Hi

We started seeing the default /haproxy?stats page coming although we didn’t explicitly configure it. We configured a separate frontend and backend for stats with different URI and protected them with passwords. It works fine when we hit /custom-stats page and prompt with the password.

Why default /haproxy?stats page still coming although we didn’t configure it? It shows the same info as with the other protected stats pages we configured.

Srinivas Kotaru

You will have to provide the full configuration.

Note: HAProxy running as a POD in k8s environment.

global

    log stdout format raw local0 info
    maxconn 40000
    stats socket /var/run/haproxy-ssl.stat
    tune.h2.initial-window-size 2000000
    ca-base /opt/haproxy/ssl/ca/
    tune.ssl.default-dh-param 2048
    ssl-default-bind-options no-sslv3

defaults
log global
mode http
option forwardfor except 127.0.0.0/8
option dontlognull
option httplog
balance roundrobin
retries 3
maxconn 40000
timeout http-keep-alive 60s
timeout client 10m
timeout server 10m
timeout queue 1m
timeout connect 10s
timeout check 10s
timeout http-request 10s
default-server init-addr last,libc,none

   errorfile 503 /opt/haproxy/errors/503.html
   errorfile 400 /opt/haproxy/errors/400.html
   errorfile 403 /opt/haproxy/errors/403.html
   errorfile 500 /opt/haproxy/errors/500.html
   errorfile 502 /opt/haproxy/errors/502.html
   errorfile 504 /opt/haproxy/errors/504.html
   errorfile 408 /dev/null

frontend keepalived-monitor
mode http
bind *:8080
monitor-uri /____rp-health.html
monitor fail if { nbsrv(apache_ping) lt 1 }

frontend “$HAPROXY_NODE”
mode http
bind *:80 accept-proxy
bind *:443 accept-proxy ssl no-tlsv10 no-tlsv11 crt /usr/local/etc/haproxy/ssl/certs ca-file /usr/local/etc/haproxy/ssl/usercerts/client-ts verify optional alpn h2,http/1.1 crt-ignore-err all
bind *:8443 ssl no-tlsv10 no-tlsv11 crt /usr/local/etc/haproxy/ssl/certs ca-file /usr/local/etc/haproxy/ssl/usercerts/client-ts verify optional alpn h2,http/1.1 crt-ignore-err all
monitor-uri /____rp-proxy.html

log-format “%ci:%cp [%tr] %ft %b/%s %TR/%Tw/%Tc/%Tr/%Ta %ST %B %CC %CS %tsc %ac/%fc/%bc/%sc/%rc %sq/%bq %hr %hs %{+Q}r %sslc %sslv”
unique-id-format %{+X}o\ %ci:%cp_%fi:%fp_%Ts_%rt:%pid
unique-id-header X-Unique-ID

Modify request and response headers

http-request set-header X-Client-Certificate %[ssl_c_der,base64]
http-request add-header X-Forwarded-Proto https
http-request add-header X-Forwarded-Port 443
http-response add-header X-RP-SSL-Name “$HAPROXY_NODE”
http-response del-header ^Server:.*
http-response del-header ^X-Powered-By:.*
http-response del-header ^X-Runtime:.*
http-response del-header ^X-SSO:.*

capture request header Host len 128
capture request header Referer len 256
capture request header User-Agent len 256
capture request header X-Unique-ID len 64
capture response header AUTH_USER len 64
capture response header JSESSIONID len 64
capture request header X-Forwarded-For len 64

#Redirect routes from 80 to 443 (in case they try to come in on http://)
redirect scheme https code 308 if !{ ssl_fc }
http-response set-header Strict-Transport-Security “max-age=31536000; includeSubDomains; preload;”
use_backend stats_backend if { path -i /____rp-stats }
use_backend stats_backend if { path -i /____rp-metrics }

default_backend apache_ping
resolvers dns
parse-resolv-conf
hold valid 10s

backend apache_ping
option httpchk
http-check send ver HTTP/1.1 meth GET hdr Host uri /____ping_proxy_healthz_check.html
http-check expect status 200
default-server maxconn 3200 inter 2s fall 3 rise 2
server-template apache-ping 6 xxxx.svc.cluster.local:444 check resolvers ssl verify none

frontend stats
bind *:8000
option http-use-htx
http-request use-service prometheus-exporter if { path /____rp-metrics }
stats enable
stats uri /____rp-stats
stats auth xxxx:xxxx
stats refresh 10s

backend stats_backend
server stats 127.0.0.1:8000 verify none

You are specifically redirecting traffic from your production frontend to the stats backend with this configuration:

frontend “$HAPROXY_NODE”
 [...]
 use_backend stats_backend if { path -i /____rp-stats }
 use_backend stats_backend if { path -i /____rp-metrics }

You are saying you get /haproxy?stats when you didn’t configure it.

However the configuration above clearly is not what you actually run, because it contains errors that make it impossible to even startup.

