so I almost got this to work, based on the situation I am in. To
elaborate just a bit, my setup involves a shibboleth SP that I need to
authenticate my application. Since I can't set up the HA proxy node with
shibboleth SP - I had to wrap my application in the backend with apache so
I can pass REMOTE_USER to the application. the application I have is -
jupyterhub and it start with its own proxy. Long story short, here is my
current setup:
frontend
bind :80
bind :443 ssl crt /etc/haproxy/crsplab2_1.pem
stats uri /haproxy?stats
default_backend web1_cluster
option httplog
log global
#option dontlognull
log /dev/log local0 debug
mode http
option forwardfor # forward IP
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
redirect scheme https if !{ ssl_fc }
acl host_web3 path_beg /jhub
use_backend web3_cluster if host_web3
backend
server web1.oit.uci.edu 128.110.80.5:80 check
this works for the most part. But I am confused with a problem. when I get
to my application, my backend IP address shows up in the browser URL.
for example, I see this in my browser:
http://128.110.80.5/jhub/user/itoufiqu/tree?
whereas, I was expecting that it would show the original URL, such as:
http://crsplab2.domain.com/jhub/user/itoufiqu/tree? ( where
crsplab2.domain.com is the URL to get HAproxy )
While I am no expert in HA proxy world, I think this might due to the fact
that my backend does not have SSL and HAproxy frontend does have SSL. At
this point, I would avoid that IP address showing up in the browser. what
is the best way to accomplish this?
thanks for your continues help!
On Tue, Oct 23, 2018 at 8:35 AM Aleksandar Lazic <[email protected]> wrote:
> Hi.
>
> Am 23.10.2018 um 09:04 schrieb Imam Toufique:
> > I am looking for some help on how to write the following apache
> proxypass rules
> > in HAproxy. Not to mention I am at a bit of loss with my first try :-)
> . Here
> > are my current proxypass rules:
> >
> > ProxyPass http://10.1.100.156:8000/jhub
> > ProxyPassReverse http://10.1.100.156:8000/jhub
>
> Well ProxyPass and ProxyPassReverse do a lot of thinks not just rewrites,
> as
> mentioned in the doc
>
> https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypass
> https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypassreverse
>
>
> > <LocationMatch
> "/jhub/(user/[^/]*)/(api/kernels/[^/]+/channels/websocket)(.*)">
> > ProxyPassMatch ws://10.1.100.156:8000/jhub/$1/$2$3
> > ProxyPassReverse ws://10.1.100.156:8000/jhub/$1/$2$3
> > </LocationMatch>
> >
> > As I am not well versed in the massive HAproxy configuration guide, if
> any of
> > you can give me a hand with this, I would very much appreciate it.
>
> I'm also not "that" expert but I would try the following, untested.
>
> ###
> defaults
> mode http
> log global
>
> #... maybe some other settings
> timeout tunnel 10h
>
> frontend https_001
>
> #... maybe some other settings
>
> acl websocket path_beg /jhub
>
> #... maybe some other acls
>
> use_backend websocket_001 if websocket
>
> backend websocket_001
>
> reqrep "^([^\ :]*)
> /jhub/(user/[^/]*)/(api/kernels/[^/]+/channels/websocket)(.*)"
> "/jhub/\1/\2\3"
>
> # You will need to replace the first column with the response from the
> # backend response
> # rspirep "^Location:
> /jhub/(user/[^/]*)/(api/kernels/[^/]+/channels/websocket)(.*)" "Location:
> /jhub/\1/\2\3"
> # OR
> # http-response replace-header Location
> "/jhub/(user/[^/]*)/(api/kernels/[^/]+/channels/websocket)(.*)"
> "/jhub/\1/\2\3"
>
> # add some checks
>
> server ws_01 10.1.100.156:8000 check
> ###
>
> Here are some links which may help you also.
>
> https://www.haproxy.com/blog/websockets-load-balancing-with-haproxy/
> https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-reqirep
> https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-rspirep
>
> I would run haproxy in Debug mode and see how the request pass haproxy and
> adopt
> the config.
>
> It would be nice when you show us the working conf ;-)
>
> It would be nice to have a
>
> http-request replace-uri <match-regex> <replace-fmt>
>
> to replace the reqrep.
>
> > thanks
>
> Hth
> Aleks
>
>
--
Regards,
*Imam Toufique*
*213-700-5485*
