We have used haproxy for 6 years in production load balancing SSL https to the backends and it works OK. Now however, our Development office wants to use an haproxy setup similar to production to switch between two (2) backend development servers.
The current non-haproxy setup is that the existing dev server handles the SSL and has sub-ports for the individual developers who create / modify code in their own port, e.g.:
https://cworks.dev.plsxpress.com:712/url_togoto
https://cworks.dev.plsxpress.com:333/url_togoto
https://cworks.dev.plsxpress.com:603/url_togoto
and so on…
So I have set up a standalone CentOS 7 server with haproxy (haproxy18-1.8.1-5.el7.x86_64), and if I leave out the :ports it connects to the backend and logs in OK, but only to the default :333 port. Logs show that the :333, :712, or :603 are never seen by the backend.
Once I have this working, I have a second backend that has newer php, apache, etc… that we’ll use an acl rule to direct traffic to, for testing and subsequent development in the newer environment.
The original test server listens on 10.1.1.10 with all the ports mentioned, including 333, 712, 603, 20333, 20712, 20603.
I can telnet to each port from the haproxy server (10.1.1.1) and connect to all ports, so it’s not a firewall issue. The logs show that incoming traffic only reaches backend 10.1.1.10 when the address is without the :port#. If I use the :port# I always get https://cworks.dev.plsxpress.com:333/mod.php/login.php
Firefox can’t establish a connection to the server at cworks.dev.plsxpress.com:333.
And nothing shows up in the httpd access_log on the backend.
CONFIGURATION
global
    # run background/daemon by default.
    daemon
    # max number of simultaneous connections. Default 5000
    maxconn 5000
    # run as user
    user haproxy
    group haproxy
    # where the ssl certs are kept
    ca-base /etc/ssl
    crt-base /etc/ssl
    # enable socket admin
    stats socket ipv4@10.1.1.1:9999 level admin
    # chroot for maximum protections
    chroot /var/lib/haproxy
    # log standard clf format.
    #log 127.0.0.1:514 local2 info
    log 127.0.0.1 local2
    #log global
    # Allow long URLs
    tune.bufsize 65535
    # longer for some reason
    tune.ssl.default-dh-param 2048
    ssl-default-bind-options no-sslv3 no-tls-tickets

defaults
    log global
    retries 3
    timeout connect 5s
    timeout client 50s
    timeout server 1800s
    timeout http-keep-alive 5s
    timeout http-request 5s
    balance roundrobin
    default-server inter 4000 weight 10

########### PORT 333 ###########
frontend SynchFrontProd333
    mode tcp
    option tcplog
    bind 10.1.1.1:33
    bind 96.81.169.83:33
    default_backend SynchBack333

frontend SisFrontProd333
    mode http
    option httplog
    option dontlognull
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header X-Forwarded-Proto https
    bind 96.81.169.83:443 ssl crt star.dev.plsxpress.com.pem no-sslv3
    default_backend logic333
    acl dev_xr2 hdr(host) -i cworks.dev.plsxpress.com:200-900
    use_backend logic333 if { req.hdr(Host),regsub(:[0-9]+$,) -i dev.plsxpress.com }
    http-request set-dst-port hdr(x-port)
    acl logic712 hdr(host) -i cworks.dev.plsxpress.com:712
    use_backend logic712 if logic712
    stats uri /haproxy?stats
    stats realm StrictlyPrivate
    stats auth SPADMIN:nimdaAdmin
    errorfile 503 /etc/haproxy/errorfile.http

backend SynchBack333
    mode tcp
    option tcplog
    server server10 10.1.1.10:33333 maxconn 128
    server server11 10.1.1.11:33333 maxconn 128

backend logic333
    mode http
    http-response set-header Strict-Transport-Security max-age=16000000;\ includeSubDomains;
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    option httpchk OPTIONS * HTTP/1.1\r\nHost:\ cworks.dev.plsxpress.com
    option log-health-checks
    server server10 10.1.1.10:20333,20712 maxconn 256 check agent-check agent-port 9333 agent-inter 4000
    server server603 10.1.1.10:20603 maxconn 256 check agent-check agent-port 9333 agent-inter 4000
    server server712 10.1.1.10:20712 maxconn 256 check agent-check agent-port 9333 agent-inter 4000
    server server11 10.1.1.11:20333 maxconn 256 check agent-check agent-port 9333 agent-inter 4000

backend logic712
    mode http
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    option httpchk OPTIONS * HTTP/1.1\r\nHost:\ cworks.dev.plsxpress.com
    server server712 10.1.1.10:712 maxconn 256 check agent-check agent-port 9333 agent-inter 4000
    server server10 10.1.1.10 maxconn 256 check agent-check agent-port 9333 agent-inter 4000
    server server11 10.1.1.11 maxconn 256 check agent-check agent-port 9333 agent-inter 4000
Can you help?
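An added example, not the poster's configuration: a URL such as https://cworks.dev.plsxpress.com:712/ makes the browser open a TCP connection to port 712, so haproxy has to bind that port before any Host-header acl can run; the fragment below binds 443 plus each developer port on one TLS-terminating frontend and selects the backend by destination port. The address, ports and certificate file are taken from the question; the backend names and the assumption that each developer port maps to its 20xxx counterpart on 10.1.1.10 are mine.

```haproxy
# Added example (not the poster's config). One TLS-terminating frontend
# binds 443 plus each developer port, so :333/:712/:603 connections reach
# haproxy at all, and the destination port picks the backend.
# Address, ports and certificate come from the question; backend names and
# the 333->20333 style mapping are assumptions.
frontend dev_https
    mode http
    option httplog
    option forwardfor
    bind 96.81.169.83:443 ssl crt star.dev.plsxpress.com.pem no-sslv3
    bind 96.81.169.83:333 ssl crt star.dev.plsxpress.com.pem no-sslv3
    bind 96.81.169.83:712 ssl crt star.dev.plsxpress.com.pem no-sslv3
    bind 96.81.169.83:603 ssl crt star.dev.plsxpress.com.pem no-sslv3
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port %[dst_port]
    # dst_port is the port the client actually connected to (the same value
    # the browser puts after the colon in the Host header); match on it
    # rather than on the header text
    acl to333 dst_port 333
    acl to712 dst_port 712
    acl to603 dst_port 603
    use_backend dev333 if to333
    use_backend dev712 if to712
    use_backend dev603 if to603
    # plain :443 requests fall through to the default developer port
    default_backend dev333

backend dev333
    mode http
    option httpchk OPTIONS * HTTP/1.1\r\nHost:\ cworks.dev.plsxpress.com
    server server10 10.1.1.10:20333 maxconn 256 check

backend dev712
    mode http
    option httpchk OPTIONS * HTTP/1.1\r\nHost:\ cworks.dev.plsxpress.com
    server server10 10.1.1.10:20712 maxconn 256 check

backend dev603
    mode http
    option httpchk OPTIONS * HTTP/1.1\r\nHost:\ cworks.dev.plsxpress.com
    server server10 10.1.1.10:20603 maxconn 256 check
```

With `option httplog` on the frontend, each request line in the haproxy log names the backend it was routed to, which confirms whether a :712 request reached dev712 before looking at the Apache access_log on 10.1.1.10.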