I'm trying to replicate the following configuration made in Apache in HAProxy, but so far without success:
<VirtualHost *:80>
    ProxyPreserveHost On
    ServerName alpha.app.int
    ProxyPass / http://127.0.0.1:8080/app/
    ProxyPassReverse / http://127.0.0.1:8080/app/
</VirtualHost>
What I'm trying to do is this: when the address 'alpha.app.int' is accessed, HAProxy automatically directs all requests to my application in JBoss, which is listening on '127.0.0.1:8080/app/'. But when I try to access it through the URL previously mentioned, I end up on the configuration screen of JBoss and not in my application; I can only see it by accessing 'alpha.app.int/app/'. Does anyone have any suggestions on how to do this?
HAProxy Settings:
frontend app
    bind *:80
    mode http
    default_backend frontend app
backend app
    mode http
    option forwardfor
    server alpha 127.0.0.1:8080/app
You can try this:
frontend app
    bind *:80
    acl path_root path /
    redirect location https://www.example.com/app/ if path_root
    default_backend app
backend app
    mode http
    option forwardfor
    server alpha 127.0.0.1:8080
(This SO thread seems to be very similar, but does not answer my problem)
I have a loadbalancer listening on https://loadbalancerurl:443/ which terminates SSL and forwards requests to the IHS (IBM HTTP Server) on port 80.
I need to configure the IHS as a reverse proxy, such that requests get forwarded to https://targeturl:443/
browser --443--> loadbalancer --80--> IHS --443--> target
The reason we need to do this on the IHS, is because on that server we have direct and quick access to change the target url on demand, whereas the loadbalancer is out of our control.
This means that I need to activate SSL in the IHS, but only for the outgoing requests to the targeturl, not for the incoming requests.
Pages like this from IBM or this blog post assume that SSL is incoming and outgoing.
Here is the relevant code block of the httpd.conf file:
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
SSLProxyEngine on
<VirtualHost *:80>
    # ServerName webserverhostname # not needed so far
    SSLEnable # without this i get "SSL0263W: SSL Connection attempted when SSL did not initialize."
    KeyFile store.kdb # without this i get "SSL0170E: GSK could not initialize, no keyfile specified."
    SSLStashFile store.sth
    ProxyPass / https://targeturl/
    ProxyPassReverse / https://targeturl/
</VirtualHost>
SSLDisable
where the store.kdb contains the CA certificates of the targeturl, as indicated in the SO thread.
However, the server continuously spits out the following error message:
SSL0227E: SSL Handshake Failed, Specified label could not be found in the key file, or the specified label is not a 'personal certificate' (no private key). Label='(null)'
As far as I understand, this means that IHS is failing to handle incoming https traffic, which should not happen. It should not happen because the <VirtualHost *:80> specifies port 80, and also because any traffic that reaches the IHS has the SSL terminated by the loadbalancer.
Am I misunderstanding the error message? If not, how can I get this working?
edit to show working solution:
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
SSLProxyEngine on
<VirtualHost *:80>
    # ServerName webserverhostname # not needed so far
    # SSLEnable # this would activate SSL for incoming traffic
    KeyFile store.kdb # this contains the CA certificates of the target server
    # SSLStashFile store.sth # would only be needed for incoming SSL
    ProxyPass / https://targeturl/
    ProxyPassReverse / https://targeturl/
</VirtualHost>
# SSLDisable
SSLEnable should not be present in a virtual host that doesn't actually handle inbound SSL.
SSLStashFile is also not needed. It is unfortunately named.
You should deep dive on the error_log entries you get in the config without these two. There is likely an early SSL error that does not fail startup. The only necessary config even without frontend SSL is just:
SSLProxyEngine on
ProxyPass / https://example.com/
KeyFile /path/to/key.kdb
For one of my customer projects, I have a domain name abc.my-app.com. My server's public IP is x.y.z.a.
I have developed a Spring Boot based application. In the application, I have configured an automatic redirect from http port 8088 to https 8443.
The application is accessible as https://x.y.z.a:8443/ without issues.
The application is also redirected to https when accessed as http://x.y.z.a:8088 in the browser.
Refer to https://drissamri.be/blog/java/enable-https-in-spring-boot/ for how I have configured this.
I have also set up Apache version 2.4.18 on my server. I have configured virtual hosts to be able to redirect to https when my application is accessed from the browser as https://abc.my-app.com to https://abc.my-app.com:8443.
But if a user accesses http://abc.my-app.com (without https), Apache does not redirect to my application on https.
How do I enable Apache to redirect from http://abc.my-app.com to https://abc.my-app.com?
My Virtual host configuration is below:
<VirtualHost *:80 *:8080 *:443>
    ServerAdmin webmaster@xyzc
    DocumentRoot /var/www/
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine On
    SSLProxyEngine On
    SSLCertificateFile /etc/apache2/ssl/ca.crt
    SSLCertificateKeyFile /etc/apache2/ssl/ca.key
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName Off
    ProxyPreserveHost On
    # Servers to proxy the connection, or
    # List of application servers Usage
    ProxyPass / https://x.y.z.a:8443/
    ProxyPassReverse / https://x.y.z.a:8443/
    ServerName ip-x-y-z-a
</VirtualHost>
I finally got it working. Not sure, though, whether this is the right way.
In the Spring Boot application, I configured a redirect from port 80 to port 443.
Apache2 redirects from 443 to my application running on port 8443.
I deployed my first meteor app on a digital-ocean droplet using mup. So it's there but I can't figure out what I still have to setup to actually view my app. So when I go to www.example.com I should see it but all I see is an apache page.
When you start a Meteor app, you can specify the port for it to listen on using the --port argument. For it to be available at your domain name, specify port 80. Though if you have Apache listening on that port already, it will fail to bind to it. Uninstall or stop Apache, and restart your Meteor app.
If you are using Apache to serve other content and cannot stop it, you'll need to have your Meteor app run on a different port with an Apache ProxyPass. First enable mod_proxy and mod_proxy_http:
sudo a2enmod proxy proxy_http
Then create a new VirtualHost for the Meteor app that proxies requests to the port you have decided to have it listen on. It will look something like:
<VirtualHost *:80>
    ServerName www.example.com
    ProxyPass / http://localhost:3000/
    ProxyPassReverse / http://localhost:3000/
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
See this article for all the details.
I have two web applications running on a server inside two separate docker containers. One of them is running on the Play framework server (Java), while the other is running on nginx (PHP). I am doing SSL termination in http mode at haproxy for the Play app. I want to handle the SSL termination for the other app at nginx.
Is it possible to configure haproxy in such a way that one front-end forwards the request in tcp mode, and another in http mode? Below is what my haproxy.cfg would look like.
frontend http-in
    mode http
    bind *:80
    redirect scheme https code 301 if !{ ssl_fc }
frontend https-in
    # bind *:80
    bind *:443 ssl crt /etc/ssl/certs/my_certificate_file.pem
    reqadd X-Forwarded-Proto:\ https
    # redirect scheme https code 301 if !{ ssl_fc }
    mode http
    option httpclose
    option forwardfor
    # Define hosts based on domain names
    acl host_test_ssh hdr(host) -i playapp.domain.com
    ## figure out backend to use based on domainname
    use_backend testssh if host_test_ssh
frontend http-in-other
    bind *:80
    mode tcp
    option tcplog
    redirect scheme https if !{ ssl_fc }
frontend https-in-estore
    bind *:443
    mode tcp
    option tcplog
    # Define hosts based on domain names
    acl host_test_ssh hdr(host) -i nginxapp.domain2.com
    ## figure out backend to use based on domainname
    use_backend other if host_test_ssh
I have not tried this but based on the documentation of 1.5 it should work. http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-mode
How does a web server recognize which URL to serve when there are multiple web sites (hostnames) associated with the same IP address?
With the Apache web server, a set of virtualhosts is defined that contain parameters to match a request to a directory. Using a basic, default set up for an Ubuntu web server, you would have a file in the /etc/apache2/sites-enabled directory like this:
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example.com/httpdocs
</VirtualHost>
This tells Apache that all requests to example.com that arrive at this machine should be routed to the /var/www/example.com/httpdocs folder. Another entry for example.org could point it to a different folder.
Also relevant are the /etc/hosts file and the Apache a2ensite command.
This is done in Apache by using NameVirtualHost.
You first declare what IP and port in httpd.conf to use like:
NameVirtualHost 127.0.0.1:80
Then in your virtual host block, you do:
<VirtualHost 127.0.0.1:80>
    ServerName your_domain
    DocumentRoot path_to_your_app
    ....
</VirtualHost>
This will allow you to have multiple hosts on one IP. But be warned that if you access the IP directly, it will direct the request to the first virtual host.
Through the use of virtual hosts.
This is an example configuration from nginx:
http {
    index index.html;
    server {
        server_name www.domain1.com;
        access_log logs/domain1.access.log main;
        root /var/www/domain1.com/htdocs;
    }
    server {
        server_name www.domain2.com;
        access_log logs/domain2.access.log main;
        root /var/www/domain2.com/htdocs;
    }
}
Essentially, when a user requests a resource the server checks the host field of the request and responds accordingly.
HTTP 1.1 defines a header called the "Host" header.
Before Apache or any other server sees the request, the client browser creates the HTTP 1.1 request headers and sends the request to the server you are asking your browser to contact.
Once the request hits Apache, the server looks at the Host header portion of the HTTP request headers. You can observe this by using wireshark, liveHttpHeaders, HTTPfox or whatever HTTP dissecting/packet capturing tool you like. The Host header in HTTP 1.1 (the Host: header is not defined for HTTP 1.0 or 0.9) is formatted as follows:
Host: www.example.com\r\n
When Apache looks at this header, it parses it and goes through the existing VirtualHosts table that is used for mapping matching host headers to directories or actions defined.
That is to say, if you had a NameVirtualHost for www.example.com that points to /some/path/example.com/
NameVirtualhost stuff here
<VirtualHost 127.0.0.1:80>
    ServerName www.example.com
    DocumentRoot /some/path/example.com
    ....
</VirtualHost>
your Apache would take the following request:
GET /index.html HTTP/1.1\r\n <-- version is a key part
Connection: close\r\n
Host: www.example.com\r\n <-- key part
Accept: blah\r\n
Another: blah\r\n
Read the wiki page for more on header format.
Apache would see that the host header contains www.example.com and serve up the file /some/path/example.com/index.html because that directory and filename matches the requested resource and it is the directory that is to be used for serving requests with the host header containing www.example.com.
That is how it works.
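An added example (not code from the answers above, and not Apache's implementation): the Host-header lookup described above, modelled in Python over constructed requests. The www.example.org entry and the function names are assumptions; the fallback to the first entry follows the warning in the NameVirtualHost answer about requests made to the bare IP.

```python
from typing import Optional, Tuple

# Constructed vhost table in configuration order; the first entry is the default.
VHOSTS = [
    ("www.example.com", "/some/path/example.com"),
    ("www.example.org", "/some/path/example.org"),  # assumed second site
]

# Constructed sample requests.
REQ_NAMED = (b"GET /index.html HTTP/1.1\r\nConnection: close\r\n"
             b"Host: www.example.com\r\nAccept: blah\r\n\r\n")
REQ_MIXED_CASE = b"GET / HTTP/1.1\r\nHOST: WWW.Example.ORG:80\r\n\r\n"
REQ_BY_IP = b"GET /index.html HTTP/1.1\r\nHost: 127.0.0.1:80\r\n\r\n"
REQ_NO_HOST = b"GET /index.html HTTP/1.0\r\n\r\n"


def parse_host(raw_request: bytes) -> Optional[str]:
    """Return the Host header value, lower-cased and without port, or None."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower()
            # Drop an optional :port suffix; bracketed IPv6 literals are kept whole.
            if not host.startswith("[") and ":" in host:
                host = host.rsplit(":", 1)[0]
            return host.rstrip(".") or None
    return None


def select_docroot(raw_request: bytes) -> Tuple[str, bool]:
    """Return (document_root, matched_by_name) for a raw request."""
    host = parse_host(raw_request)
    for server_name, docroot in VHOSTS:
        if host == server_name:
            return docroot, True
    # Unknown name, bare IP or missing Host header: the first vhost answers.
    return VHOSTS[0][1], False


if __name__ == "__main__":
    for req in (REQ_NAMED, REQ_MIXED_CASE, REQ_BY_IP, REQ_NO_HOST):
        print(parse_host(req), select_docroot(req))
```

Because any unmatched name lands on the first entry, making that entry a deliberate catch-all site keeps requests for unknown hostnames away from a real application.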
Depends on the type of server. Apache uses a .htaccess file and you could also configure virtual hosts. If you're trying to do something specific, you may want to edit your question to include exactly what you're looking for and what software you're using to host.