Help for an HAProxy Newbie

Hi,

Can someone help me with my configuration?

When I go to https://server.domain.com/test (frontend), I need to access a private server at http://privateserver:87/URL/SubURL/ (backend).

Is an http-request set-path /URL/SubURL/ in the backend section enough?

Thank you.

Maybe the following config will help you:

listen http_frontend
    bind *:443 ssl crt /path_to_your_pem/your.pem
    mode http

    acl acl_privateserver path_end -i /test
    use_backend privateserver if acl_privateserver

backend privateserver
    mode http
    http-request set-uri /URL/SubURL/
    server privateserver privateserver:87 check resolvers dns

Thank you.

I have tried this but it does not work:

503 Service Unavailable
No server is available to handle this request.

In the log I can see:

ft_pop_simu~ bk_pop_simu/dv06 0/0/1/5/6 302 395 - - ---- 2/1/0/0/0 0/0 "GET /test/ HTTP/1.1"
ft_pop_simu~ ft_pop_simu/ -1/-1/-1/-1/0 503 221 - - SC-- 2/1/0/0/0 0/0 "GET /Account/Login?ReturnUrl=%2fEspacePro%2fEntraineur%2fRetourPopIPN HTTP/1.1"

<NOSRV> is missing in the previous message

Please share your config

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE$
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend ft_box_simu
    bind *:443 ssl crt /etc/ssl/certs/wildcard.domain.com.pem
    acl box_url path_end -i /testboxbd
    acl box_url2 path_beg -i /account/
    use_backend bk_box_simu if box_url
    use_backend bk_box_simu2 if box_url2

backend bk_box_simu
    http-request set-path /EspacePro/Entraineur/RetourPayboxIPN
    server dv06 dv06.local:9080 check

backend bk_box_simu2
    server dv06 dv06.local:9080 check

I don’t know how to deal with the returned backend URL. I have created a second ACL and I can go further, but some backend URLs are still not managed: /Scripts/… and the page is not fully loaded.

Should I add an ACL for each different URL the backend returns?

Is it possible to hide the backend URL in the client browser and keep /testboxbd displayed?

Thank you

@lukastribus - I will let you take a look into this issue

Actually, I want my backend application to be accessed through HAProxy with the /testboxhd. Always.

The problem is in the responses, which delete the /testboxhd, and then my ACL doesn’t work. If I set a default_backend it works, but I need to force the /testpayboxhd.

So I have started to play with http-response and reqirep to modify queries and responses, but I’m not sure of what I did:

frontend ft_box_simu
    bind *:443 ssl crt /etc/ssl/certs/wildcard.domain.com.pem
    acl box_url path_end -i /testboxhd
    acl box_url2 path_beg -i /testboxhd/
    use_backend bk_box_simu if box_url
    use_backend bk_box_simu2 if box_url2

backend bk_box_simu
    http-request set-path /EspacePro/Entraineur/RetourBoxIPN
    server dv06 dv06.local:56 check
    http-response replace-header Location (.*) testboxhd\1

backend bk_box_simu2
    reqirep ^([^\ ]*)\ /testboxhd/(.*) \1\ /\2
    server dv06 dv06.local:56 check
    http-response replace-header Location (.*) testboxhd\1

It almost works, but I still have some content which tries to reach the backend server without the /testboxhd and I can’t find out why.

Is there an expert or someone who knows HAProxy very well to validate my conf or tell me if there is an easier way to achieve that?

Thank you

Problem is with the page content and its path not updated with the /testboxhd subdirectory.
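
Added example (not part of the thread and not HAProxy code): a Python model of the prefix mapping discussed above, plus a check that lists the root-relative links in a page body, which header rules such as `http-response replace-header Location` never touch. The sample HTML is constructed, the function names are hypothetical, and matching is case-sensitive, unlike the thread's `-i` ACLs.

```python
from html.parser import HTMLParser

PREFIX = "/testboxhd"                               # public prefix from the thread
ENTRY_PATH = "/EspacePro/Entraineur/RetourBoxIPN"   # set-path target in bk_box_simu
URL_ATTRS = {"href", "src", "action"}

def is_root_relative(url):
    return url.startswith("/") and not url.startswith("//")

def to_backend_path(path):
    """Request direction: what the two backends in the thread forward."""
    if path == PREFIX:
        return ENTRY_PATH                  # bk_box_simu: fixed entry page
    if path.startswith(PREFIX + "/"):
        return path[len(PREFIX):]          # bk_box_simu2: strip the prefix
    return None                            # no ACL matches, so no backend is chosen

def to_public_location(location):
    """Response direction: put the prefix back on root-relative redirects."""
    if is_root_relative(location) and to_backend_path(location.split("?")[0]) is None:
        return PREFIX + location
    return location

class _RefCollector(HTMLParser):
    """Collects URL attributes that would bypass the prefix in the browser."""
    def __init__(self):
        super().__init__()
        self.escaping = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value and is_root_relative(value):
                if to_backend_path(value.split("?")[0]) is None:
                    self.escaping.append((tag, name, value))

def escaping_references(html):
    collector = _RefCollector()
    collector.feed(html)
    return collector.escaping

# Constructed sample page, not taken from the thread's application.
SAMPLE_HTML = """<html><head>
<script src="/Scripts/app.js"></script>
<link rel="stylesheet" href="Content/site.css">
</head><body>
<a href="/testboxhd/Account/Logout">Logout</a>
<form action="/Account/Login" method="post"></form>
<img src="//cdn.example.invalid/logo.png">
</body></html>"""

if __name__ == "__main__":
    for ref in escaping_references(SAMPLE_HTML):
        print("escapes prefix:", ref)
```

Every reference the check reports is one the browser will request without /testboxhd, so it has to be fixed in the application (relative links or a configurable base path) rather than in the proxy's header rules.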