ssl & default_backend
I'm trying to use haproxy for balancing Citrix.

I prove with:

    acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
    acl citrixsf req_ssl_sni -i ssiiprovincial.hvn.sas.junta-andalucia.es

    use_backend CitrixSF-SSL if citrixsf
    use_backend SevidoresWeblogic-12c-Balanceador-SSL
    default_backend CitrixSF-SSL

The goal is Wpx which can't use sni are redirected to CitrixSF-SSL.

I try commenting acl req_ssl_sni (right now, I have no Wpx to probe) but I receive Error-404 Not Found.

Why?

Thanks in advance.

--
*Antonio Trujillo Carmona*
*Network and systems technician.*
*Subdirección de Tecnologías de la Información y Comunicaciones*
Servicio Andaluz de Salud. Consejería de Salud de la Junta de Andalucía
_antonio.trujillo.sspa@juntadeandalucia.es_
Tel. +34 670947670 747670)
Re: ssl & default_backend
On 30/03/17 at 10:51:58, Antonio Trujillo Carmona wrote:

> I'm trying to use haproxy for balancing Citrix.
>
> I prove with:
>
> acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
> acl citrixsf req_ssl_sni -i ssiiprovincial.hvn.sas.junta-andalucia.es
>
> use_backend CitrixSF-SSL if citrixsf
> use_backend SevidoresWeblogic-12c-Balanceador-SSL
> default_backend CitrixSF-SSL
>
> The goal is Wpx which can't use sni are redirected to CitrixSF-SSL.
>
> I try commenting acl req_ssl_sni (right now, I have no Wpx to probe) but I receive Error-404 Not Found.
>
> Why?
>
> Thanks in advance.
>
> --
> *Antonio Trujillo Carmona*
> *Network and systems technician.*
> *Subdirección de Tecnologías de la Información y Comunicaciones*
> Servicio Andaluz de Salud. Consejería de Salud de la Junta de Andalucía
> _antonio.trujillo.s...@juntadeandalucia.es_
> Tel. +34 670947670 747670)

The issue of get different result in be redirected from a use_backend or from default_backend occurs in all equipment, Windows XP, 7 or even in linux.
I can't understand it.
Re: ssl & default_backend
Hello Antonio,

On 31.03.2017 at 19:36, Antonio Trujillo Carmona wrote:
> On 30/03/17 at 10:51:58, Antonio Trujillo Carmona wrote:
>
>> I'm trying to use haproxy for balancing Citrix.
>>
>> I prove with:
>>
>> acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
>> acl citrixsf req_ssl_sni -i ssiiprovincial.hvn.sas.junta-andalucia.es
>>
>> use_backend CitrixSF-SSL if citrixsf
>> use_backend SevidoresWeblogic-12c-Balanceador-SSL
>> default_backend CitrixSF-SSL
>>
>> The goal is Wpx which can't use sni are redirected to CitrixSF-SSL.

You did not tell us what Wpx is. We also don't know your complete configuration.

Please post the complete configuration and the output of haproxy -vv.

>> I try commenting acl req_ssl_sni (right now, I have no Wpx to probe) but I receive Error-404 Not Found.

With that statement I don't know which of the above lines you commented. Can you explain?

Haproxy never generates a "404 Not found message", this comes from one of your backends.

> The issue of get different result in be redirected from a use_backend or from default_backend occurs in all equipment, Windows XP, 7 or even in linux.
> I can't understand it.

I don't understand what you are saying. I suggest you explain in a few sentences what you expect from haproxy, and then, explain what the actual result is.

Lukas
Re: ssl & default_backend
On 31/03/17 at 20:26, Lukas Tribus wrote:
> Hello Antonio,
>
> On 31.03.2017 at 19:36, Antonio Trujillo Carmona wrote:
>> On 30/03/17 at 10:51:58, Antonio Trujillo Carmona wrote:
>>
>>> I'm trying to use haproxy for balancing Citrix.
>>>
>>> I prove with:
>>>
>>> acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
>>> acl citrixsf req_ssl_sni -i ssiiprovincial.hvn.sas.junta-andalucia.es
>>>
>>> use_backend CitrixSF-SSL if citrixsf
>>> use_backend SevidoresWeblogic-12c-Balanceador-SSL
>>> default_backend CitrixSF-SSL
>>>
>>> The goal is Wpx which can't use sni are redirected to CitrixSF-SSL.
>
> You did not tell us what Wpx is. We also don't know your complete configuration.
>
> Please post the complete configuration and the output of haproxy -vv.
>
>>> I try commenting acl req_ssl_sni (right now, I have no Wpx to probe) but I receive Error-404 Not Found.
>
> With that statement I don't know which of the above lines you commented. Can you explain?
>
> Haproxy never generates a "404 Not found message", this comes from one of your backends.
>
>> The issue of get different result in be redirected from a use_backend or from default_backend occurs in all equipment, Windows XP, 7 or even in linux.
>> I can't understand it.
>
> I don't understand what you are saying. I suggest you explain in a few sentences what you expect from haproxy, and then, explain what the actual result is.
>
> Lukas

It's well documented that Windows XP with Internet Explorer doesn't support sni, so I try to redirect call through "default_backend", but I got ERROR-404, it works fine with all other combinations of OS/surfer.

If I (only for test purpose) comment the four lines with "ssiiprovincial" (which means all the traffic must be redirected through default_backend) it doesn't work with any OS/surfer.
    # haproxy -vv
    HA-Proxy version 1.5.18 2016/05/10
    Copyright 2000-2016 Willy Tarreau

    Build options :
      TARGET = linux2628
      CPU = generic
      CC = gcc
      CFLAGS = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
      OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

    Default settings :
      maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

    Encrypted password support via crypt(3): yes
    Built with zlib version : 1.2.7
    Compression algorithms supported : identity, deflate, gzip
    Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
    Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
    OpenSSL library supports TLS extensions : yes
    OpenSSL library supports SNI : yes
    OpenSSL library supports prefer-server-ciphers : yes
    Built with PCRE version : 8.32 2012-11-30
    PCRE library supports JIT : no (USE_PCRE_JIT not set)
    Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

    Available polling systems :
      epoll : pref=300, test result OK
      poll : pref=200, test result OK
      select : pref=150, test result OK
    Total: 3 (3 usable), will use epoll.
This is my configuration file:

    #
    # HAProxy configuration file
    #
    global
        # This log is specific to Red Hat based systems
        log 127.0.0.1 local2 debug
        chroot /var/lib/haproxy
        user haproxy
        group haproxy
        daemon
        node BALANCEADOR-PRINCIPAL

    # to synchronize the session tables
    peers pares
        #disable
        peer gr43stemis01 10.107.20.7:1024
        peer gr43stemis02 10.107.20.8:1024

    defaults
        log global
        mode http
        option dontlognull
        option httpchk
        retries 3
        option redispatch
        maxconn 5000
        timeout connect 5s
        timeout client 15min
        timeout server 15s

    frontend Estadisticas#
        bind *:80
        option httplog
        mode http
        stats show-node
        stats enable
        # Option to redirect requests that arrive over http to https
        # it can only be placed in this frontend
        redirect scheme https if !{ ssl_fc }

    frontend Aplicaciones
        bind *:443
        mode tcp
        log global
        tcp-request inspect-delay 5s
        tcp-request content accept if { req_ssl_hello_type 1 }
        # Parameters for using SNI (Server Name Indication)
        acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
        acl citrixsf req_ssl_sni -i ssiiprovincial.gra.sas.junta-andalucia.es
        acl citrixsf req_ssl_sni -i ssiiprovincial01.gra.sas.junta-andalucia.es
        acl citrixsf req_ssl_sni -i ssiiprovincial.hvn.sas.junta-andalucia.e
Re: ssl & default_backend
Hi Antonio,

On 3-4-2017 at 13:29, Antonio Trujillo Carmona wrote:
> It's well documented that Windows XP with Internet Explorer doesn't support sni, so I try to redirect call through "default_backend", but I got ERROR-404, it works fine with all other combinations of OS/surfer.
>
> If I (only for test purpose) comment the four lines with "ssiiprovincial" (which means all the traffic must be redirected through default_backend) it doesn't work with any OS/surfer.
>
> frontend Aplicaciones
>     bind *:443
>     mode tcp
>     log global
>     tcp-request inspect-delay 5s
>     tcp-request content accept if { req_ssl_hello_type 1 }
>     # Parameters for using SNI (Server Name Indication)
>     acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
>     acl citrixsf req_ssl_sni -i ssiiprovincial.gra.sas.junta-andalucia.es
>     acl citrixsf req_ssl_sni -i ssiiprovincial01.gra.sas.junta-andalucia.es
>     acl citrixsf req_ssl_sni -i ssiiprovincial.hvn.sas.junta-andalucia.es
>     acl citrixsf req_ssl_sni -i ssiiprovincial01.hvn.sas.junta-andalucia.es
>     use_backend CitrixSF-SSL if citrixsf
>     use_backend SevidoresWeblogic-12c-Balanceador-SSL

There is no acl for the backend above? So probably the default_backend below will never be reached.
Could it be the above backend returns the 404 you're seeing?

>     default_backend CitrixSF-SSL

Regards,
PiBa-NL
Re: ssl & default_backend
Hello,

On 03.04.2017 at 13:29, Antonio Trujillo Carmona wrote:
> It's well documented that Windows XP with Internet Explorer doesn't support sni, so I try to redirect call through "default_backend", but I got ERROR-404, it works fine with all other combinations of OS/surfer.

I know that, and again, Haproxy does emit 404 errors, your backend does.

So you will have to troubleshoot in your backend to find out why a 404 is emitted.

I assume without SNI, your backend is unable to map the request to the correct vhosts, so you are hitting a default one and that is the reason for the 404.

Regards,
Lukas
Re: ssl & default_backend
On 04.04.2017 at 19:12, Lukas Tribus wrote:
> Hello,
>
> On 03.04.2017 at 13:29, Antonio Trujillo Carmona wrote:
>> It's well documented that Windows XP with Internet Explorer doesn't support sni, so I try to redirect call through "default_backend", but I got ERROR-404, it works fine with all other combinations of OS/surfer.
>
> I know that, and again, Haproxy does emit 404 errors, your backend does.

Correction, this should read:
Haproxy does NOT emit 404 errors.

PiBa-NL is right, you are probably hitting an unexpected backend with your configuration.

Lukas
Re: ssl & default_backend
On 03/04/17 at 19:12, PiBa-NL wrote:
> Hi Antonio,
>
> On 3-4-2017 at 13:29, Antonio Trujillo Carmona wrote:
>> It's well documented that Windows XP with Internet Explorer doesn't support sni, so I try to redirect call through "default_backend", but I got ERROR-404, it works fine with all other combinations of OS/surfer.
>>
>> If I (only for test purpose) comment the four lines with "ssiiprovincial" (which means all the traffic must be redirected through default_backend) it doesn't work with any OS/surfer.
>>
>> frontend Aplicaciones
>>     bind *:443
>>     mode tcp
>>     log global
>>     tcp-request inspect-delay 5s
>>     tcp-request content accept if { req_ssl_hello_type 1 }
>>     # Parameters for using SNI (Server Name Indication)
>>     acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
>>     acl citrixsf req_ssl_sni -i ssiiprovincial.gra.sas.junta-andalucia.es
>>     acl citrixsf req_ssl_sni -i ssiiprovincial01.gra.sas.junta-andalucia.es
>>     acl citrixsf req_ssl_sni -i ssiiprovincial.hvn.sas.junta-andalucia.es
>>     acl citrixsf req_ssl_sni -i ssiiprovincial01.hvn.sas.junta-andalucia.es
>>     use_backend CitrixSF-SSL if citrixsf
>>     use_backend SevidoresWeblogic-12c-Balanceador-SSL
>
> There is no acl for the backend above? So probably the default_backend below will never be reached.
> Could it be the above backend returns the 404 you're seeing?
>
>>     default_backend CitrixSF-SSL
>
> Regards,
> PiBa-NL

You are right, it's a mistake of make too much probe to get session affinity, in some one moment I eat "if aplicaciones".

Thanks.

--
Antonio Trujillo Carmona
Network and systems technician.
Subdirección de Tecnologías de la Información y Comunicaciones
Servicio Andaluz de Salud. Consejería de Salud de la Junta de Andalucía
antonio.trujillo.s...@juntadeandalucia.es
Tel. +34 670947670 747670)
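
The mistake diagnosed in this thread, as an added example (not written by any participant and not part of HAProxy): a small Python check that flags a `use_backend` rule with no `if`/`unless` condition, which hides every later `use_backend` and the section's `default_backend`. The sample configuration is constructed from the frontend posted above, and the name `find_shadowing_rules` is hypothetical.

```python
SECTIONS = {"global", "defaults", "frontend", "backend", "listen", "peers"}

# Constructed sample, based on the frontend posted in the thread.
SAMPLE_CONFIG = """\
frontend Aplicaciones
    bind *:443
    mode tcp
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
    acl citrixsf req_ssl_sni -i ssiiprovincial.hvn.sas.junta-andalucia.es
    use_backend CitrixSF-SSL if citrixsf
    use_backend SevidoresWeblogic-12c-Balanceador-SSL
    default_backend CitrixSF-SSL
"""


def find_shadowing_rules(config_text):
    """Return (section, line_no, backend, hidden_rules) for every
    unconditional use_backend that makes other rules unreachable."""
    findings = []
    section, catch_all, later, default = None, None, [], None

    def flush():
        # default_backend is hidden wherever it sits in the section.
        hidden = later + ([default] if default else [])
        if catch_all and hidden:
            findings.append((section, catch_all[0], catch_all[1], hidden))

    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        words = raw.split("#", 1)[0].split()  # naive comment strip (assumption)
        if not words:
            continue
        if words[0] in SECTIONS:
            flush()
            section = " ".join(words[:2])
            catch_all, later, default = None, [], None
        elif words[0] == "use_backend" and len(words) >= 2:
            if catch_all:
                later.append(raw.strip())   # declared after the catch-all
            elif not (len(words) > 2 and words[2] in ("if", "unless")):
                catch_all = (line_no, words[1])
        elif words[0] == "default_backend":
            default = raw.strip()
    flush()
    return findings


if __name__ == "__main__":
    for sec, line_no, backend, hidden in find_shadowing_rules(SAMPLE_CONFIG):
        print(f"{sec}: line {line_no} sends everything to {backend}; unreachable: {hidden}")
```
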