Port Lost on frontend with 302 redirect

Hi all.

I’m trying to proxy an internal server with OWA installed.

This is my haproxy config:

global
    set-dumpable
    user nobody
    group nogroup
    log stdout local0
    strict-limits
    h1-case-adjust cache-control CaChE-CoNtRoL

defaults
    mode http
    log 127.0.0.1:514 local0
    timeout client 5s
    timeout server 5s
    timeout connect 5s
    option redispatch
    option httplog
    # SlowLoris Attack
    timeout http-request 5s
    option http-buffer-request

frontend owa_frontend
    bind :8400 ssl crt /opt/certs/Owa.pem ssl-min-ver TLSv1.1
    option forwardfor
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    mode http
    default_backend be_main_10000

backend be_main_10000
    retry-on all-retryable-errors
    retries 3
    option forwardfor
    http-request add-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    server server_10000 192.168.10.10:443 ssl verify none

The frontend listens on 192.168.10.9:8400 and the Exchange OWA listens on 192.168.10.10:443.
When I access my haproxy instance “https://192.168.10.9:8400/owa” I lose the port on the frontend.

Ex:

curl -ikv https://192.168.10.9:8400/owa

------ (cut a lot of stuff) -----
Object moved to href=“https://192.168.10.9/owa/auth/logon.aspx?url=https%3A%2F%2F192.168.10.9%2Fowa&reason=0”>

The port is lost, so I cannot access it (I have to manually put the “:8400” to get it to work).
Is it possible to “force” that 302 redirection to not affect the URL?

Thanks !

Am I the only one with this issue?

The port is added in the X-Forwarded-Port header. So I guess it is an OWA configuration issue. But I don’t know how it could be configured to use the header value.

Hi capflam, thanks a lot for your reply.

Do you know if it is possible to ask something like “If port is not set by X-Forwarded-Port then add it”?

I don’t know how to do this.

thanks again !

Strange how this works OK with Pound out of the box.

I’m going to give Pound a try over haproxy.

Thanks everyone !

Sorry, I’m not sure I understand. In your HAProxy configuration, you are adding all information (IP, scheme and port) via X-Forwarded- headers to let the server properly format URLs in the responses. At this stage, from HAProxy’s side, there is nothing much to do. So I guess there is something to configure in OWA to use this info. The IP is already set as expected. The Proxy one is used instead of the server one. The same must be done with the port. About the scheme, it is hard to know because you are requesting the server in SSL.

Thanks very much Christopher!

I understand what you are writing here. Honestly, I’m doing the same test with Pound (just a frontend listening on https and forwarding to a backend https on another port), and I don’t lose the port on the redirection.

I’m going to use Pound for now, but if I can I’ll give haproxy some more tries.

Thanks again !

Well, I don’t know how Pound works. But it means there is something added by Pound in the request that can be used by the OWA server to properly format the URLs. By any chance, could you share the Pound configuration? It may help to understand what is missing in your HAProxy configuration.

Sure no problem.

This is the config I’m testing (this config just works). I put pound to listen on port 8443 and to redirect everything to port 443 on OWA

START CONFIG

LogLevel 1
IgnoreCase 1
ListenHTTPS
    Address 0.0.0.0
    Port 8433 (port of frontend)
    Cert "/path/to/certificate.pem"
    Disable TLSv1

    # Backend Server
    Service
        Backend
            Address X.X.X.X (Ip of Owa)
            Port 443 (Port)
            HTTPS
        End
    End

End
END CONFIG

This is on the manual page, does it have anything to do with it?

RewriteLocation 0|1|2
If 1 force Pound to change the Location: and Content-location: headers in responses. If they point to the back-end itself or to the listener (but with the wrong protocol) the response will be changed to show the virtual host in the request. Default: 1 (active). If the value is set to 2 only the back-end address is compared; this is useful for redirecting a request to an HTTPS listener on the same server as the HTTP listener.

Thanks again !

Ok, so it seems Pound is able, by default, to rewrite the Location and Content-location headers. So you can do the same with HAProxy, via a http-response set-header rule. However, I’m a bit puzzled because in your first message, the response snippet to the curl request suggests it is not only an issue with the response headers. There are some links in the response payload with the wrong URL. In this case, the issue is still here but probably less visible. It could be good to check. Because rewriting some headers is not a big deal, rewriting the payload is another story.

In the meantime, here is a quick and untested example to do the “same” as Pound:

   http-response replace-header Location "(https?)://[^/]+/(.*)" "\1://%[dst]:%[dst_port]/\2"
   http-response replace-header Content-Location "(https?)://[^/]+/(.*)" "\1://%[dst]:%[dst_port]/\2"
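
An added example, not part of the original post and not HAProxy code: a Python model of the rule above, run on the Location value from the first post, next to a stricter variant (an assumption here) that only rewrites redirects naming the proxy or the backend, as the Pound manual text describes. The function names and the `login.example.net` redirect are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Match regex taken from the replace-header rule posted above.
RULE = re.compile(r"(https?)://[^/]+/(.*)")

# Location value from the curl output in the first post.
PAGE_LOCATION = ("https://192.168.10.9/owa/auth/logon.aspx"
                 "?url=https%3A%2F%2F192.168.10.9%2Fowa&reason=0")
# Constructed sample: a redirect to a host that is neither proxy nor backend.
EXTERNAL = "https://login.example.net/adfs/ls/?wa=wsignin1.0"
# Proxy and backend addresses as given in the thread.
OWN_HOSTS = {"192.168.10.9", "192.168.10.10"}


def blanket_rewrite(location, dst, dst_port):
    """Model of the posted rule: any matching value is replaced as a whole."""
    m = RULE.search(location)
    if m is None:
        return location
    return f"{m.group(1)}://{dst}:{dst_port}/{m.group(2)}"


def scoped_rewrite(location, own_hosts, dst, dst_port):
    """Assumed stricter variant: only touch redirects to our own hosts."""
    parts = urlsplit(location)
    if parts.scheme not in ("http", "https") or parts.hostname not in own_hosts:
        return location
    return parts._replace(netloc=f"{dst}:{dst_port}").geturl()


def inner_urls(location):
    """Absolute URLs carried in the query string; the rewrite copies them as-is."""
    query = parse_qs(urlsplit(location).query)
    return [v for values in query.values() for v in values
            if v.startswith(("http://", "https://"))]


if __name__ == "__main__":
    fixed = blanket_rewrite(PAGE_LOCATION, "192.168.10.9", 8400)
    print("OWA redirect     :", fixed)
    print("still port-less  :", inner_urls(fixed))
    print("external, blanket:", blanket_rewrite(EXTERNAL, "192.168.10.9", 8400))
    print("external, scoped :",
          scoped_rewrite(EXTERNAL, OWN_HOSTS, "192.168.10.9", 8400))
```

The `url=` parameter inside the rewritten redirect still carries the address without `:8400`, which is the kind of leftover the post above suggests checking for.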

Wow Christopher, that worked !!

Thank you very much !!