Include urls in backend

Help!
1

Hello All,

I’m new to haproxy and trying to set up things.

Here is what I have done until now .

Frontend main
mode http
bind:9900
Default_backend qa

backend qa
mode http
Http request redirect location https://qanewserver:9555/new service/search

Is there a way to achieve this ? I’m ok to try with different protocol modes as well. Just need some guidance to route to a https URL in backend . ( I don’t have a static ip for backend and cannot use ip)

Thanks much in advance .

2

Please explain what you want to achieve by spelling it out verbosely.

3

We have clients hitting a URL say https://qa.newproject:8900/search, ( this is a Load balanced URL) I have haproxy server as one of the servers under lb . I wanted to route whatever comes to that URL and in turn to haproxy to https://containerqa.newproject:6700/search

I hope it makes sense now . Please let me know if not will try to put it better words .

4

Question is:

does it suffice to just forward the TCP payload from port 8900 of the LB IP to your destination servers port (6700) - this means the client will see the certificate of your backend server and haproxy itself does not terminate SSL (and therefor does not need a certificate).

Or do you need to rewrite HTTP Host headers, SSL SNI, or use a certificate on haproxy - therefor terminating SSL and reencrypting the traffic towards the backend server.

5

Lucas,

Thanks for helping out !

Forwarding tcp payload from port 8900 to destination url is what I need … destination service is hosted on cloud platform and doesn’t have a stable ip. So I wanted to forward the payload to a URL instead if ip and port .

6

Something like this:

defaults
 mode tcp
 timeout client 60s
 timeout server 60s
 timeout connect 10s

resolvers googledns
 nameserver 8888 8.8.8.8:53
 nameserver 8844 8.8.4.4:53
 hold valid 10s

frontend front
 bind :8900
 default_backend bak

backend bak
 server srv1 containerqa.newproject:6700 resolvers googledns resolve-prefer ipv4
7

Lucas,

Correct . Also is it mandatory to mention srv1 ip in backend ?

8

You can call it whatever you like. But a name is needed.

9

Thank you ! So resolvers in the config is something that should be used .

Can you please point me to some documentation or notes on the same so that I can go through and try it out ?

10

https://cbonte.github.io/haproxy-dconv/2.0/configuration.html#5.3.2

11

Hi Lucas,

This is my config , im using haproxy version 1.5.18
Problem that i have is - route to backend qa2 is working fine as it is static server and have a static ip.
route to qa21 is not working. 7843-qa.apps.c1-testqa.tesdomain.org.com is getting translated to an IP, however i dont want that to happen and backend expects to send/forward the request to hostname 7843-qa.apps.c1-testqa.tesdomain.org.com

is there any way to do it?

log 127.0.0.1:514 local0
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
#---------------------------------------------------------------------
defaults
mode tcp
log global
option tcplog
option dontlognull
log-format “%{+E,+Q}%H,BACKEND_IP_PORT:%si:%sp,FRONTEND_IP_PORT:%ci:%cp,httprequest:%r,capture.req.hdr(2)”
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
#---------------------------------------------------------------------
frontend main
bind *:6905
bind *:6906
acl d1 dst_port 6905
use_backend qa2 if d1
acl d2 dst_port 6906
use_backend qa21 if d2
backend qa21
server app 7843-qa.apps.c1-testqa.tesdomain.org.com
backend qa2
server app testqa.tesdomain.org.com:6905

12

I don’t know what that means. Of course the hostname is resolved to an IP address.

13

Is there a way to forward the requests to URL with host name ?hostname is open shift hostname and If the host name resolves to an ip, it is causing a 503 error.

Openshift team says I need to forward the requests to hostname instead of ip.

So wanted to know if there is a way to do it …

Much thanks in advance .

14

The hostname is resolved to an IP addresses because that is how the sockets connect to each other, from one IP address to another.

Your backend probably requires haproxy to rewrite the incoming Host header with whatever the backend expects, try adding the hostname with the http-request set-header Host xyz directive in your backend configuration, something like:

backend blabla
 http-request set-header Host 7843-qa.apps.c1-testqa.tesdomain.org.com
 server app 7843-qa.apps.c1-testqa.tesdomain.org.com
15

guess i will have to do it in http mode? it gives me this error when i change the mode to http

Server qa2/app is DOWN, reason: Layer6 invalid response, info: “SSL handshake failure”, check duration: 36ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
: backend qa2has no server available!
J [12/Jan/2020:15:55:09.208] main qa2/ 4/-1/-1/-1/4 503 212 - - SC-- 0/0/0/0/0 0/0 “GET /” 0A3C2406:7F60_0AF1C219:1AF9_5E1B87AD_0000:21AF

16

Yes, this will require a complete reconfiguration.

You need to get a SSL certificate for 7843-qa.apps.c1-testqa.tesdomain.org.com, install it on haproxy, and use mode http instead of mode tcp. You will also have to add the ssl keyword to the backend (with a ca-file or verify none for SSL certificate verification).

17

Thanks Lucas.

I did that and this error was after changing my config to http.

#-------------------------------------------------------------------
backend qa21
server app 7843-qa.apps.c1-testqa.tesdomain.org.com:443 maxconn 32 check ssl verify none
backend qa2
server app testqa.tesdomain.org.com:6905 maxconn 32 check ssl verify none

previously qa2 which is a VM has a static ip used to work in tcp mode, after chanaging to http mode , that doesnt work as well.

18

Also one more update just tried is -
error for backend qa2 - Server qa2/app is DOWN, reason: Layer6 invalid response, info: “SSL handshake failure”, check duration: 36ms. 0 active and 0 backup servers left. 0 sessions active, 0 requeued, 0 remaining in queue.
: backend qa2has no server available!
J [12/Jan/2020:15:55:09.208] main qa2/ 4/-1/-1/-1/4 503 212 - - SC-- 0/0/0/0/0 0/0 “GET /” 0A3C2406:7F60_0AF1C219:1AF9_5E1B87AD_0000:21AF

error for backendqa21 :

main main/ -1/-1/-1/-1/7 400 187 - - PR-- 0/0/0/0/0 0/0 "BADREQ " 0A3C253C:CF70_0AF1C219:1AF9_5E1B8CCE_0033:450C
main qa21/app 0/0/6/1/7 503 3278 - - ---- 0/0/0/0/0 0/0 “GET /” 0A3C2406:6520_0AF1C219:1AF9_5E1B8CD0_0034:450C

19

First of all remove the check keyword. There is no point in health checking if you only have a single backend server.

Retry without that, if it still doesn’t work, try sending the hostname with SNI as well (sni str(<hostname>) on the server line)

So it should look like:

backend blabla
 http-request set-header Host 7843-qa.apps.c1-testqa.tesdomain.org.com
 server app 7843-qa.apps.c1-testqa.tesdomain.org.com maxconn 32 ssl verify none sni str(7843-qa.apps.c1-testqa.tesdomain.org.com)
20

Thanks Lucas!

removing the check keyword eliminated the ssl handshake failure error. however i still keep on getting the badreq and nosrv with 400 and 503 errors.

I tried with your suggestion to include sni str , but loosk like sni is not supported on 1.5.18 - ‘server app’ unknown keyword ‘sni’.

this is the only version of haproxy available now for us to install, anyother suggestions based on the version of haproxy please?