HAProxy community

Help using url parameter to select server backend

i’m using HA-Proxy version 1.8.8-1ubuntu0.4 2019/01/24 … config file is working, i want to add the capability to select a server based on a url parameter e.g. https://foobar-nd.ddns.net/?netdata_server=openvpn -> 192.168.1.235:19999

the key sections are below with the full config file at the end as well as the traceback … i’m new to haproxy so i’m not sure what is wrong however the trace show the initial GET causing an issue … all other portions of the config file are working

acl is-netdata-server-set-properly urlp_reg(netdata_server) ^(openvpn|poolside|rosegarden|stage|ha|pihole|unifi|unms|firepit|greenhouse|fireplace|genmon)
	http-request set-var(req.netdata_server) urlp(netdata_server) if is-netdata-server-set-properly

	use_backend backend-%[var(req.netdata_server)] if is-netdata-server-set-properly { ssl_fc_sni -i foobar-nd.ddns.net } 

backend backend-openvpn
	mode http
	server default-netdata 192.168.1.235:19999 check no-ssl
	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https if { ssl_fc }

----------------- output
00000009:https.accept(0005)=000a from [192.168.1.1:54494] ALPN=
0000000a:https-front.accept(0006)=000c from [192.168.1.1:54494] ALPN=
0000000a:https-front.clireq[000c:ffffffff]: GET /dashboard.js?v20181211-1 HTTP/1.1
0000000a:https-front.clihdr[000c:ffffffff]: Host: foobar-nd.ddns.net
0000000a:https-front.clihdr[000c:ffffffff]: Connection: keep-alive
0000000a:https-front.clihdr[000c:ffffffff]: User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.36
0000000a:https-front.clihdr[000c:ffffffff]: Accept: /
0000000a:https-front.clihdr[000c:ffffffff]: Referer: https://foobar-nd.ddns.net/?netdata_server=openvpn
0000000a:https-front.clihdr[000c:ffffffff]: Accept-Encoding: gzip, deflate, br
0000000a:https-front.clihdr[000c:ffffffff]: Accept-Language: en-US,en;q=0.9
0000000a:https-front.clihdr[000c:ffffffff]: Cookie: session=05213fd425d0545d2533307a0ae60fa6
0000000a:blueiris-backend.srvrep[000c:adfd]: HTTP/1.1 404 Not Found
0000000a:blueiris-backend.srvhdr[000c:adfd]: Server: BlueServer/4.8.6.3
0000000a:blueiris-backend.srvhdr[000c:adfd]: Date: Sat, 25 May 2019 14:51:20 GMT
0000000a:blueiris-backend.srvhdr[000c:adfd]: P3P: CP=“CAO COR CURa ADMa DEVa OUR IND ONL COM DEM PRE”
0000000a:blueiris-backend.srvhdr[000c:adfd]: Access-Control-Allow-Origin: *
0000000a:blueiris-backend.srvhdr[000c:adfd]: Set-Cookie: session=05213fd425d0545d2533307a0ae60fa6; path=/
0000000a:blueiris-backend.srvhdr[000c:adfd]: Connection: Close

---------------------- haproxy.cfg
global
maxconn 100
tune.ssl.default-dh-param 2048

defaults
	mode http
	log global
	timeout connect 20s
	timeout client 50s
	timeout server 50s
	timeout tunnel 1h

listen stats
	bind 192.168.1.235:9000
	mode http
	log global
	maxconn 10
	stats enable
	stats hide-version
	stats refresh 30s
	stats show-node
#	stats auth admin:password
	stats uri /haproxy?stats

frontend https
	bind *:443
	mode tcp


	tcp-request inspect-delay 5s
	tcp-request content accept if { req_ssl_hello_type 1 }
	use_backend openvpn-backend if { req_ssl_sni -i foobar.ddns.net }
	default_backend https-back

frontend https-front
	bind unix@/var/run/haproxy.sock ssl crt /etc/letsencrypt/live/foobar.ddns.net/haproxy.pem accept-proxy
	mode http

	acl is-netdata-server-set-properly urlp_reg(netdata_server) ^(openvpn|poolside|rosegarden|stage|ha|pihole|unifi|unms|firepit|greenhouse|fireplace|genmon)
	http-request set-var(req.netdata_server) urlp(netdata_server) if is-netdata-server-set-properly

