    balance roundrobin
    cookie SERVERID insert indirect nocache
    server xxxmain 1.1.1.1:xxxx check ssl verify none
Please open your own thread and don’t hijack others.