HAProxy community

Proxy S3 and API gateway


I’m fairly new to HAProxy so please assume there are multiple errors in my config :)

I’m trying to proxy two parts of my app.

gcd.abc.com/ => Amazon S3
gcd.abc.com/api => API Gateway

My frontends look like this:

frontend http-in
        bind *:80 accept-proxy
        capture request header Host len 64
        # Permanent redirect HTTP to HTTPS
        redirect scheme https code 301 if !{ ssl_fc }

frontend https-in
        bind *:443 accept-proxy ssl crt /etc/ssl/xyz.co.pem
        capture request header Host len 64
        # HTTP header Security
        http-response del-header (Server|X-AspNet-Version|X-Powered-By)

        acl gcd hdr_beg(host) -i gcd.
        acl gcd_api hdr_beg(host) -i gcd. path_beg /api # I'm fairly sure this is wrong??

        use_backend gcd-static if host_gcd
        use_backend gcd-api if gcd_api

        use_backend fia if { path_beg /service/ifm } #other stuff that works
        use_backend calendar if { path_beg /service/calendar } #more other stuff which works

And my relevant backends look like this:

backend gcd-static
        http-request set-header Host xbc.abc.co.s3-website-eu-west-1.amazonaws.com
        server gcd-static s3.eu-west-1.amazonaws.com:80 check

backend gcd-api
        http-request set-header Host foobar.execute-api.eu-west-1.amazonaws.com
        http-request set-path /gcd/%[path]
        mode http
        option forwardfor
        server gcd-api foobar.execute-api.eu-west-1.amazonaws.com:443 ssl verify none sni str(foobar.execute-api.eu-west-1.amazonaws.com)

I have to admit some of this was copy-paste and I don’t know what some of the things are, like sni, and I’m not sure how to chain conditions together.

The problem that I’m getting is, I don’t get any data back when I curl like this:

curl -H "Host: gcd.xyc.com" http://my_haproxy_ip

The log looks like this:

Sep 26 10:45:16 ip-10-100-10-74 haproxy[10871]: [26/Sep/2019:10:45:16.866] http-in http-in/<NOSRV> 0/-1/-1/-1/0 301 105 - - LR-- 1/1/0/0/0 0/0 {gcd.xyz.com} "GET / HTTP/1.1" - - 1-5D8C96BC-5D6D0625D4390A6401CF0050

I’ll need to look at this later and check over the ACLs (it’s getting late) but first you need to remove “accept-proxy” from your frontend. That means accept proxy protocol and it will need that in all traffic for it to work.

If you need proxy protocol later we can look at doing it selectively maybe…
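
An added example, not part of either post and not HAProxy project code: one way the HTTPS frontend and the two backends from the question could be written so that conditions are chained in the `use_backend` rules and the TLS hop to API Gateway is verified instead of using `verify none`. It reuses the question's placeholder hostnames; the CA bundle path and the intended `/gcd/api/...` upstream path are assumptions.

```haproxy
frontend https-in
        # Add accept-proxy back only if whatever sits in front of HAProxy
        # (for example a load balancer) sends the PROXY protocol header.
        bind *:443 ssl crt /etc/ssl/xyz.co.pem
        mode http
        capture request header Host len 64

        # del-header takes one literal header name per rule, not a regex group
        http-response del-header Server
        http-response del-header X-AspNet-Version
        http-response del-header X-Powered-By

        # One criterion per acl line. In the question, "path_beg /api" on the
        # hdr_beg(host) line is parsed as two more host patterns.
        acl host_gcd hdr_beg(host) -i gcd.
        acl path_api path_beg /api

        # ACL names listed after "if" are ANDed. Rules are evaluated in order,
        # so the more specific rule has to come before the host-only rule.
        use_backend gcd-api    if host_gcd path_api
        use_backend gcd-static if host_gcd

backend gcd-static
        mode http
        http-request set-header Host xbc.abc.co.s3-website-eu-west-1.amazonaws.com
        server gcd-static s3.eu-west-1.amazonaws.com:80 check

backend gcd-api
        mode http
        option forwardfor
        http-request set-header Host foobar.execute-api.eu-west-1.amazonaws.com
        # %[path] already starts with "/", so "/gcd/%[path]" yields "/gcd//api/..."
        # Assumption: the upstream path wanted is /gcd/api/...
        http-request set-path /gcd%[path]
        # Weak (as in the question): "ssl verify none" encrypts the connection
        # but accepts any certificate, so the upstream is never authenticated.
        # Hardened: validate the chain against a CA bundle and check the name.
        # sni sets the TLS server name sent to the upstream.
        # Assumption: Debian/Ubuntu CA bundle path; adjust for your distribution.
        server gcd-api foobar.execute-api.eu-west-1.amazonaws.com:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt verifyhost foobar.execute-api.eu-west-1.amazonaws.com sni str(foobar.execute-api.eu-west-1.amazonaws.com)
```

Running `haproxy -c -f <config file>` checks the syntax before a reload, and would also report the undefined `host_gcd` ACL in the original frontend.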