	use_backend backend-%[var(req.netdata_server)] if is-netdata-server-set-properly { ssl_fc_sni -i foobar-nd.ddns.net }

	use_backend home-assistant-backend  if { ssl_fc_sni -i foobar-ha.ddns.net }
	use_backend nextcloud-backend if { ssl_fc_sni -i foobar-nc.ddns.net }
	use_backend blueiris-backend if { ssl_fc_sni -i foobar-bi.ddns.net }
	use_backend pihole-backend if { ssl_fc_sni -i foobar-dns.ddns.net }
	use_backend unifi-backend if { ssl_fc_sni -i foobar-unifi.ddns.net }
	use_backend unms-backend if { ssl_fc_sni -i foobar-unms.ddns.net }
	use_backend haproxy-backend if { ssl_fc_sni -i foobar-haproxy.ddns.net }
	default_backend blueiris-backend

frontend http
	bind :80
	acl letsencrypt-acl path_beg /.well-known/acme-challenge/
	use_backend letsencrypt-backend if letsencrypt-acl

backend letsencrypt-backend
	server letsencrypt 127.0.0.1:8888

backend https-back
	mode tcp
	server https-front unix@/var/run/haproxy.sock send-proxy-v2

backend backend-openvpn
	mode http
	server default-netdata 192.168.1.235:19999 check no-ssl
	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https if { ssl_fc }
	
backend openvpn-backend
	mode tcp
        timeout server 2h
	server openvpn 192.168.1.235:444

backend haproxy-backend
	mode http
	server haproxy 192.168.1.235:9000 no-ssl check
	http-request redirect location /haproxy?stats if { path / } 
	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend pihole-backend
	mode http
	server pi-hole 192.168.5.2:80 check no-ssl
	rspadd X-Frame-Options:\ SAMEORIGIN
	http-request redirect location /admin/ if { path / }
	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend unifi-backend
	mode http
	server unifi 192.168.1.16:8443 ssl verify none check
	http-request redirect location /manage/site/kab9w4dv/dashboard if { path / } 
	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend unms-backend
	mode http
	server unms 192.168.1.207 ssl verify none
	http-request redirect location /dashboard if { path / } 
	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend home-assistant-backend
	mode http
	server home-assistant 192.168.1.123:8123 check
	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend nextcloud-backend
	mode http
	server nextcloud 192.168.1.123:80 check
	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend blueiris-backend
	mode http
	server blueiris 192.168.1.36:1050 check
	http-request set-header X-Forwarded-Port %[dst_port]
	http-request add-header X-Forwarded-Proto https if { ssl_fc }

i spoke too soon … only works inside the firewall. outside this is the traceback(webrequest show ip address 192.168.1.198 and hangs)…not clear what’s wrong

00000006:https.accept(0005)=000a from [107.77.227.199:44432] ALPN=
00000007:https-front.accept(0006)=000c from [107.77.227.199:44432] ALPN=
00000007:https-front.clireq[000c:ffffffff]: GET /?netdata_server=genmon HTTP/1.1
00000007:https-front.clihdr[000c:ffffffff]: Host: marotta-nd.ddns.net
00000007:https-front.clihdr[000c:ffffffff]: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
00000007:https-front.clihdr[000c:ffffffff]: Accept-Language: en-us
00000007:https-front.clihdr[000c:ffffffff]: Connection: keep-alive
00000007:https-front.clihdr[000c:ffffffff]: Accept-Encoding: br, gzip, deflate
00000007:https-front.clihdr[000c:ffffffff]: User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 12_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Mobile/15E148 Safari/604.1
00000008:https-front.clicls[000c:ffffffff]
00000008:https-front.closed[000c:ffffffff]
00000006:https-back.srvcls[adfd:adfd]
00000006:https-back.clicls[adfd:adfd]
00000006:https-back.closed[adfd:adfd]

the query string used to select the backend server is interfering with the request … i need to remove the query string before proceeding to the backend processing … not sure how that would be done

Have you solved your issue?

yes, indirectly … my issue turned out to be related to the application (netdata) which continues to re-issue (not clear what the right term is) a variation of it’s url repeatedly. … so, i made a sub-domain (no-ip.com allow for 25) for each server … and now it works fine