HAProxy community

Rewrite URL without modifying underlying functionality

Running into a bit of challenge with URL re-writes. I am trying to whitelabel some of our services…

Lets say we offer a service at portal.company.com

now we setup tenants within that environment and without any whitelablel they can login with the following portal.company.com/login/tenant1.

what i would like to do is just do a rewrite for portal.company.com to portal.tenant.com while still leaving the ability for other users to access portal.company.com

What i have so far is as follows:

   frontend https_443_frontend
   mode http
   bind *:443 ssl crt certlocation
   http-request set-header X-Forwarded-Port %[dst_port]
   http-request add-header X-Forwarded-Proto https if { ssl_fc }
   http-request replace-uri ^portal.company1.com.*) portal.tenant.com\1 if { hdr(host) -i portal.tenant.com }
   acl host_portal_443 hdr(host) -i portal.company1.com
   acl host_tenant_443 hdr(host) -i portal.tenant.com
   use_backend portalbackend if host_portal_443
   use_backend whitelabel if host_tenant_443

   backend whitelabel
   mode http
   # option httpclose
   # option forwardfor
    balance roundrobin
    cookie SERVERID insert indirect nocache
    server pool1.company.com x.x.x.x:443 ssl verify non check cooike s1
    server pool2.company.com x.x.x.x:443 ssl verify non check cooike s1

the above replace-uri - that actually does replace the url however the moment you interact with it it reverts back… so i can imagine i am missing some session handling and more than likely how its handling some of the headers.

any help would be greatly appreciated.

Hi @jared_t

can you tell me why you need to replace the URL?
Each tenant has a unique login page portal.company.com/login/tenantN after they logged in they will redirect back to portal.company.com is it true?
Now you want to give customers a CNAME to portal.company.com for this just you need to handle it on origin servers.
or I don’t understand your case at all :smiley:

Arash - i apologize as you can tell i am not by any means a load balancing guru - i am a jack of all trades master of none.

we were able to solve the issue for now… it appears this seems to work for us.

        http-request replace-value Location ^portal.company1.com(.*) portal.company2.com\1 if { hdr(host) -i portal.company2.com }


        http-request replace-value Location ^https://portal.company2.com(.*)$ https://portal.company1\1
        http-response replace-value Location ^https://portal.company1(.*)$ https://portal.company2.com\1

So far this redirects as expected. We have done this in two different cases. We also added an permanent https redirect for http to https… and then we also did a beg path to redirect the tenant as well…

   http-request redirect code 301 location https://portal.company2.com/login/account/company2 if { hdr(host) -i portal.company1.com } { path /login/account/company2 }

I won’t deny there are probably better ways to do this but for the time being this seemed to solve our problems. If we were to move to F5 this may eliminate the need for all this manual labor.

The app that we are using now shows in the logs that the request is coming from portal.company2.com but allows authentication and allows the sub tenant to work properly.

If anyone has recommendations of better methods then i am open to all and any recommendations.