URL redirect HAproxy

Hi guys,
I need to use ADFS with HAPROXY.
At the moment the only problem I have is that I can’t make the redirect from https://adfsstg.xxx.com to https://adfsstg.xxx.com/adfs/ls/IdpInitiatedSignOn.aspx
This is my frontend:

frontend adfsstg
  bind 10.129.10.3:443 ssl crt /etc/ssl/certs/wildcard.pem
  mode http
  redirect scheme https if !{ ssl_fc }
  acl is_root path -i  /
  redirect code 301 location adfsstg.xxx.com/adfs/ls/IdpInitiatedSignOn.aspx  if is_root
  use_backend adfsstg

This is my backend:

backend adfsstg
  balance roundrobin
  http-request set-header X-Forwarded-Port %[dst_port]
  http-request add-header X-Forwarded-Proto https if { ssl_fc }
  mode http
  http-request deny if !{ src -f /etc/haproxy/allowedoffices.acl }
  server adfsstg.xxx.com 10.129.9.144:443 check ssl verify none

Can you help me, please?
Thank you so much.

What is the actual problem? Could you include the output of curl -v https://adfsstg.xxx.com?

My hunch is that it redirects to https://adfsstg.xxx.com/adfsstg.xxx.com/adfs/... (i.e. it doubles the domain).

To fix this, just use the path in the redirect, as in redirect code 301 location /adfs/ls/..., or use the full URL as in https://....
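The doubled-domain behaviour described in the reply above can be checked offline. The following is an added example, not part of the original thread: it pulls every `redirect ... location` target out of a config snippet and resolves it the way an HTTP client resolves a `Location` header against the request URL. The sample config is constructed from the lines posted in the thread, and the function names are hypothetical.

```python
from urllib.parse import urljoin, urlsplit

# Constructed sample: the redirect line from the posted frontend, followed by
# the two corrected forms suggested in the reply (path only, full URL).
SAMPLE_CFG = """\
frontend adfsstg
  acl is_root path -i  /
  redirect code 301 location adfsstg.xxx.com/adfs/ls/IdpInitiatedSignOn.aspx  if is_root
  redirect code 301 location /adfs/ls/IdpInitiatedSignOn.aspx if is_root
  redirect code 301 location https://adfsstg.xxx.com/adfs/ls/IdpInitiatedSignOn.aspx if is_root
"""


def redirect_locations(cfg_text):
    """Yield (line_no, target) for each 'redirect ... location <target>' rule."""
    for no, line in enumerate(cfg_text.splitlines(), 1):
        words = line.split()
        is_rule = words[:1] == ["redirect"] or words[:2] == ["http-request", "redirect"]
        if is_rule and "location" in words[:-1]:
            yield no, words[words.index("location") + 1]


def audit(cfg_text, request_url):
    """Return (line_no, kind, url_the_client_will_request) per redirect rule."""
    findings = []
    for no, target in redirect_locations(cfg_text):
        parts = urlsplit(target)
        if parts.scheme and parts.netloc:
            kind = "absolute"   # full URL, used as-is by the client
        elif target.startswith("/") and not target.startswith("//"):
            kind = "path"       # keeps scheme and host of the request
        else:
            kind = "relative"   # no scheme, no leading slash: appended to the request path
        findings.append((no, kind, urljoin(request_url, target)))
    return findings


if __name__ == "__main__":
    for no, kind, url in audit(SAMPLE_CFG, "https://adfsstg.xxx.com/"):
        flag = "CHECK" if kind == "relative" else "ok"
        print(f"line {no}: {kind:8} -> {url} [{flag}]")
```

Any rule reported as `relative` sends the client to a path under the current host rather than to the host named in the rule.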

Hi ciprian,
Thanks for your reply!
This is the output of curl:

curl -v https://adfsstg.xxx.com
* About to connect() to adfsstg.xxx.com port 443 (#0)
*   Trying 185.44.23.241...
* Connected to adfsstg.xxx.com (185.44.23.241) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* 	subject: CN=www.xxx.com,OU=Multi-Domain SSL,O=xxx,STREET=x xx,L=xxx,ST=xxxlCode=xx,C=xx
* 	start date: Sep 05 00:00:00 2019 GMT
* 	expire date: Dec 02 23:59:59 2021 GMT
* 	common name: www.xxx.com
* 	issuer: CN=Sectigo RSA Organization Validation Secure Server CA,O=Sectigo Limited,L=Salford,ST=Greater Manchester,C=GB
> GET / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: adfsstg.xxx.com
> Accept: */*
> 
* HTTP 1.0, assume close after body
< HTTP/1.0 503 Service Unavailable
< Cache-Control: no-cache
< Connection: close
< Content-Type: text/html
< 
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>
* Closing connection 0

Thanks 🙂

Based on the curl output I have the feeling that the request is not reaching that HAProxy instance (or frontend).

To make sure you are reaching it, try to remove the if is_root ACL after the redirect so that it always redirects. Thus you can make sure you’ve reached the right frontend.