Fixing those errors leads to expected behavior: /haproxy?stats is not there:

lukas@dev:~$ curl 127.0.0.1:8000/____rp-stats
<html><body><h1>401 Unauthorized</h1>
You need a valid user and password to access this content.
</body></html>
lukas@dev:~$ curl 127.0.0.1:8000/haproxy?stats
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>
lukas@dev:~$ curl 127.0.0.1/haproxy?stat -v
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 80 (#0)
> GET /haproxy?stat HTTP/1.1
> Host: 127.0.0.1
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 308 Permanent Redirect
< content-length: 0
< location: https://127.0.0.1/haproxy?stat
<
* Connection #0 to host 127.0.0.1 left intact

Thanks for looking into @lukastribus
In our case, both are working

https://proxy-vip/__rp-stats → asking authentication → displaying stats ( expected behaviour since we configured such a way)

https://proxy-vip/haproxy?status -.> no authentication → displaying same stats page like /__rp-stats ( This is not expected since we didn’t configure for /haproxy?stats anywhere in our configuration)

curl https://proxy-vip/haproxy?stats -vL -I

• Trying xxxxxxxxxxxx…
• TCP_NODELAY set
• Connected to xxxxxxxx (xxxxxxxxx) port 443 (#0)
• ALPN, offering h2
• ALPN, offering http/1.1
• successfully set certificate verify locations:
• CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
• TLSv1.3 (OUT), TLS handshake, Client hello (1):
• TLSv1.3 (IN), TLS handshake, Server hello (2):
• TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
• TLSv1.3 (IN), TLS handshake, Request CERT (13):
• TLSv1.3 (IN), TLS handshake, Certificate (11):
• TLSv1.3 (IN), TLS handshake, CERT verify (15):
• TLSv1.3 (IN), TLS handshake, Finished (20):
• TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
• TLSv1.3 (OUT), TLS handshake, Certificate (11):
• TLSv1.3 (OUT), TLS handshake, Finished (20):
• SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
• ALPN, server accepted to use h2
• Server certificate:
• subject: xxxxxxxxxxxx
• start date: xxxxxxxxxxxx
• expire date: xxxxxxxxxxxx
• subjectAltName: host “xxxxxxxxxxx” matched cert’s “xxxxxxxxxxxxxx”
• issuer: xxxxxxx
• SSL certificate verify ok.
• Using HTTP2, server supports multi-use
• Connection state changed (HTTP/2 confirmed)
• Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
• Using Stream ID: 1 (easy handle 0x55906a87a8c0)

HEAD /haproxy?stats HTTP/2
Host: xxxxxxxxxxxxxxxxxx
user-agent: curl/7.68.0
accept: /

• TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
• TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
• old SSL session ID is stale, removing
• Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
  < HTTP/2 200
  HTTP/2 200
  < cache-control: no-cache
  cache-control: no-cache
  < content-type: text/html
  content-type: text/html

curl https://proxy-vip/____rp-stats -vL -I

• Trying xxxxxxxxxx…
• TCP_NODELAY set
• Connected to xxxxxxxx (xxxxxxxxxxx) port 443 (#0)
• ALPN, offering h2
• ALPN, offering http/1.1
• successfully set certificate verify locations:
• CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
• TLSv1.3 (OUT), TLS handshake, Client hello (1):
• TLSv1.3 (IN), TLS handshake, Server hello (2):
• TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
• TLSv1.3 (IN), TLS handshake, Request CERT (13):
• TLSv1.3 (IN), TLS handshake, Certificate (11):
• TLSv1.3 (IN), TLS handshake, CERT verify (15):
• TLSv1.3 (IN), TLS handshake, Finished (20):
• TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
• TLSv1.3 (OUT), TLS handshake, Certificate (11):
• TLSv1.3 (OUT), TLS handshake, Finished (20):
• SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
• ALPN, server accepted to use h2
• Server certificate:
• subject: xxxxxxxxxxxxxx
• start date: Feb xxxxxxx
• expire date: Feb xxxxxx
• subjectAltName: host “xxxxx” matched cert’s “xxxxxxxx”
• issuer: xxxxxxxxxx
• SSL certificate verify ok.
• Using HTTP2, server supports multi-use
• Connection state changed (HTTP/2 confirmed)
• Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
• Using Stream ID: 1 (easy handle 0x55fe05d3b8c0)

HEAD /____rp-stats HTTP/2
Host: xxxxxxxxx
user-agent: curl/7.68.0
accept: /

• TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
• TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
• old SSL session ID is stale, removing
• Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
  < HTTP/2 401
  HTTP/2 401
  < content-length: 112
  content-length: 112
  < cache-control: no-cache
  cache-control: no-cache
  < content-type: text/html
  content-type: text/html
  < www-authenticate: Basic realm=“HAProxy Statistics”
  www-authenticate: Basic realm=“HAProxy Statistics”

I do understand what you are saying.

It’s just that the configuration you provided is not what you are actually running, and after fixing the issues with your configuration, it still does not produce the result you are claiming.

So please provide the actual unredacted and unchanged configuration and also the output of haproxy -vv.

@lukastribus I gave you what config we are running. I only masked a few company-specific names but the remaining config is at it is. I will check one more time and let you know

Ok, then actually reproduce the problem with a configuration you can FULLY share, along with the output of haproxy -vv.

Because, like I said, the configuration you provided does not exhibit the behavior you claim.

Check to see if you have another instance of haproxy running, maybe part of the initial install, systemd can start the daemon can also be started via command with config file, possibly multiple configuration files