On Thu, 25 Oct 2018 6:13 pm Imam Toufique <techie...@gmail.com> wrote:

> So I almost got this to work, based on the situation I am in.  To
> elaborate just a bit, my setup involves a shibboleth SP that I need to
> authenticate my application.  Since I can't set up the HA proxy node with
> shibboleth SP - I had to wrap my application in the backend with apache so
> I can pass REMOTE_USER to the application.  The application I have is
> jupyterhub, and it starts with its own proxy.  Long story short, here is my
> current setup:
>
> frontend
>    bind :80
>    bind :443 ssl crt /etc/haproxy/crsplab2_1.pem
>    stats uri /haproxy?stats
>    default_backend web1_cluster
>    option httplog
>    log global
>    #option dontlognull
>    log /dev/log local0 debug
>    mode http
>    option forwardfor   # forward IP
>    http-request set-header X-Forwarded-Port %[dst_port]
>    http-request add-header X-Forwarded-Proto https if { ssl_fc }
>    redirect scheme https if !{ ssl_fc }
>
> acl host_web3 path_beg /jhub
> use_backend web3_cluster if host_web3
>
> backend
> server web1.oit.uci.edu 128.110.80.5:80 check
>
> This works for the most part.  But I am confused by a problem. When I
> get to my application, my backend IP address shows up in the browser URL.
>
> for example, I see this in my browser:
>
> http://128.110.80.5/jhub/user/itoufiqu/tree?
>
> whereas, I was expecting that it would show the original URL, such as:
>
> http://crsplab2.domain.com/jhub/user/itoufiqu/tree?  ( where
> crsplab2.domain.com is the URL to get HAproxy )
>

You need to tell your backend app that it runs behind a reverse proxy with
SSL termination and that its domain/URL is https://crsplab2.domain.com
<http://crsplab2.domain.com/jhub/user/itoufiqu/tree>. How you do that
depends on the backend app you are using, but most of them, like apache2,
tomcat etc., have specific configs that you can find in their documentation.
For example, if your backend is apache2, I bet you don't have the DomainName
set in the config, in which case it defaults to the host IP address.


> While I am no expert in the HA proxy world, I think this might be due to the
> fact that my backend does not have SSL and the HAproxy frontend does have SSL.
> At this point, I would avoid that IP address showing up in the browser.  What
> is the best way to accomplish this?
>
> Thanks for your continued help!
>
>
>
>
>
>
> On Tue, Oct 23, 2018 at 8:35 AM Aleksandar Lazic <al-hapr...@none.at>
> wrote:
>
>> Hi.
>>
>> Am 23.10.2018 um 09:04 schrieb Imam Toufique:
>> > I am looking for some help on how to write the following apache
>> > proxypass rules in HAproxy.  Not to mention I am at a bit of loss with
>> > my first try :-) .  Here are my current proxypass rules:
>> >
>> > ProxyPass http://10.1.100.156:8000/jhub
>> > ProxyPassReverse http://10.1.100.156:8000/jhub
>>
>> Well, ProxyPass and ProxyPassReverse do a lot of things, not just rewrites,
>> as mentioned in the doc
>>
>> https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypass
>> https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypassreverse
>>
>>
>> > <LocationMatch "/jhub/(user/[^/]*)/(api/kernels/[^/]+/channels/websocket)(.*)">
>> >     ProxyPassMatch ws://10.1.100.156:8000/jhub/$1/$2$3
>> >     ProxyPassReverse ws://10.1.100.156:8000/jhub/$1/$2$3
>> > </LocationMatch>
>> >
>> > As I am not well versed in the massive HAproxy configuration guide, if
>> > any of you can give me a hand with this, I would very much appreciate it.
>>
>> I'm also not "that" expert but I would try the following, untested.
>>
>> ###
>> defaults
>>   mode http
>>   log global
>>
>>   #... maybe some other settings
>>   timeout tunnel 10h
>>
>> frontend https_001
>>
>>   #... maybe some other settings
>>
>>   acl websocket path_beg /jhub
>>
>>   #... maybe some other  acls
>>
>>   use_backend websocket_001 if websocket
>>
>> backend websocket_001
>>
>>   reqrep "^([^\ :]*) /jhub/(user/[^/]*)/(api/kernels/[^/]+/channels/websocket)(.*)" "/jhub/\1/\2\3"
>>
>>   # You will need to replace the first column with the response from the
>>   # backend response
>>   # rspirep "^Location: /jhub/(user/[^/]*)/(api/kernels/[^/]+/channels/websocket)(.*)" "Location: /jhub/\1/\2\3"
>>   # OR
>>   # http-response replace-header Location "/jhub/(user/[^/]*)/(api/kernels/[^/]+/channels/websocket)(.*)" "/jhub/\1/\2\3"
>>
>>   # add some checks
>>
>>   server ws_01 10.1.100.156:8000 check
>> ###
>>
>> Here are some links which may help you also.
>>
>> https://www.haproxy.com/blog/websockets-load-balancing-with-haproxy/
>> https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-reqirep
>> https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-rspirep
>>
>> I would run haproxy in debug mode, see how the request passes through
>> haproxy, and adapt the config.
>>
>> It would be nice when you show us the working conf ;-)
>>
>> It would be nice to have a
>>
>> http-request replace-uri <match-regex> <replace-fmt>
>>
>> to replace the reqrep.
>>
>> > thanks
>>
>> Hth
>> Aleks
>>
>>
>
> --
> Regards,
> *Imam Toufique*
> *213-700-5485*
>
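
The proxy-side counterpart of the advice above, as an added example that is not part of the original thread: an HAProxy 1.8-style configuration that overwrites the forwarded headers instead of appending to them and rewrites only those `Location` redirects that point at the backend's own address, which is the part of `ProxyPassReverse` the thread is missing. The names `fe_main` and `jhub_apache` are placeholders, and using `web3_cluster` as the name of the unnamed backend is an assumption; the addresses and hostname are the ones quoted in the thread.

```haproxy
# Added example (not from the thread). fe_main and jhub_apache are
# placeholder names; web3_cluster is assumed to be the unnamed backend.
frontend fe_main
    mode http
    bind :80
    bind :443 ssl crt /etc/haproxy/crsplab2_1.pem
    option httplog
    log global

    # Plain-HTTP requests never reach the backend; they are redirected.
    redirect scheme https if !{ ssl_fc }

    # set-header replaces any value the client sent. add-header would
    # append a second X-Forwarded-Proto next to a client-supplied one,
    # and the backend might trust whichever it reads first.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Port %[dst_port]
    option forwardfor

    acl is_jhub path_beg /jhub
    use_backend web3_cluster if is_jhub

backend web3_cluster
    mode http

    # ProxyPassReverse equivalent: rewrite a redirect only when it
    # targets the backend's own address, keep the path, and leave every
    # other Location value untouched.
    http-response replace-header Location ^https?://128\.110\.80\.5(:80)?(/.*)?$ https://crsplab2.domain.com\2

    server jhub_apache 128.110.80.5:80 check
```

The rewrite hides the symptom at the proxy; the backend still needs its canonical hostname and scheme configured, as the reply says, so that absolute URLs it generates inside page bodies are correct as well.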
