Need help: HAproxy in bridge mode between 2 ssl connections for CAS server



Hi Guys,
I am trying to configure CAS servers behind haproxy+keepalive, with the main certificate for the site on haproxy and wildcard certificates on the CAS servers in the pool.
I can reach the CAS servers, but when I go to the Tomcat management portal it shows the haproxy address as the client IP instead of the address of the client I am accessing it from.

The configuration I have so far is the following:

    #---------------------------------------------------------------------
    # Example configuration for a possible web application.  See the
    # full configuration options online.
    #
    #   http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
    #
    #---------------------------------------------------------------------

    #---------------------------------------------------------------------
    # Global settings
    #---------------------------------------------------------------------
    global
        # Logs go to the local syslog daemon (rsyslog) on the loopback
        # address, facility local2, level debug.  For them to land in
        # /var/log/haproxy.log the syslog side must
        #   1) accept network log events (the '-r' option in SYSLOGD_OPTIONS
        #      in /etc/sysconfig/syslog), and
        #   2) route the facility to the file, e.g. a line such as
        #        local2.*                       /var/log/haproxy.log
        #      in /etc/sysconfig/syslog.
        log         127.0.0.1 local2 debug

        # Drop privileges and jail the process once the listeners are bound.
        user        haproxy
        group       haproxy
        chroot      /var/lib/haproxy
        daemon
        pidfile     /var/run/haproxy.pid

        # Process-wide ceiling on concurrent connections.
        maxconn     4000

        # Admin/stats unix socket (path is inside the chroot).
        stats socket /var/lib/haproxy/stats

    #---------------------------------------------------------------------
    # common defaults that all the 'listen' and 'backend' sections will
    # use if not designated in their block
    #---------------------------------------------------------------------
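    defaults
        mode                    http
        log                     global
        option                  httplog
        option                  dontlognull
        # Close the server-side connection after each response; the client
        # side may stay open.
        option http-server-close
        # Insert X-Forwarded-For carrying the real client address on every
        # request (skipped for clients on the loopback network).  A backend
        # only reports that address if it is configured to trust the header.
        option forwardfor       except 127.0.0.0/8
        # If a session's persisted server is down, send it to another one.
        option                  redispatch
        retries                 3
        timeout http-request    10s
        timeout queue           1m
        timeout connect         10s
        timeout client          1m
        timeout server          1m
        timeout http-keep-alive 10s
        timeout check           10s
        maxconn                 3000

    # The stats page was previously enabled in 'defaults', which exposed it
    # through every frontend -- including the plain-HTTP 'web1' listener on
    # port 80, where the basic-auth credentials would travel in cleartext.
    # It now has its own TLS listener and is no longer reachable through the
    # application frontends.
    listen stats
        # Port 8404 is only an example; pick one that suits the network.  The
        # certificate is the one frontend 'main' already uses.
        bind 10.1.1.112:8404,10.2.1.3:8404 ssl crt /etc/pki/tls/private/casdev.test.lab-conmbined-key-and-cert.pem
        stats                   enable
        stats                   uri /stats
        stats realm Haproxy\ Statistics
        # user:password -- redacted in the original listing.
        stats auth ******:*********
        # Do not advertise the HAProxy version on the page.
        stats hide-version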

    #---------------------------------------------------------------------
    # main frontend which proxys to the backends
    #---------------------------------------------------------------------
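    frontend  main
        # TLS terminates here with the site certificate; 'ssl crt' on a bind
        # line means this is HAProxy 1.5 or later.
        bind 10.1.1.112:8443,10.2.1.3:8443 ssl crt /etc/pki/tls/private/casdev.test.lab-conmbined-key-and-cert.pem
    #     bind *:8443 ssl crt /etc/pki/tls/private/casdev.test.lab-conmbined-key-and-cert.pem
        mode http

        # Tell the backends the original scheme and port.  'set-header'
        # replaces any copy of these headers the client may have sent, so a
        # backend cannot be fed spoofed values; the earlier 'reqadd' lines
        # only appended to whatever arrived.  X-Forwarded-For itself comes
        # from 'option forwardfor' in defaults, so it is not added again here.
        http-request set-header X-Forwarded-Proto https
        http-request set-header X-Forwarded-Port 8443
    #    http-request add-header X-Client-IP %[src]

        # Static-asset matcher; only takes effect once 'use_backend static'
        # is re-enabled.
        acl url_static       path_beg       -i /static /images /javascript /stylesheets
        acl url_static       path_end       -i .jpg .gif .png .css .js
    #    use_backend static          if url_static
        default_backend             app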

    frontend web1
        # Plain-HTTP listener on the same two addresses as frontend 'main'.
        bind 10.2.1.3:80,10.1.1.112:80
        mode http
        # Static-asset matcher; currently unused because no use_backend rule
        # refers to it.
        acl url_static       path_end       -i .jpg .gif .png .css .js
        acl url_static       path_beg       -i /static /images /javascript /stylesheets
        default_backend             web1


    #---------------------------------------------------------------------
    # static backend for serving up images, stylesheets and such
    #---------------------------------------------------------------------
    backend static
        # Single local static-content server, health-checked.
        server      static 127.0.0.1:4331 check
        balance     roundrobin

    #---------------------------------------------------------------------
    # round robin balancing between the various backends
    #---------------------------------------------------------------------

    #backend app
    #    balance     roundrobin
    #    server  app1 127.0.0.1:5001 check
    #    server  app2 127.0.0.1:5002 check
    #    server  app3 127.0.0.1:5003 check
    #    server  app4 127.0.0.1:5004 check

    ##TT

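    backend app
        mode http
        balance     roundrobin
        option  redispatch
        #option httpchk GET /health_check

        # Sticky sessions: HAProxy inserts a SERVERID cookie naming the server
        # that handled the first request.  Each server line must carry its own
        # distinct cookie value; the original used the word 'required' on
        # both, so the two servers were indistinguishable to the cookie.
        cookie SERVERID insert indirect nocache

        # Re-encrypt to the CAS servers.  'verify required' makes certificate
        # validation against the CA chain explicit instead of relying on the
        # global default, and 'verifyhost' pins the name the wildcard
        # certificate must cover.
        server cas1.test.lab 10.1.1.101:8443 check ssl verify required verifyhost cas1.test.lab ca-file /etc/pki/tls/certs/ca-chain.cert.pem cookie cas1
        server cas2.test.lab 10.1.1.102:8443 check ssl verify required verifyhost cas2.test.lab ca-file /etc/pki/tls/certs/ca-chain.cert.pem cookie cas2

        # On the client-IP question: 'option forwardfor' in defaults already
        # sends the real client address in X-Forwarded-For.  Tomcat keeps
        # reporting the HAProxy address until it is told to trust that header,
        # e.g. RemoteIpValve in server.xml with internalProxies covering the
        # HAProxy addresses.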

    backend web1
        mode http
        balance     roundrobin
        # Two plain-HTTP web servers, health-checked, in round-robin order.
        server web1.test.lab 10.1.1.120:80 check
        server web2.test.lab 10.1.1.121:80 check