HAProxy community

I want to hide destination IP and port of backend

Hi Everyone,
I am new to HAProxy setup. I don’t know what I am doing wrong; please help me if anyone can.
I have 2 applications (Grafana and Konga) running on the IP/ports below.
Grafana => 169.144.62.128:32323
Konga => 169.144.62.128:30018
And my HAProxy server is 169.144.62.165.
I want to configure it so that when I browse to http://169.144.62.165/grafana, it opens the Grafana application, and when I browse to http://169.144.62.165/konga, it opens Konga. Below is my config; I don’t know what I am doing wrong -

frontend mylab
bind 169.144.62.165:80
acl PATH_grafana path_beg -i /grafana
acl PATH_conga path_beg -i /conga
use_backend grafana-backend if PATH_grafana
use_backend conga-backend if PATH_conga

backend grafana-backend
mode http tcp
server grafana1 169.144.62.128:32323

backend conga-backend
mode http tcp
server konga1 169.144.62.128:30018

Can anyone help me, please?

Share the entire configuration, not only parts of it, replace mode tcp with mode http everywhere (after all, you want to access the HTTP path in your variable), make sure that both grafana and conga are aware of and configured to use the respective paths /grafana and /conga (as opposed to root), and if it still doesn’t work, please elaborate on exactly how this fails (which error messages, etc.).

There is no actual path like /grafana or /conga in the applications. The actual path may be IP:port/login. I want the user to browse to haproxy IP:port/grafana and be redirected to the actual application server ip:port.

Unless you can configure the path in your applications, this will never work, because the internal links will be all wrong and haproxy won’t route them to the correct backend, because the path doesn’t contain /grafana or /conga.

If you can configure the path in your applications good, otherwise you need to change your haproxy configuration and use different hostnames instead of a different path.

Thanks for your reply. I have one question: I have heard about one thing to use in this kind of case, ‘reqrep’. Can I use it in my scenario to achieve my objective? I am just asking as I am new to this. I mean, can it convert the user request /grafana to the actual backend path, like /login or only /?

No, reqrep can adjust the HTTP request header. It doesn’t adjust wrong links in the HTTP payload.

That’s why you have those two options mentioned earlier. Either the backends know they don’t run at /, or you need to use different hostnames instead.

Again, many thanks. Sorry to say, but I do not understand the use of different hostnames. Can you please explain in a little detail? Do you mean different hostnames for the 2 application links? Can I use the /etc/hosts file? But the 2 applications exist on the same server, only on different ports.
Like you want -
169.144.62.128:32323 grafana.localdomain.net
169.144.62.128:30018 konga.localdomain.net

You point the hostname to the IP address of haproxy (169.144.62.165). In DNS, or in /etc/hosts - whatever works best for your specific scenario. Note that you cannot specify a port, this is a name -> ip address association.

In your browser you do not access the services via http://169.144.62.165/, but via the hostnames instead.

So DNS:

169.144.62.165 grafana.localdomain.net
169.144.62.165 konga.localdomain.net

Then in haproxy, you configure it in HTTP mode and pick your backend based on the host header:

frontend mylab
mode http
bind 169.144.62.165:80
use_backend grafana-backend if { hdr(host) -i grafana.localdomain.net }
use_backend conga-backend if { hdr(host) -i conga.localdomain.net }

Thank you, sir. So ultimately, below is the configuration I am going to apply. Is it right?

global

log         127.0.0.1 local2
chroot      /var/lib/haproxy
pidfile     /var/run/haproxy.pid
maxconn     4000
user        haproxy
group       haproxy
daemon


stats socket /var/lib/haproxy/stats

defaults
mode http
log global
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000

frontend mylab
mode http
bind 169.144.62.165:80
use_backend grafana-backend if { hdr(host) -i grafana.localdomain.net }
use_backend conga-backend if { hdr(host) -i conga.localdomain.net }

backend grafana-backend
server master-node 169.144.61.128:32323

backend conga-backend
server master-node 169.144.61.128:30018

Yes, that’s what I mean.

Great, sir. This is working like a charm. Thanks a lot.
Now I have another query: adding authentication on top of this. I was trying, but it asks for credentials multiple times, even after logging in to the application. Any suggestions, sir? It would be helpful if you could give me the code.

You want to introduce authentication at haproxy layer? Or is there a problem with the application authentication that you want to fix?

I want to introduce it, sir.

Refer to the documentation regarding:

http-request auth:
https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#4.2-http-request%20auth

user/group/userlists
https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#3.4

This code is connecting to app1 but not opening the page for app2.

userlist UsersFor_Auth
user admin insecure-password letmein
user test1 insecure-password abc123

frontend example1_in
bind *:443 ssl crt /etc/pki/tls/certs/haproxy1.pem
acl host_example1 hdr(host) -i www.kolkatalab.net-app1
acl host_example2 hdr(host) -i www.kolkatalab.net-app2
acl authorized http_auth(UsersFor_Auth)
http-request auth realm Example1 if host_example1 !authorized
http-request auth realm Example2 if host_example2 !authorized
use_backend app1-bkend if host_example1 authorized
use_backend app2-bkend if host_example2 authorized

backend app1-bkend
http-request set-header X-Client-IP %[src]
server app1 192.168.1.100:32323 check
http-request del-header Authorization

backend app2-bkend
http-request set-header X-Client-IP %[src]
server app2 192.168.1.100:5050 check
http-request del-header Authorization

Does app2 have its own Basic HTTP authentication? What exactly fails (which HTTP response code, which error message)?

Now I tried this code, but app2 is not opening. App1 and App3 are opening. The error is 503 Service Unavailable, No server is available to handle this request.

userlist UsersFor_Auth
user admin insecure-password letmein
user test1 insecure-password abc123

frontend example1_in
bind *:443 ssl crt /etc/pki/tls/certs/haproxy1.pem
acl host_example1 hdr(host) -i kolkatalab.net-grafana
acl host_example2 hdr(host) -i kolkatalab.net-pgadmin
acl host_example3 hdr(host) -i kolkatalab.net-nginx
acl authorized http_auth(UsersFor_Auth)
http-request auth realm Example1 if host_example1 !authorized
http-request auth realm Example1 if host_example1 !authorized
http-request auth realm Example1 if host_example3 !authorized
redirect scheme https if !{ ssl_fc }
mode http
use_backend grafana-bkend if host_example1 authorized
use_backend pgadmin-bkend if host_example2 authorized
use_backend nginx-bkend if host_example3 authorized

backend grafana-bkend
http-request set-header X-Client-IP %[src]
server grafana1 192.168.1.100:32323 check
http-request del-header Authorization

backend pgadmin-bkend
http-request set-header X-Client-IP %[src]
mode http
option forwardfor
option httpchk HEAD / HTTP/1.1\r\nHost:localhost
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
server pgadmin1 192.168.1.100:5050 check
http-request del-header Authorization

backend nginx-bkend
http-request set-header X-Client-IP %[src]
server nginx1 192.168.1.100:30080 check
http-request del-header Authorization

So which backend is app2? Either you replace the names in all configurations or none.

app2 means backend pgadmin-bkend (second backend)
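
Added example, not part of the thread and not HAProxy project code: a small Python check for one inconsistency visible in the last frontend posted above, where a host is routed only when the auth ACL is true but no "http-request auth" rule ever challenges that host. A request for such a host arrives without credentials, matches no use_backend line, and, since the frontend has no default_backend, is answered with 503. The function name unchallenged_backends and the FIXED variant (which assumes the duplicated rule was meant for host_example2) are assumptions made for illustration.

```python
# Frontend from the last config posted in the thread, copied as posted.
FRONTEND = """\
frontend example1_in
bind *:443 ssl crt /etc/pki/tls/certs/haproxy1.pem
acl host_example1 hdr(host) -i kolkatalab.net-grafana
acl host_example2 hdr(host) -i kolkatalab.net-pgadmin
acl host_example3 hdr(host) -i kolkatalab.net-nginx
acl authorized http_auth(UsersFor_Auth)
http-request auth realm Example1 if host_example1 !authorized
http-request auth realm Example1 if host_example1 !authorized
http-request auth realm Example1 if host_example3 !authorized
redirect scheme https if !{ ssl_fc }
mode http
use_backend grafana-bkend if host_example1 authorized
use_backend pgadmin-bkend if host_example2 authorized
use_backend nginx-bkend if host_example3 authorized
"""

def unchallenged_backends(frontend_text):
    """(backend, host) pairs routed only when authenticated, but whose host
    ACL has no 'http-request auth ... if HOST !AUTH' rule to send the 401."""
    hosts, auth_acls, challenges, routes = {}, set(), [], []
    for line in frontend_text.splitlines():
        tok = line.split()
        if len(tok) >= 3 and tok[0] == "acl":
            if tok[2].startswith("http_auth("):
                auth_acls.add(tok[1])          # e.g. 'authorized'
            elif tok[2] == "hdr(host)":
                hosts[tok[1]] = tok[-1]        # ACL name -> hostname
        elif tok[:2] == ["http-request", "auth"] and "if" in tok:
            challenges.append(tok[tok.index("if") + 1:])
        elif tok[:1] == ["use_backend"] and "if" in tok:
            routes.append((tok[1], tok[tok.index("if") + 1:]))
    # Host ACLs for which a request without valid credentials is challenged.
    challenged = {t for cond in challenges for t in cond
                  if t in hosts and any("!" + a in cond for a in auth_acls)}
    return [(backend, hosts[t]) for backend, cond in routes for t in cond
            if t in hosts and t not in challenged
            and any(a in cond for a in auth_acls)]

# Assumed intent (not from the thread): the duplicated rule was meant for host_example2.
DUP = "http-request auth realm Example1 if host_example1 !authorized\n"
FIXED = FRONTEND.replace(DUP + DUP, DUP + DUP.replace("host_example1", "host_example2"))

if __name__ == "__main__":
    print(unchallenged_backends(FRONTEND), unchallenged_backends(FIXED))
```

The check only reads the frontend; a failing health check on the pgadmin server would also produce a 503 and has to be ruled out separately.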