ssl & default_backend

2017-03-30 Thread Antonio Trujillo Carmona
I'm trying to use haproxy for balancing Citrix.

I try with:

acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
acl citrixsf req_ssl_sni -i ssiiprovincial.hvn.sas.junta-andalucia.es

use_backend CitrixSF-SSL if citrixsf
use_backend SevidoresWeblogic-12c-Balanceador-SSL
default_backend CitrixSF-SSL

The goal is that Wpx, which can't use SNI, is redirected to CitrixSF-SSL.

I try commenting out acl req_ssl_sni (right now, I have no Wpx to test with), but
I receive Error-404 Not Found.

Why?

Thanks in advance.

-- 

*Antonio Trujillo Carmona*

*Network and systems technician.*

*Subdirección de Tecnologías de la Información y Comunicaciones*

Servicio Andaluz de Salud. Consejería de Salud de la Junta de Andalucía

_antonio.trujillo.sspa@juntadeandalucia.es_

Tel. +34 670947670 747670)






Re: ssl & default_backend

2017-03-31 Thread Antonio Trujillo Carmona

On 30/03/17 at 10:51:58, Antonio Trujillo Carmona wrote:

> I'm trying to use haproxy for balancing Citrix.
>
> I try with:
>
> acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
> acl citrixsf req_ssl_sni -i ssiiprovincial.hvn.sas.junta-andalucia.es
>
> use_backend CitrixSF-SSL if citrixsf
> use_backend SevidoresWeblogic-12c-Balanceador-SSL
> default_backend CitrixSF-SSL
>
> The goal is that Wpx, which can't use SNI, is redirected to CitrixSF-SSL.
>
> I try commenting out acl req_ssl_sni (right now, I have no Wpx to test with), but
> I receive Error-404 Not Found.
>
> Why?
>
> Thanks in advance.
>
> --
>
> *Antonio Trujillo Carmona*
>
> *Network and systems technician.*
>
> *Subdirección de Tecnologías de la Información y Comunicaciones*
>
> Servicio Andaluz de Salud. Consejería de Salud de la Junta de Andalucía
>
> _antonio.trujillo.s...@juntadeandalucia.es [1]_
>
> Tel. +34 670947670 747670)


The issue of getting a different result when being redirected from a use_backend or
from default_backend occurs on all equipment: Windows XP, 7 or even
Linux.

I can't understand it

Links:
--
[1] mailto:_antonio.trujillo.s...@juntadeandalucia.es



Re: ssl & default_backend

2017-03-31 Thread Lukas Tribus

Hello Antonio,


On 31.03.2017 at 19:36, Antonio Trujillo Carmona wrote:

> On 30/03/17 at 10:51:58, Antonio Trujillo Carmona wrote:
>
>> I'm trying to use haproxy for balancing Citrix.
>>
>> I try with:
>>
>> acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
>> acl citrixsf req_ssl_sni -i ssiiprovincial.hvn.sas.junta-andalucia.es
>>
>> use_backend CitrixSF-SSL if citrixsf
>> use_backend SevidoresWeblogic-12c-Balanceador-SSL
>> default_backend CitrixSF-SSL
>>
>> The goal is that Wpx, which can't use SNI, is redirected to CitrixSF-SSL.


You did not tell us what Wpx is. We also don't know your complete configuration.


Please post the complete configuration and the output of haproxy -vv.





>> I try commenting out acl req_ssl_sni (right now, I have no Wpx to test with), but
>> I receive Error-404 Not Found.


With that statement I don't know which of the above lines you commented. Can
you explain?

Haproxy never generates a "404 Not found message", this comes from one of your backends.





> The issue of getting a different result when being redirected from a use_backend or
> from default_backend occurs on all equipment: Windows XP, 7 or even
> Linux.
>
> I can't understand it


I don't understand what you are saying. I suggest you explain in a few sentences
what you expect from haproxy, and then, explain what the actual result is.



Lukas




Re: ssl & default_backend

2017-04-03 Thread Antonio Trujillo Carmona
On 31/03/17 at 20:26, Lukas Tribus wrote:
> Hello Antonio,
>
>
> On 31.03.2017 at 19:36, Antonio Trujillo Carmona wrote:
>> On 30/03/17 at 10:51:58, Antonio Trujillo Carmona wrote:
>>
>>> I'm trying to use haproxy for balancing Citrix.
>>>
>>> I try with:
>>>
>>> acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
>>> acl citrixsf req_ssl_sni -i ssiiprovincial.hvn.sas.junta-andalucia.es
>>>
>>> use_backend CitrixSF-SSL if citrixsf
>>> use_backend SevidoresWeblogic-12c-Balanceador-SSL
>>> default_backend CitrixSF-SSL
>>>
>>> The goal is that Wpx, which can't use SNI, is redirected to CitrixSF-SSL.
>
> You did not tell us what Wpx is. We also don't know your complete
> configuration.
>
> Please post the complete configuration and the output of haproxy -vv.
>
>>>
>>> I try commenting out acl req_ssl_sni (right now, I have no Wpx to test with),
>>> but I receive Error-404 Not Found.
>
> With that statement I don't know which of the above lines you
> commented. Can you explain?
>
> Haproxy never generates a "404 Not found message", this comes from one
> of your backends.
>
>>
>> The issue of getting a different result when being redirected from a use_backend or
>> from default_backend occurs on all equipment: Windows XP, 7 or even
>> Linux.
>> I can't understand it
>
> I don't understand what you are saying. I suggest you explain in a few
> sentences what you expect from haproxy, and then, explain what the
> actual result is.
>
> Lukas
>
It's well documented that Windows XP with Internet Explorer doesn't
support SNI, so I try to redirect the calls through "default_backend", but I
got ERROR-404; it works fine with all other combinations of OS/surfer.
If I (only for test purposes) comment out the four lines with "ssiiprovincial"
(which means all the traffic must be redirected through default_backend)
it doesn't work with any OS/surfer.

# haproxy -vv
HA-Proxy version 1.5.18 2016/05/10
Copyright 2000-2016 Willy Tarreau 

Build options :
  TARGET  = linux2628
  CPU = generic
  CC  = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -DTCP_USER_TIMEOUT=18
  OPTIONS = USE_LINUX_TPROXY=1 USE_ZLIB=1 USE_REGPARM=1 USE_OPENSSL=1 USE_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

Encrypted password support via crypt(3): yes
Built with zlib version : 1.2.7
Compression algorithms supported : identity, deflate, gzip
Built with OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
Running on OpenSSL version : OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports prefer-server-ciphers : yes
Built with PCRE version : 8.32 2012-11-30
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

Available polling systems :
  epoll : pref=300,  test result OK
   poll : pref=200,  test result OK
 select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.


This is my configuration file:
#
#   HAProxy configuration file
#
global
#This log is specific to RED HAT based systems
log 127.0.0.1 local2 debug
chroot /var/lib/haproxy
user haproxy
group haproxy
daemon
node BALANCEADOR-PRINCIPAL

#to synchronize the session tables
peers pares
#disable
peer gr43stemis01 10.107.20.7:1024
peer gr43stemis02 10.107.20.8:1024

defaults
log global
mode http
option  dontlognull
option httpchk
retries 3
option redispatch
maxconn 5000
timeout connect 5s
timeout client  15min
timeout server 15s

frontend Estadisticas#
bind *:80
option  httplog
mode http
stats show-node
stats enable

# Option to redirect requests that come in over http to https
# it can only be placed in this frontend
redirect scheme https if !{ ssl_fc }

frontend Aplicaciones
bind *:443
mode tcp
log global
tcp-request inspect-delay 5s
tcp-request content accept if { req_ssl_hello_type 1 }

# Parameters for using SNI (Server Name Indication)
acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
acl citrixsf req_ssl_sni -i ssiiprovincial.gra.sas.junta-andalucia.es
acl citrixsf req_ssl_sni -i ssiiprovincial01.gra.sas.junta-andalucia.es
acl citrixsf req_ssl_sni -i ssiiprovincial.hvn.sas.junta-andalucia.e

Re: ssl & default_backend

2017-04-03 Thread PiBa-NL

Hi Antonio,

On 3-4-2017 at 13:29, Antonio Trujillo Carmona wrote:

> It's well documented that Windows XP with Internet Explorer doesn't
> support SNI, so I try to redirect the calls through "default_backend", but I
> got ERROR-404; it works fine with all other combinations of OS/surfer.
> If I (only for test purposes) comment out the four lines with "ssiiprovincial"
> (which means all the traffic must be redirected through default_backend)
> it doesn't work with any OS/surfer.
>
> frontend Aplicaciones
>  bind *:443
>  mode tcp
>  log global
>  tcp-request inspect-delay 5s
>  tcp-request content accept if { req_ssl_hello_type 1 }
>
>  # Parameters for using SNI (Server Name Indication)
>  acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
>  acl citrixsf req_ssl_sni -i ssiiprovincial.gra.sas.junta-andalucia.es
>  acl citrixsf req_ssl_sni -i ssiiprovincial01.gra.sas.junta-andalucia.es
>  acl citrixsf req_ssl_sni -i ssiiprovincial.hvn.sas.junta-andalucia.es
>  acl citrixsf req_ssl_sni -i ssiiprovincial01.hvn.sas.junta-andalucia.es
>
>  use_backend CitrixSF-SSL if citrixsf
>  use_backend SevidoresWeblogic-12c-Balanceador-SSL

There is no acl for the backend above? so probably the default_backend
below will never be reached.

Could it be the above backend returns the 404 you're seeing?

>  default_backend CitrixSF-SSL


Regards,

PiBa-NL




Re: ssl & default_backend

2017-04-04 Thread Lukas Tribus

Hello,


On 03.04.2017 at 13:29, Antonio Trujillo Carmona wrote:

> It's well documented that Windows XP with Internet Explorer doesn't
> support SNI, so I try to redirect the calls through "default_backend", but I
> got ERROR-404; it works fine with all other combinations of OS/surfer.


I know that, and again, Haproxy does emit 404 errors, your backend does.

So you will have to troubleshoot in your backend to find out why a 404 is emitted.

I assume without SNI, your backend is unable to map the request to the
correct vhosts, so you are hitting a default one and that is the reason
for the 404.




Regards,
Lukas




Re: ssl & default_backend

2017-04-04 Thread Lukas Tribus


On 04.04.2017 at 19:12, Lukas Tribus wrote:

> Hello,
>
> On 03.04.2017 at 13:29, Antonio Trujillo Carmona wrote:
>
>> It's well documented that Windows XP with Internet Explorer doesn't
>> support SNI, so I try to redirect the calls through "default_backend", but I
>> got ERROR-404; it works fine with all other combinations of OS/surfer.
>
> I know that, and again, Haproxy does emit 404 errors, your backend does.


Correction, this should read:
Haproxy does NOT emit 404 errors.

PiBa-NL is right, you are probably hitting an unexpected backend with
your configuration.




Lukas



Re: ssl & default_backend

2017-04-06 Thread Antonio Trujillo Carmona

  
  
On 03/04/17 at 19:12, PiBa-NL wrote:
> Hi Antonio,
>
> On 3-4-2017 at 13:29, Antonio Trujillo Carmona wrote:
>> It's well documented that Windows XP with Internet Explorer doesn't
>> support SNI, so I try to redirect the calls through "default_backend", but I
>> got ERROR-404; it works fine with all other combinations of OS/surfer.
>> If I (only for test purposes) comment out the four lines with "ssiiprovincial"
>> (which means all the traffic must be redirected through default_backend)
>> it doesn't work with any OS/surfer.
>>
>> frontend Aplicaciones
>>  bind *:443
>>  mode tcp
>>  log global
>>  tcp-request inspect-delay 5s
>>  tcp-request content accept if { req_ssl_hello_type 1 }
>>
>>  # Parameters for using SNI (Server Name Indication)
>>  acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
>>  acl citrixsf req_ssl_sni -i ssiiprovincial.gra.sas.junta-andalucia.es
>>  acl citrixsf req_ssl_sni -i ssiiprovincial01.gra.sas.junta-andalucia.es
>>  acl citrixsf req_ssl_sni -i ssiiprovincial.hvn.sas.junta-andalucia.es
>>  acl citrixsf req_ssl_sni -i ssiiprovincial01.hvn.sas.junta-andalucia.es
>>
>>  use_backend CitrixSF-SSL if citrixsf
>>  use_backend SevidoresWeblogic-12c-Balanceador-SSL
>
> There is no acl for the backend above? so probably the
> default_backend below will never be reached.
>
> Could it be the above backend returns the 404 you're seeing?
>
>>  default_backend CitrixSF-SSL
>
> Regards,
>
> PiBa-NL

You are right, it's a mistake from doing too many tests to get session
affinity; at some moment I ate the "if aplicaciones".
Thanks.

-- 
Antonio Trujillo Carmona
Network and systems technician.
Subdirección de Tecnologías de la Información y Comunicaciones
Servicio Andaluz de Salud. Consejería de Salud de la Junta de Andalucía
antonio.trujillo.s...@juntadeandalucia.es
Tel. +34 670947670 747670)
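
The shadowing this thread ends on, as an added example that is not part of the original messages or of HAProxy itself: a small Python check that reports a use_backend rule without a condition, the rules it hides, and ACLs that are defined but never referenced. The names lint, POSTED and FIXED are made up for this example, and the sample config is constructed from the posted frontend with the ACL list shortened.

```python
# Added example. Simplification: '#' always starts a comment (no quoting handled).
# Constructed sample: the frontend from the thread, ACL list shortened.
POSTED = """\
frontend Aplicaciones
 bind *:443
 mode tcp
 tcp-request content accept if { req_ssl_hello_type 1 }
 acl aplicaciones req_ssl_sni -i aplicaciones.gra.sas.junta-andalucia.es
 acl citrixsf req_ssl_sni -i ssiiprovincial.hvn.sas.junta-andalucia.es
 use_backend CitrixSF-SSL if citrixsf
 use_backend SevidoresWeblogic-12c-Balanceador-SSL
 default_backend CitrixSF-SSL
"""
# Same frontend with the dropped condition restored, as the thread concludes.
FIXED = POSTED.replace("Balanceador-SSL\n", "Balanceador-SSL if aplicaciones\n")
SECTIONS = ("global", "defaults", "frontend", "backend", "listen", "peers")

def lint(config):
    """Return (section, message) findings; lint() is a hypothetical helper."""
    findings, sections = [], []
    for raw in config.splitlines():
        words = raw.split("#", 1)[0].split()
        if words and words[0] in SECTIONS:
            sections.append((" ".join(words[:2]), []))
        elif words and sections:
            sections[-1][1].append(words)
    for name, lines in sections:
        acls, used, catch_all, default = set(), set(), None, None
        for w in lines:
            if w[0] == "acl" and len(w) > 1:
                acls.add(w[1])          # ACLs are scoped to their section
                continue
            kw = next((k for k in ("if", "unless") if k in w[1:]), None)
            cond = w[w.index(kw, 1) + 1:] if kw else []
            used.update(tok.lstrip("!") for tok in cond)
            if w[0] == "default_backend" and len(w) > 1:
                default = w[1]
            elif w[0] == "use_backend" and len(w) > 1:
                if catch_all:           # an earlier rule already matches everything
                    findings.append((name, f"use_backend {w[1]} is unreachable "
                                           f"after unconditional use_backend {catch_all}"))
                elif not cond:
                    catch_all = w[1]
        if catch_all and default:
            findings.append((name, f"default_backend {default} is never reached: "
                                   f"use_backend {catch_all} has no condition"))
        findings += [(name, f"acl {a} is defined but never used")
                     for a in sorted(acls - used)]
    return findings
```

On the posted frontend, lint(POSTED) reports both the unreachable default_backend and the unused aplicaciones ACL; lint(FIXED) reports nothing.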