Struggle with ACL

Hi, I want to use HAProxy to reverse proxy “Geth RPC”.

let’s say proxy server = 1.1.1.1

backend server A = 2.2.2.2

backend server B = 3.3.3.3

What I need is:

if I access https://1.1.1.1/h1, proxy to 2.2.2.2:16666 with HTTP SSL
if I access https://1.1.1.1/h2, proxy to 3.3.3.3:16666 with HTTP SSL

if I access https://1.1.1.1/w1, proxy to 2.2.2.2:16888 with WS SSL
if I access https://1.1.1.1/w2, proxy to 3.3.3.3:16888 with WS SSL

I was doing a lot of research in Chinese guides and they won't work at all.

I've used HAProxy 2.8, 2.79, 2.2.9.

Basically something like:

use_backend backend_server_a_h1 if { hdr(host) -i 1.1.1.1 } { path_beg /h1/ }
use_backend backend_server_b_h2 if { hdr(host) -i 1.1.1.1 } { path_beg /h2/ }
use_backend backend_server_a_w1 if { hdr(host) -i 1.1.1.1 } { path_beg /w1/ }
use_backend backend_server_b_w2 if { hdr(host) -i 1.1.1.1 } { path_beg /w2/ }

backend backend_server_a_h1
    server server_a 2.2.2.2:16666

backend backend_server_b_h2
    server server_b 3.3.3.3:16666

backend backend_server_a_w1
    server server_a 2.2.2.2:16888

backend backend_server_b_w2
    server server_b 3.3.3.3:16888

best regards,
Markus

Hi, appreciate your help.

I really did a lot of work on the ACL stuff,

and this code which you typed is not working.

Let me show you the full code.

The backend server is “no problem” because I can reverse proxy without ACL control.

For now I was using different domains to control access to a specific backend server,

but it's too annoying; I was wondering about /h1 /h2 /w1 /w2 controlling access with only one domain.

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user root
    group root
    daemon
    maxconn 30000
    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # See: https://ssl-config.mozilla.org/#server=haproxy&server-version=2.0.3&config=intermediate
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECD>
    ssl-default-bind-ciphersuites TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log     global
    mode    tcp
    option  httplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  5000
    timeout http-keep-alive 2h
    option http-server-close
    option forwardfor
    maxconn 30000
    option http-keep-alive

frontend proxy
    bind *:443 ssl crt /root/ssl/maiko.pem
    option http-keep-alive
    acl hdr_connection_upgrade hdr(Connection) -i upgrade
    acl hdr_upgrade_websocket  hdr(Upgrade)    -i websocket
    http-request add-header X-Forwarded-Proto https
    http-response set-header Access-Control-Allow-Origin "*"
    http-response set-header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization, JSNLog-RequestId, activityId, applicationId, applicationUserId, channelId, senderId, sessionId"
    http-response set-header Access-Control-Max-Age 3628800
    http-response set-header Access-Control-Allow-Methods "GET, DELETE, OPTIONS, POST, PUT"

    use_backend backend_server_a_h1 if { hdr(host) -i 127.0.0.1 } { path_beg /h1 }
    use_backend backend_server_b_h2 if { hdr(host) -i 127.0.0.1 } { path_beg /h2 }
    use_backend backend_server_a_w1 if { hdr(host) -i 127.0.0.1 } { path_beg /w1 }
    use_backend backend_server_b_w2 if { hdr(host) -i 127.0.0.1 } { path_beg /w2 }

backend backend_server_a_h1
    server server_a xxx.maiko.icu:16666

backend backend_server_b_h2
    server server_b yyy.maiko.icu:16666

backend backend_server_a_w1
    server server_a xxx.maiko.icu:16888

backend backend_server_b_w2
    server server_b yyy.maiko.icu:16888

The proxy server's domain was

proxy.maiko.icu

So in this example I was accessing https://proxy.maiko.icu/h1, /h2, /w1, /w2 from external.

Hi,

when the host-header is proxy.maiko.icu, you should use this host-header in the backend decision, too:

use_backend backend_server_a_h1      if { hdr(host) -i proxy.maiko.icu } { path_beg /h1 }
use_backend backend_server_b_h2      if { hdr(host) -i proxy.maiko.icu } { path_beg /h2 } 
use_backend backend_server_a_w1      if { hdr(host) -i proxy.maiko.icu } { path_beg /w1 }
use_backend backend_server_b_w2      if { hdr(host) -i proxy.maiko.icu } { path_beg /w2 }

best regards,
Markus

Still the same issue.

This is really weird.

“The same issue” means what in detail? What does the log say?
It would be a good idea to use the http-mode instead of tcp-mode, too.

best regards,
markus

“Same issue” means it can't connect to bsc.maiko.icu:16666.

In my opinion,

when I access https://proxy.maiko.icu/h1, does it mean it proxies to http://xxx.maiko.icu:16666/h1?

So it will cause a problem.

What I want is just to proxy to http://xxx.maiko.icu:16666.

The log shows no problem, and I also changed to mode http too.

Implement it another way, without “path_beg”?

Thx…

You need to be in HTTP mode, not TCP mode if you want to do anything related to HTTP headers (read HTTP headers, add HTTP headers, etc).

Hi, it's HTTP mode already; let me show you the result and code.

The left side is direct access to the address I want,

and the right side is access via the reverse proxy,

and it's not the result I want; I want to access it directly like http://bsc.maiko.icu:16666.

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats timeout 30s
    user root
    group root
    daemon
    maxconn 30000

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    timeout connect 10s
    timeout client  200000s
    timeout server  10s
    timeout http-keep-alive 2h
    option http-server-close
    option forwardfor
    maxconn 30000
    option http-keep-alive

frontend proxy
    bind *:80
    option http-keep-alive
    acl hdr_connection_upgrade hdr(Connection) -i upgrade
    acl hdr_upgrade_websocket  hdr(Upgrade)    -i websocket
    http-request add-header X-Forwarded-Proto https
    http-response set-header Access-Control-Allow-Origin "*"
    http-response set-header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Authorization, JSNLog-RequestId, activityId, applicationId, applicationUserId, channelId, senderId, sessionId"
    http-response set-header Access-Control-Max-Age 3628800
    http-response set-header Access-Control-Allow-Methods "GET, DELETE, OPTIONS, POST, PUT"

    use_backend backend_server_a_h1 if { hdr(host) -i proxy.maiko.icu } { path_beg /h1 }
    use_backend backend_server_b_h2 if { hdr(host) -i proxy.maiko.icu } { path_beg /h2 }
    # the closing brace must be a separate token, "proxy.maiko.icu}" is a parse error
    use_backend backend_server_a_w1 if { hdr(host) -i proxy.maiko.icu } { path_beg /w1 }
    use_backend backend_server_b_w2 if { hdr(host) -i proxy.maiko.icu } { path_beg /w2 }

backend backend_server_a_h1
    server server_a bsc.maiko.icu:16666

backend backend_server_b_h2
    server server_b bsc2.maiko.icu:16666

backend backend_server_a_w1
    server server_a bsc.maiko.icu:16888

backend backend_server_b_w2
    server server_b bsc2.maiko.icu:16888

But again, if I use a single reverse proxy without ACL control it will be OK,

but for my usage environment I really need something like /h1 /h2 to control it.

An ACL will only match what you want to match.

But /h1 will still be sent to your backend. I’m assuming the request is routed to the correct backend but 404s because it doesn’t know what to do with the path /h1.

You can also rewrite the request to remove h1 from the path.

The reason this is a terrible idea is that this will only rewrite the HTTP URI. If the page references /style.css and /functions.js, haproxy won’t know how to route them correctly, because they don’t contain the /h1 reference.

If you really only have websocket upgrades in there, YMMV. With a normal webpage this would certainly be a disaster, unless you can configure the backend application so it does not assume path / but path /h1/

Routing based on different hostnames is a lot simpler and in many cases the only realistic option.

Understood, like I guessed 2 days ago it will access http://xxx.maiko.icu:16666/h1,

but for my usage condition it's not a website or something that will be affected by this.

My usage condition is just blockchain node RPC, so it only needs to access domain:16666 and :16888,

so I can rewrite to delete /h1 /h2 /w1 /w2 at the backend.

Can you teach me how to rewrite to delete /h1 /h2 /w1 /w2 at the backend?

I guess using

http-request replace-value
or
http-request set-header host

I'm trying to code some examples but they're not working…

Finally, I used replace-path to implement my request.

Thx for giving me the idea.


Hi lukastribus,

I finally solved the problem with “replace-path”,

but only on frontend port 80 or 443.

But if I listen on a different port like 888 or 999, the “replace-path” will fail with the same code,

like http://proxy.maiko.icu:888/h1

How to redirect to bsc.maiko.icu:16666?

Do you know where I can find the symbol rules for rewrite stuff like / /\1 <== I don't really understand what this means.

Refer to the documentation:

http://docs.haproxy.org/2.6/configuration.html#4.2-http-request%20replace-path

It’s a regular expression.
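As an added example, not from the thread or from lukastribus's reply, here is a complete HAProxy 2.x config that ties the answers above together: HTTP mode, path-prefix ACLs with the host check, and a replace-path in each backend that strips /h1, /h2, /w1 or /w2 so Geth only ever sees "/". Hostnames, ports and the certificate path are the ones from the thread; the geth_* backend names and the extra bind on port 888 are assumptions. One detail the thread does not state but that explains the port-888 failure: on a non-default port the client sends "Host: proxy.maiko.icu:888", which an exact "hdr(host) -i proxy.maiko.icu" never matches, so no use_backend rule fires and HAProxy answers 503.

```haproxy
global
    maxconn 30000

defaults
    mode    http                      # hdr()/path ACLs and rewrites need HTTP mode, not tcp
    option  forwardfor
    timeout connect 5s
    timeout client  60s
    timeout server  60s
    timeout tunnel  1h                # applies once a WebSocket upgrade has succeeded

frontend proxy
    bind *:443 ssl crt /root/ssl/maiko.pem
    bind *:888 ssl crt /root/ssl/maiko.pem     # assumption: the non-standard port from the thread
    http-request set-header X-Forwarded-Proto https
    # On port 888 the Host header is "proxy.maiko.icu:888"; an exact match on the whole
    # header fails there, so compare only the part before the ':'.
    acl host_proxy req.hdr(host),field(1,:) -i proxy.maiko.icu
    # Match whole path segments so that e.g. /h10 is not mistaken for /h1.
    acl p_h1 path /h1
    acl p_h1 path_beg /h1/
    acl p_h2 path /h2
    acl p_h2 path_beg /h2/
    acl p_w1 path /w1
    acl p_w1 path_beg /w1/
    acl p_w2 path /w2
    acl p_w2 path_beg /w2/
    use_backend geth_a_http if host_proxy p_h1
    use_backend geth_b_http if host_proxy p_h2
    use_backend geth_a_ws   if host_proxy p_w1
    use_backend geth_b_ws   if host_proxy p_w2
    # No default_backend: any other host or path gets a 503 instead of reaching a node.

backend geth_a_http
    # "/h1", "/h1/" and "/h1/x" reach the node as "/", "/" and "/x"; \1 is the captured group.
    http-request replace-path ^/h1/?(.*)$ /\1
    server server_a bsc.maiko.icu:16666 check

backend geth_b_http
    http-request replace-path ^/h2/?(.*)$ /\1
    server server_b bsc2.maiko.icu:16666 check

backend geth_a_ws
    # WebSocket upgrades need no extra rules in HTTP mode; HAProxy forwards them as-is.
    http-request replace-path ^/w1/?(.*)$ /\1
    server server_a bsc.maiko.icu:16888 check

backend geth_b_ws
    http-request replace-path ^/w2/?(.*)$ /\1
    server server_b bsc2.maiko.icu:16888 check
```

Check the file with `haproxy -c -f /path/to/haproxy.cfg` before reloading; a missing space before a `}` or a bad regex shows up there rather than as a silent 503.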

Damn…

It's so hard; after reading I still can't code the correct code.

HAProxy has perfect performance but it's really hard to match my usage environment.

The same problem was easy to write in nginx haha.

Seems I'd need a few proxy servers…