On Thu, Oct 25, 2018 at 6:31 PM Igor Cicimov <[email protected]>
wrote:

>
>
> On Thu, 25 Oct 2018 6:13 pm Imam Toufique <[email protected]> wrote:
>
>> So I almost got this to work, based on the situation I am in.  To
>> elaborate just a bit, my setup involves a Shibboleth SP that I need to
>> authenticate my application.  Since I can't set up the HAProxy node with
>> Shibboleth SP, I had to wrap my application in the backend with Apache so
>> I can pass REMOTE_USER to the application.  The application I have is
>> JupyterHub, and it starts with its own proxy.  Long story short, here is my
>> current setup:
>>
>> frontend
>>    bind :80
>>    bind :443 ssl crt /etc/haproxy/crsplab2_1.pem
>>    stats uri /haproxy?stats
>>    default_backend web1_cluster
>>    option httplog
>>    log global
>>    #option dontlognull
>>    log /dev/log local0 debug
>>    mode http
>>    option forwardfor   # forward IP
>>    http-request set-header X-Forwarded-Port %[dst_port]
>>    http-request add-header X-Forwarded-Proto https if { ssl_fc }
>>    redirect scheme https if !{ ssl_fc }
>>
>> acl host_web3 path_beg /jhub
>> use_backend web3_cluster if host_web3
>>
>> backend
>> server web1.oit.uci.edu 128.110.80.5:80 check
>>
>> This works for the most part.  But I am confused by a problem.  When I
>> get to my application, my backend IP address shows up in the browser URL.
>>
>> For example, I see this in my browser:
>>
>> http://128.110.80.5/jhub/user/itoufiqu/tree?
>>
>> whereas, I was expecting that it would show the original URL, such as:
>>
>> http://crsplab2.domain.com/jhub/user/itoufiqu/tree?  ( where
>> crsplab2.domain.com is the URL to get HAproxy )
>>
>
> You need to tell your backend app that it runs behind a reverse proxy with
> SSL termination and that its domain/URL is https://crsplab2.domain.com.
> How you do that depends on the backend app you are using, but most of them,
> like apache2, tomcat etc., have specific configs that you can find in their
> documentation. For example, if your backend is apache2 I bet you don't have
> the DomainName set in the config, in which case it defaults to the host IP
> address.
>

You can also try:

rspirep ^Location:\ http://(.*):80(.*)  Location:\ https://crsplab2.domain.com:443\2 if { ssl_fc }

to fix the URL, but note that this will not save you from hard-coded URLs
in the returned HTML pages the way Apache does.


>
>> While I am no expert in the HAProxy world, I think this might be due to
>> the fact that my backend does not have SSL and the HAProxy frontend does
>> have SSL.  At this point, I would avoid that IP address showing up in the
>> browser.  What is the best way to accomplish this?
>>
>> Thanks for your continued help!
>>
>>
>>
>>
>>
>>
>> On Tue, Oct 23, 2018 at 8:35 AM Aleksandar Lazic <[email protected]>
>> wrote:
>>
>>> Hi.
>>>
>>> On 23.10.2018 at 09:04, Imam Toufique wrote:
>>> > I am looking for some help on how to write the following apache
>>> > proxypass rules in HAproxy.  Not to mention I am at a bit of a loss
>>> > with my first try :-) .  Here are my current proxypass rules:
>>> >
>>> > ProxyPass http://10.1.100.156:8000/jhub
>>> > ProxyPassReverse http://10.1.100.156:8000/jhub
>>>
>>> Well, ProxyPass and ProxyPassReverse do a lot of things, not just
>>> rewrites, as mentioned in the doc
>>>
>>> https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypass
>>> https://httpd.apache.org/docs/2.4/mod/mod_proxy.html#proxypassreverse
>>>
>>>
>>> > <LocationMatch "/jhub/(user/[^/]*)/(api/kernels/[^/]+/channels/websocket)(.*)">
>>> >     ProxyPassMatch ws://10.1.100.156:8000/jhub/$1/$2$3
>>> >     ProxyPassReverse ws://10.1.100.156:8000/jhub/$1/$2$3
>>> > </LocationMatch>
>>> >
>>> > As I am not well versed in the massive HAproxy configuration guide, if
>>> > any of you can give me a hand with this, I would very much appreciate
>>> > it.
>>>
>>> I'm also not "that" expert but I would try the following, untested.
>>>
>>> ###
>>> defaults
>>>   mode http
>>>   log global
>>>
>>>   #... maybe some other settings
>>>   timeout tunnel 10h
>>>
>>> frontend https_001
>>>
>>>   #... maybe some other settings
>>>
>>>   acl websocket path_beg /jhub
>>>
>>>   #... maybe some other  acls
>>>
>>>   use_backend websocket_001 if websocket
>>>
>>> backend websocket_001
>>>
>>>   # \1 is the HTTP method; the path is rebuilt from groups 2-4
>>>   reqrep "^([^\ :]*) /jhub/(user/[^/]*)/(api/kernels/[^/]+/channels/websocket)(.*)" "\1 /jhub/\2/\3\4"
>>>
>>>   # You will need to replace the first column with the response from the
>>>   # backend response
>>>   # rspirep "^Location: /jhub/(user/[^/]*)/(api/kernels/[^/]+/channels/websocket)(.*)" "Location: /jhub/\1/\2\3"
>>>   # OR
>>>   # http-response replace-header Location "/jhub/(user/[^/]*)/(api/kernels/[^/]+/channels/websocket)(.*)" "/jhub/\1/\2\3"
>>>
>>>   # add some checks
>>>
>>>   server ws_01 10.1.100.156:8000 check
>>> ###
>>>
>>> Here are some links which may help you also.
>>>
>>> https://www.haproxy.com/blog/websockets-load-balancing-with-haproxy/
>>> https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-reqirep
>>> https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#4-rspirep
>>>
>>> I would run haproxy in debug mode, see how the request passes through
>>> haproxy, and adapt the config.
>>>
>>> It would be nice if you showed us the working conf ;-)
>>>
>>> It would be nice to have a
>>>
>>> http-request replace-uri <match-regex> <replace-fmt>
>>>
>>> to replace the reqrep.
>>>
>>> > thanks
>>>
>>> Hth
>>> Aleks
>>>
>>>
>>
>> --
>> Regards,
>> *Imam Toufique*
>> *213-700-5485*
>>
>

-- 
Igor Cicimov | DevOps


p. +61 (0) 433 078 728
e. [email protected] <http://encompasscorporation.com/>
w*.* www.encompasscorporation.com
a. Level 4, 65 York Street, Sydney 2000
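
Added example, not part of the original message and not HAProxy project code: a Python model of the Location rewrite suggested above, run over constructed response headers to show which redirects the posted pattern rewrites and which still expose the backend address. Python's re module stands in for HAProxy's regex engine; STRICT_RE and the idp.example.org host are assumptions introduced here for comparison.

```python
import re

PUBLIC = "https://crsplab2.domain.com"   # public URL from the thread
BACKEND = "128.110.80.5"                 # backend address from the thread

# Pattern from the message, transcribed to Python (rspirep ignores case).
THREAD_RE = re.compile(r"^Location: http://(.*):80(.*)", re.I)
# Assumed stricter variant: only this backend, port optional, path kept whole.
STRICT_RE = re.compile(
    r"^Location: http://" + re.escape(BACKEND) + r"(?::80)?(/.*)?$", re.I)


def rewrite_thread(line: str) -> str:
    """Apply the rewrite as written in the message."""
    return THREAD_RE.sub(lambda m: f"Location: {PUBLIC}:443{m.group(2)}", line)


def rewrite_strict(line: str) -> str:
    """Apply the stricter variant; redirects to other hosts pass through."""
    return STRICT_RE.sub(lambda m: f"Location: {PUBLIC}{m.group(1) or ''}", line)


def leaks_backend(line: str) -> bool:
    """True when a Location header still exposes the backend address."""
    return line.lower().startswith("location:") and BACKEND in line


# Constructed sample response headers, not captured traffic.
SAMPLES = [
    "Location: http://128.110.80.5:80/jhub/user/itoufiqu/tree?",  # explicit port
    "Location: http://128.110.80.5/jhub/user/itoufiqu/tree?",     # default port
    "Location: /jhub/hub/login",                                  # relative
    "Location: http://idp.example.org:80/sso",                    # other host
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s)
        print("  thread:", rewrite_thread(s), "| leak:", leaks_backend(rewrite_thread(s)))
        print("  strict:", rewrite_strict(s), "| leak:", leaks_backend(rewrite_strict(s)))
```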
