Hi guys,
I need to use ADFS with HAPROXY.
At the moment the only problem I have is that I can’t make the redirect from https://adfsstg.xxx.com to https://adfsstg.xxx.com/adfs/ls/IdpInitiatedSignOn.aspx
this is my frontend:
frontend adfsstg
bind 10.129.10.3:443 ssl crt /etc/ssl/certs/wildcard.pem
mode http
redirect scheme https if !{ ssl_fc }
acl is_root path -i /
redirect code 301 location adfsstg.xxx.com/adfs/ls/IdpInitiatedSignOn.aspx if is_root
use_backend adfsstg
this is my backend:
backend adfsstg
balance roundrobin
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
mode http
http-request deny if !{ src -f /etc/haproxy/allowedoffices.acl }
server adfsstg.xxx.com 10.129.9.144:443 check ssl verify none
can you help me please?
Thank you so much
What is the actual problem? Could you include the output of curl -v https://adfsstg.xxx.com ?
My hunch is that it redirects to https://adfsstg.xxx.com/adfsstg.xxx.com/adfs/... (i.e. it doubles the domain).
To fix this, just use the path for the redirect, as in redirect code 301 location /adfs/ls/..., or use the full URL, as in https://...
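To see why the bare-hostname form doubles the domain, here is an added example (not from the thread or from HAProxy) that resolves each candidate "redirect location" value the way a browser resolves a Location header, using the hostname and path from the post; the request URL and expected host are assumptions taken from the thread.

```python
# Added example (not from the thread): simulate how a client resolves the
# Location header HAProxy emits for each candidate "redirect location" value,
# to show why the bare-hostname form doubles the domain. Hostname and path
# are taken from the thread; nothing here touches the network.
from urllib.parse import urljoin, urlsplit

REQUEST_URL = "https://adfsstg.xxx.com/"      # what the browser asked for (assumed)
EXPECTED_HOST = "adfsstg.xxx.com"
TARGET_PATH = "/adfs/ls/IdpInitiatedSignOn.aspx"

# Candidate values for "redirect code 301 location <value>".
CANDIDATES = {
    "bare_host": "adfsstg.xxx.com/adfs/ls/IdpInitiatedSignOn.aspx",         # original post
    "path_only": "/adfs/ls/IdpInitiatedSignOn.aspx",                         # suggested fix 1
    "absolute": "https://adfsstg.xxx.com/adfs/ls/IdpInitiatedSignOn.aspx",   # suggested fix 2
}


def resolve_location(request_url: str, location: str) -> str:
    """Resolve a Location header against the request URL per RFC 3986.

    HAProxy's 'redirect location' sends the value verbatim. A value with no
    scheme and no leading '/' is a relative-path reference, so the client
    appends it to the directory of the current request URL.
    """
    return urljoin(request_url, location)


def check_redirect(request_url: str, location: str) -> dict:
    """Report whether the resolved target keeps https (no downgrade), stays on
    the expected host, and lands on the sign-on page."""
    resolved = resolve_location(request_url, location)
    parts = urlsplit(resolved)
    return {
        "resolved": resolved,
        "https": parts.scheme == "https",
        "same_host": parts.hostname == EXPECTED_HOST,
        "correct_path": parts.path == TARGET_PATH,
    }


def redirect_ok(location: str, request_url: str = REQUEST_URL) -> bool:
    """True only if the redirect is https, same host and the expected path."""
    r = check_redirect(request_url, location)
    return r["https"] and r["same_host"] and r["correct_path"]


if __name__ == "__main__":
    for name, loc in CANDIDATES.items():
        r = check_redirect(REQUEST_URL, loc)
        print(f"{name:10s} -> {r['resolved']}  ok={redirect_ok(loc)}")
```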
Hi ciprian,
thanks for your reply!
this is the output of curl
curl -v https://adfsstg.xxx.com
* About to connect() to adfsstg.xxx.com port 443 (#0)
* Trying 185.44.23.241...
* Connected to adfsstg.xxx.com (185.44.23.241) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=www.xxx.com,OU=Multi-Domain SSL,O=xxx,STREET=x xx,L=xxx,ST=xxxlCode=xx,C=xx
* start date: Sep 05 00:00:00 2019 GMT
* expire date: Dec 02 23:59:59 2021 GMT
* common name: www.xxx.com
* issuer: CN=Sectigo RSA Organization Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: adfsstg.xxx.com
> Accept: */*
>
* HTTP 1.0, assume close after body
< HTTP/1.0 503 Service Unavailable
< Cache-Control: no-cache
< Connection: close
< Content-Type: text/html
<
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>
* Closing connection 0
Thanks
Based on the curl output I have the feeling that the request is not reaching that HAProxy instance (or frontend).
To make sure you are reaching it, try to remove the if is_root ACL after the redirect so that it always redirects. Thus you can make sure you’ve reached the right frontend.