Single haproxy instance running on http as well as tcp mode - nginx

I have two web applications running on a server inside two separate Docker containers. One of them runs on a Play Framework server (Java), while the other runs on nginx (PHP). I am doing SSL termination in http mode at HAProxy for the Play app. I want to handle the SSL termination for the other app at nginx.
Is it possible to configure HAProxy in such a way that one front-end forwards the request in tcp mode, and another in http mode? Below is what my haproxy.cfg would look like.
```haproxy
frontend http-in
    mode http
    bind *:80
    redirect scheme https code 301 if !{ ssl_fc }

frontend https-in
    # bind *:80
    bind *:443 ssl crt /etc/ssl/certs/my_certificate_file.pem
    reqadd X-Forwarded-Proto:\ https
    # redirect scheme https code 301 if !{ ssl_fc }
    mode http
    option httpclose
    option forwardfor
    # Define hosts based on domain names
    acl host_test_ssh hdr(host) -i playapp.domain.com
    ## figure out backend to use based on domainname
    use_backend testssh if host_test_ssh

frontend http-in-other
    bind *:80
    mode tcp
    option tcplog
    redirect scheme https if !{ ssl_fc }

frontend https-in-estore
    bind *:443
    mode tcp
    option tcplog
    # Define hosts based on domain names
    acl host_test_ssh hdr(host) -i nginxapp.domain2.com
    ## figure out backend to use based on domainname
    use_backend other if host_test_ssh
```

I have not tried this but based on the documentation of 1.5 it should work. http://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-mode
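An added example, not from the question or the answer above, of a single HAProxy instance doing both: one tcp-mode frontend on 443 routes on the SNI name read from the ClientHello (hdr(host) cannot be evaluated in tcp mode because the Host header sits inside the encrypted stream, so req_ssl_sni is the usable key there), passes nginxapp.domain2.com through untouched so nginx terminates TLS itself, and hands playapp.domain.com to a loopback http-mode frontend that terminates it with the certificate from the question. The container addresses, the Play port 9000 and the loopback port 8443 are assumed placeholders.

```haproxy
frontend http-in
    bind *:80
    mode http
    # Neither app is served over plain http, so send everything to https
    http-request redirect scheme https code 301

frontend tls-in
    bind *:443
    mode tcp
    option tcplog
    # Buffer the ClientHello long enough to read the SNI field (no decryption)
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Route on the SNI name; unknown names fall through to the terminating path
    use_backend nginx-passthrough if { req_ssl_sni -i nginxapp.domain2.com }
    default_backend play-terminate

backend nginx-passthrough
    mode tcp
    # Assumed container address: nginx completes the handshake with its own key
    server nginx 172.17.0.3:443

backend play-terminate
    mode tcp
    # Hand the still-encrypted stream to the local http-mode frontend below;
    # send-proxy carries the real client address across the loopback hop
    server local-tls 127.0.0.1:8443 send-proxy

frontend play-https
    # accept-proxy reads that PROXY header, so forwardfor logs the true client IP
    bind 127.0.0.1:8443 ssl crt /etc/ssl/certs/my_certificate_file.pem accept-proxy
    mode http
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    default_backend play

backend play
    mode http
    # Assumed container address and default Play port
    server play 172.17.0.2:9000
```

With this layout HAProxy never holds the nginx app's private key, and the Play app still receives the real client address in X-Forwarded-For because the PROXY protocol preserves it across the loopback hop.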

Configure IBM HTTP Server as reverse proxy with SSL for the proxy only

(This SO thread seems to be very similar, but does not answer my problem)
I have a load balancer listening on https://loadbalancerurl:443/ which terminates SSL and forwards requests to the IHS (IBM HTTP Server) on port 80.
I need to configure the IHS as a reverse proxy, such that requests get forwarded to https://targeturl:443/
browser --443--> loadbalancer --80--> IHS --443--> target
The reason we need to do this on the IHS is that on that server we have direct and quick access to change the target URL on demand, whereas the load balancer is out of our control.
This means that I need to activate SSL in the IHS, but only for the outgoing requests to the targeturl, not for the incoming requests.
Pages like this from IBM or this blog post assume that SSL is incoming and outgoing.
Here is the relevant block of the httpd.conf file:
```apache
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
SSLProxyEngine on
<VirtualHost *:80>
    # ServerName webserverhostname  (not needed so far)
    # without SSLEnable I get "SSL0263W: SSL Connection attempted when SSL did not initialize."
    SSLEnable
    # without KeyFile I get "SSL0170E: GSK could not initialize, no keyfile specified."
    KeyFile store.kdb
    SSLStashFile store.sth
    ProxyPass / https://targeturl/
    ProxyPassReverse / https://targeturl/
</VirtualHost>
SSLDisable
```
where the store.kdb contains the CA certificates of the targeturl, as indicated in the SO thread.
However, the server continuously spits out the following error message:
```text
SSL0227E: SSL Handshake Failed, Specified label could not be found in the key file, or the specified label is not a 'personal certificate' (no private key). Label='(null)'
```
As far as I understand, this means that IHS is failing to handle incoming https traffic, which should not happen. It should not happen because the <VirtualHost *:80> specifies port 80, and also because any traffic that reaches the IHS has the SSL terminated by the load balancer.
Am I misunderstanding the error message? If not, how can I get this working?
Edit to show the working solution:
```apache
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
SSLProxyEngine on
<VirtualHost *:80>
    # ServerName webserverhostname  (not needed so far)
    # SSLEnable  (this would activate SSL for incoming traffic)
    # KeyFile contains the CA certificates of the target server
    KeyFile store.kdb
    # SSLStashFile store.sth  (would only be needed for incoming SSL)
    ProxyPass / https://targeturl/
    ProxyPassReverse / https://targeturl/
</VirtualHost>
# SSLDisable
```
SSLEnable should not be present in a virtual host that doesn't actually handle inbound SSL.
SSLStashFile is also not needed. It is unfortunately named.
You should deep dive on the error_log entries you get in the config without these two. There is likely an early SSL error that does not fail startup. The only necessary config even without frontend SSL is just:
```apache
SSLProxyEngine on
ProxyPass / https://example.com/
KeyFile /path/to/key.kdb
```

Using HaProxy on Nginx server. Not listening to port 80

Recently I set up a server using HAProxy. Everything else runs smoothly, but port 80 is not connecting. Here is the haproxy config file. It especially gives problems when certbot tries to renew. What am I missing here?
```haproxy
frontend backend.sample.com
    bind *:80
    # Test URI to see if it's a letsencrypt request
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl
    bind 64.123.456.124:6684 ssl crt /etc/haproxy/certs/backend.sample.com.pem
    default_backend webapps

backend webapps
    balance roundrobin
    server app01 64.123.456.124:5684

backend letsencrypt-backend
    server letsencrypt 127.0.0.1:54321
```

HTTP Proxy for Openvpn

I'm sometimes on a very restrictive network which only allows HTTP/HTTPS on ports 80/443. I have an OpenVPN server set up and ready, and some services behind Nginx Proxy Manager. I now want to set up a Squid HTTP proxy for OpenVPN behind nginx. I can't use sslh because HTTP is only allowed on port 80 and HTTPS on 443. If I make a default config for nginx:
```nginx
# Opening "server {" added so the block matches its closing brace below
server {
    set $forward_scheme http;
    set $server "http_proxy";
    set $port 3128;
    listen 80;
    listen [::]:80;
    server_name squid.domain.tld;
    access_log /data/logs/proxy-host-41_access.log proxy;
    error_log /data/logs/proxy-host-41_error.log warn;
    location / {
        include conf.d/include/proxy.conf;
    }
    include /data/nginx/custom/server_proxy[.]conf;
}
```
For Squid I have:
```squid
auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/passwords
auth_param basic realm proxy
acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_port 3128 accel allow-direct
http_access allow all
```
The proxy functions standalone.
Made from nginx to Squid:
If I try the official OpenVPN Android client I get HTTP code 400 and no log.
I can't think of anything anymore about why it won't function.
It would have worked if i had compiled nginx with HTTP-CONNECT protocol support.

Redirect on HAProxy

I'm trying to replicate the following configuration made in Apache in HAProxy, but so far without success.
```apache
<VirtualHost *:80>
    ProxyPreserveHost On
    ServerName alpha.app.int
    ProxyPass / http://127.0.0.1:8080/app/
    ProxyPassReverse / http://127.0.0.1:8080/app/
</VirtualHost>
```
What I'm trying to do is this: when the address 'alpha.app.int' is accessed, HAProxy should automatically direct all requests to my application in JBoss that is listening on '127.0.0.1:8080/app/'. But when I try to access it through the URL previously mentioned, I end up on the configuration screen of JBoss and not in my application; I can only see it by accessing 'alpha.app.int/app/'. Does anyone have any suggestions on how to do this?
HAProxy settings:
```haproxy
frontend app
    bind *:80
    mode http
    default_backend frontend app

backend app
    mode http
    option forwardfor
    server alpha 127.0.0.1:8080/app
```
You can try this:
```haproxy
frontend app
    bind *:80
    acl path_root path /
    redirect location https://www.example.com/app/ if path_root
    default_backend app

backend app
    mode http
    option forwardfor
    server alpha 127.0.0.1:8080
```
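An added example, not from the answer above, of doing the prefix mapping inside HAProxy rather than with a redirect, so that alpha.app.int/foo is served from 127.0.0.1:8080/app/foo the way Apache's ProxyPass does, and Location headers from the application are mapped back the way ProxyPassReverse does. It assumes HAProxy 1.6 or newer, where http-request set-path and http-response replace-header are available.

```haproxy
frontend app
    bind *:80
    mode http
    default_backend app

backend app
    mode http
    option forwardfor
    # Counterpart of "ProxyPass / http://127.0.0.1:8080/app/": prefix every
    # request path with /app unless the client already sent it that way
    http-request set-path /app%[path] unless { path_beg /app/ } || { path /app }
    # Counterpart of ProxyPassReverse: strip the /app prefix from absolute and
    # relative Location headers the application emits, so the browser keeps
    # using the alpha.app.int/... form it started with
    http-response replace-header Location ^(https?://[^/]+)/app/(.*)$ \1/\2
    http-response replace-header Location ^/app/(.*)$ /\1
    # HAProxy forwards the Host header unchanged, matching ProxyPreserveHost On;
    # a server line takes only host:port, never a path
    server alpha 127.0.0.1:8080
```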

HAProxy redirecting http to https (ssl)

I'm using HAProxy for load balancing and only want my site to support https. Thus, I'd like to redirect all requests on port 80 to port 443.
How would I do this?
Edit: We'd like to redirect to the same url on https, preserving query params. Thus, http://foo.com/bar would redirect to https://foo.com/bar
I found this to be the biggest help:
Use HAProxy 1.5 or newer, and simply add the following line to the frontend config:
```haproxy
redirect scheme https code 301 if !{ ssl_fc }
```
I don't have enough reputation to comment on a previous answer, so I'm posting a new answer to complement Jay Taylor's answer. Basically his answer will do the redirect, an implicit redirect though, meaning it will issue a 302 (temporary redirect); but since the question says that the entire website will be served as https, the appropriate redirect should be a 301 (permanent redirect).
```haproxy
redirect scheme https code 301 if !{ ssl_fc }
```
It seems a small change, but the impact might be huge depending on the website: with a permanent redirect we are informing the browser that it should no longer look for the http version from the start (avoiding future redirects), a time saver for https sites. It also helps with SEO, by not dividing the juice of your links.
To redirect all traffic:
```haproxy
redirect scheme https if !{ ssl_fc }
```
To redirect a single URL (in case of multiple frontend/backend):
```haproxy
redirect scheme https if { hdr(Host) -i www.mydomain.com } !{ ssl_fc }
```
The best guaranteed way to redirect everything http to https is:
```haproxy
frontend http-in
    bind *:80
    mode http
    redirect scheme https code 301
```
This is a little fancier using 'code 301', but might as well let the client know it's permanent. The 'mode http' part is not essential with the default configuration, but can't hurt. If you have mode tcp in the defaults section (like I did), then it's necessary.
According to http://parsnips.net/haproxy-http-to-https-redirect/ it should be as easy as configuring your haproxy.cfg to contain the following.
```haproxy
#---------------------------------------------------------------------
# Redirect to secured
#---------------------------------------------------------------------
frontend unsecured *:80
    redirect location https://foo.bar.com

#---------------------------------------------------------------------
# frontend secured
#---------------------------------------------------------------------
frontend secured *:443
    mode tcp
    default_backend app

#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend app
    mode tcp
    balance roundrobin
    server app1 127.0.0.1:5001 check
    server app2 127.0.0.1:5002 check
    server app3 127.0.0.1:5003 check
    server app4 127.0.0.1:5004 check
```
A slight variation of user2966600's solution...
To redirect all except a single URL (in case of multiple frontend/backend):
```haproxy
redirect scheme https if !{ hdr(Host) -i www.mydomain.com } !{ ssl_fc }
```
Like Jay Taylor said, HAProxy 1.5-dev has the redirect scheme configuration directive, which accomplishes exactly what you need.
However, if you are unable to use 1.5, and if you're up for compiling HAProxy from source, I backported the redirect scheme functionality so it works in 1.4. You can get the patch here: http://marc.info/?l=haproxy&m=138456233430692&w=2
```haproxy
frontend unsecured *:80
    mode http
    redirect location https://foo.bar.com
```
The redirect statement is legacy; use http-request redirect instead:
```haproxy
acl http ssl_fc,not
http-request redirect scheme https if http
```
In newer versions of HAProxy it is recommended to use
```haproxy
http-request redirect scheme https if !{ ssl_fc }
```
to redirect http traffic to https.
It can be done like this:
```haproxy
frontend http-in
    bind *:80
    mode http
    redirect scheme https code 301
```
Any traffic hitting http will redirect to https.
```haproxy
acl host-example hdr(host) -i www.example.com
# for everything not https
http-request redirect scheme https code 301 unless { ssl_fc }
# for anything matching acl
http-request redirect scheme https code 301 if host-example !{ ssl_fc }
```
If you want to rewrite the URL, you have to change your site virtualhost by adding these lines:
```apache
### Enabling mod_rewrite
Options FollowSymLinks
RewriteEngine on
### Rewrite http:// => https://
RewriteCond %{SERVER_PORT} 80$
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,NC,L]
```
But if you want to redirect all your requests on port 80 to port 443 of the web servers behind the proxy, you can try this example conf in your haproxy.cfg:
```haproxy
##########
# Global #
##########
global
    maxconn 100
    spread-checks 50
    daemon
    nbproc 4

############
# Defaults #
############
defaults
    maxconn 100
    log global
    mode http
    option dontlognull
    retries 3
    contimeout 60000
    clitimeout 60000
    srvtimeout 60000

#####################
# Frontend: HTTP-IN #
#####################
frontend http-in
    bind *:80
    option logasap
    option httplog
    option httpclose
    log global
    default_backend sslwebserver

#########################
# Backend: SSLWEBSERVER #
#########################
backend sslwebserver
    option httplog
    option forwardfor
    option abortonclose
    log global
    balance roundrobin
    # Server List
    server sslws01 webserver01:443 check
    server sslws02 webserver02:443 check
    server sslws03 webserver03:443 check
```
I hope this helps you.
Why don't you use ACLs to distinguish traffic? Off the top of my head:
```haproxy
acl go_sslwebserver path bar
use_backend sslwebserver if go_sslwebserver
```
This goes on top of what Matthew Brown answered.
See the HAProxy docs; search for things like hdr_dom and below to find more ACL options. There are plenty of choices.
Add this into the HAProxy frontend config:
```haproxy
acl http ssl_fc,not
http-request redirect scheme https if http
```
HAProxy - Redirecting HTTP Requests
Simply:
```haproxy
frontend incoming_requsts
    bind *:80
    bind *:443 ssl crt path_to_cert.pem
    http-request redirect scheme https unless { ssl_fc }
    default_backend k8s_nodes
```
