On Wed, May 28, 2014 at 4:02 PM, Souda Burger <soudabur...@gmail.com> wrote:
> Baptiste,
>
> Thanks for your help again. How would you recommend rewriting with HAProxy
> to do that on the fly? If you've got something that should work that's
> already written, that's easier than me trying to piece things together from
> different sources.
>
>
> On Wed, May 28, 2014 at 9:00 AM, Baptiste <bed...@gmail.com> wrote:
>>
>> On Wed, May 28, 2014 at 3:57 PM, Souda Burger <soudabur...@gmail.com>
>> wrote:
>> > Baptiste,
>> >
>> > Thanks for the heads up. Just to make sure I understand, you're saying
>> > that
>> > my "balanced" application server, in this case a tomcat pair, needs to
>> > account for the header modification and it does not appear that it is
>> > currently doing that? If so, thanks for your help, I can take that to
>> > my
>> > developers!
>> >
>> >
>> > On Wed, May 28, 2014 at 8:45 AM, Baptiste <bed...@gmail.com> wrote:
>> >>
>> >> On Wed, May 28, 2014 at 3:00 PM, Souda Burger <soudabur...@gmail.com>
>> >> wrote:
>> >> > I have an haproxy server set up with a compiled 1.5-dev25 version of
>> >> > HaProxy. I am needing SSL and since SSL isn't available in 1.4, I
>> >> > compiled
>> >> > 1.5. I have everything working, but I noticed something peculiar and
>> >> > wasn't
>> >> > sure if this was expected behavior or not. Below is my SSL
>> >> > haproxy.cfg
>> >> > file
>> >> > along with the wget that I performed against my websserver. It
>> >> > appears
>> >> > to
>> >> > initially redirect HTTPS to HTTP which then rewrites the connection
>> >> > back
>> >> > to
>> >> > HTTPS. Again, is this expected behavior or is something in my config
>> >> > incorrect? Thanks!
>> >> >
>> >> > global
>> >> > daemon
>> >> > log 127.0.0.1 local2
>> >> > maxconn 4096
>> >> > user haproxy
>> >> > group haproxy
>> >> > chroot /var/chroot/haproxy
>> >> >
>> >> > defaults
>> >> > log global
>> >> > mode http
>> >> > retries 3
>> >> > option httplog
>> >> > option dontlognull
>> >> > option redispatch
>> >> > timeout server 50000
>> >> > timeout client 50000
>> >> > timeout connect 5000
>> >> >
>> >> > frontend http_in
>> >> >
>> >> > bind *:80
>> >> > default_backend portalbackend
>> >> >
>> >> > frontend https_in
>> >> > reqadd X-Forwarded-Proto:\ https
>> >> > bind *:443 ssl crt /etc/haproxy/haproxy.crt
>> >> > default_backend portalbackend
>> >> >
>> >> > backend portalbackend
>> >> > balance leastconn
>> >> > redirect scheme https if !{ ssl_fc }
>> >> > option httpchk GET /login.jsp
>> >> > option forwardfor
>> >> > option http-server-close
>> >> > server node1 <ip1>:8080 check inter 5000
>> >> > server node2 <ip2>:8080 check inter 5000
>> >> >
>> >> >
>> >> >
>> >> > 07:53:18 ~$ wget https://haproxy --no-check-certificate
>> >> > --2014-05-28 07:59:55-- https://haproxy/
>> >> > Resolving haproxy... 192.168.8.213
>> >> > Connecting to haproxy|192.168.8.213|:443... connected.
>> >> > WARNING: cannot verify haproxy's certificate, issued by
>> >> > '/CN=www.exceliance.fr':
>> >> > Self-signed certificate encountered.
>> >> > WARNING: certificate common name 'www.exceliance.fr' doesn't
>> >> > match
>> >> > requested host name 'haproxy'.
>> >> > HTTP request sent, awaiting response... 302 Found
>> >> > Location: http://haproxy/login.jsp [following]
>> >> > --2014-05-28 07:59:55-- http://haproxy/login.jsp
>> >> > Connecting to haproxy|192.168.8.213|:80... connected.
>> >> > HTTP request sent, awaiting response... 302 Found
>> >> > Location: https://haproxy/login.jsp [following]
>> >> > --2014-05-28 07:59:55-- https://haproxy/login.jsp
>> >> > Reusing existing connection to haproxy:443.
>> >> > HTTP request sent, awaiting response... 200 OK
>> >> > Length: 7327 (7.2K) [text/html]
>> >> > Saving to: 'index.html.1'
>> >> >
>> >> >
>> >> >
>> >> > 100%[=====================================================================================================================>]
>> >> > 7,327 --.-K/s in 0s
>> >> >
>> >> > 2014-05-28 07:59:55 (81.3 MB/s) - 'index.html.1' saved [7327/7327]
>> >> >
>> >>
>> >>
>> >> Hi Souda,
>> >>
>> >> The first 302 seems to be sent by your application server which does
>> >> not seems to take into account you "X-Forwarded-Proto" header.
>> >>
>> >> Baptiste
>> >
>> >
>>
>> Yes, this is what I meant.
>> Your application should read this header and write the redirect in
>> consequence.
>> The first 302 response should be "https://haproxy/login.jsp";.
>>
>> Or you could use HAProxy to rewrite it on the fly, but it's a dirty
>> workaround.
>>
>> Baptiste
>
>
Look for rspirep in the documentation there is an example about the
Location header.
Baptiste
