Hello,
I'm a new haproxy user (using haproxy 1.5) and I'm running into a few
hitches.
I made a stats backend:
backend bk_stats
log global
mode http
stats enable
stats uri /
stats scope ft_submission
stats scope bk_postfix
And because I wanted to have users authed by ssl client certificate, I
put some http-response add-header statements into the frontend for
debugging:
frontend ft_stats
log global
mode http
bind 131.159.42.4:443 ssl crt myserver.combined.key.pem ca-file
mycafile.pem verify required no-sslv3 no-tlsv10 no-tlsv11
http-response add-header X-SSL-Client-CN %[ssl_c_s_dn(cn)]
http-response add-header X-SSL-Client-E %[ssl_c_s_dn(emailAddress)]
http-response add-header X-SSL-Client-DN %[ssl_c_s_dn]
acl cn_allowed ssl_c_s_dn(emailAddress) -f /etc/haproxy/haproxy_admins
#acl cn_allowed always_true
use_backend bk_ssl_error unless cn_allowed
default_backend bk_stats
However, these headers won't show up in the response. They also won't
show up if I put the add-header statements into the backend. It seems
that "stats enable" disregards http-response lines. There is a "stats
http-request" option but that doesn't allow adding any headers.
As a workaround I just shimmed in another frontend and backend where I
put the http-request add-header lines. [1]
I believe that this is a bug, at least in the way that nothing in the
documentation hints that "http-request add-header" in a /frontend/ will
be ignored if the /backend/ has stats enabled. In fact, the
documentation for http-response [2] states
Since these rules apply on responses, the backend
rules are applied first, followed by the frontend's rules.
So whatever response the backend delivers to the frontend should have no
influence on the headers being added by the frontend.
Can anyone more experienced with haproxy tell me if this is really a bug
or if I am just doing something wrong?
Best regards,
Luke
[1] http://ix.io/kiO
[2]
https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-http-response