How can I access the scheme in the HTTP header with a HAProxy ACL? - websocket

I don't just want to access the URL or the domain on my load balancer with HAProxy, but also the protocol (http, https, ws...). How can I do this for the websocket scheme?
acl ws_wfe01 hdr(host) -i example.de
acl ws_wfe02 hdr(Upgrade) -i WebSocket
acl ws_wfe03 hdr_beg(host) -i ws

A colleague of mine and I found a workable solution:
acl hdr_connection_upgrade hdr(Connection) -i upgrade
acl hdr_upgrade_websocket hdr(Upgrade) -i websocket
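Combining those two ACLs with HAProxy's ssl_fc fetch yields the full client-facing scheme (http, https, ws or wss), which can then be used both for routing and for the X-Forwarded-Proto header. This is an added example, not part of the original answer; the certificate path, backend names and server addresses are assumptions.

```haproxy
frontend fe_main
    mode http
    bind *:80
    bind *:443 ssl crt /etc/haproxy/certs/example.pem   # assumed certificate path

    # WebSocket handshake: both headers must be present (RFC 6455).
    # hdr() tests each comma-separated value, so "keep-alive, Upgrade" still matches.
    acl hdr_connection_upgrade hdr(Connection) -i upgrade
    acl hdr_upgrade_websocket  hdr(Upgrade)    -i websocket

    # True when the client connection itself is TLS (the :443 bind above)
    acl is_tls ssl_fc

    # Derive the scheme into a transaction variable; later rules override earlier ones
    http-request set-var(txn.scheme) str(http)  if !is_tls
    http-request set-var(txn.scheme) str(https) if is_tls
    http-request set-var(txn.scheme) str(ws)    if !is_tls hdr_connection_upgrade hdr_upgrade_websocket
    http-request set-var(txn.scheme) str(wss)   if is_tls  hdr_connection_upgrade hdr_upgrade_websocket

    # Hand the original scheme to the backend so it can build correct absolute URLs
    http-request set-header X-Forwarded-Proto %[var(txn.scheme)]

    # Route only genuine WebSocket handshakes to the websocket backend
    use_backend be_ws if hdr_connection_upgrade hdr_upgrade_websocket
    default_backend be_web

backend be_ws
    # Upgraded connections are long-lived; keep idle sockets open longer than plain HTTP
    timeout tunnel 1h
    server ws1 127.0.0.1:8081 check      # assumed address

backend be_web
    server web1 127.0.0.1:8080 check     # assumed address
```

Adding %[var(txn.scheme)] to a custom log-format line makes the derived scheme visible per request, which is useful when verifying that wss handshakes really terminate on the TLS bind.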

Related

HAProxy Domain / Subdomain ACL rule

I'm trying to set up HAProxy for 1 domain and 1 subdomain.
The actual situation is that:
Internet -> pfSense Firewall -> HAProxy -> SRV1 (192.168.100.1) domain.com
-> SRV2 (192.168.100.2) srv2.domain.com
Actually it IS working: I can access SRV1 if I type domain.com and I can access SRV2 if I type srv2.domain.com. BUT:
If I open my browser and type domain.com and open a new tab with srv2.domain.com, the 2nd tab (srv2) points me to domain.com instead of srv2.domain.com. The same happens vice versa: if I first browse to srv2.domain.com and then browse to domain.com, it points me to srv2. So I always have to restart my browser if I want to browse to SRV1 and to SRV2.
Here's my HAProxy config:
acl host_srv2 hdr_dom(host) -i srv2.domain.com
acl host_domain hdr_dom(host) -i domain.com
use_backend srv2 if host_srv2
use_backend domain if host_domain
backend srv2
balance roundrobin
option httpclose
option forwardfor
cookie JSESSIONID prefix
server srv2 192.168.100.2:80 check
backend domain
balance roundrobin
option httpclose
option forwardfor
cookie JSESSIONID prefix
server domain 192.168.100.1:80 check
Do you have any ideas?
Change your ACLs to:
acl host_domain hdr_dom(host) -i domain.com
acl host_server hdr_dom(host) -i srv2.domain.com
Once the first match hits, it will skip the remaining ACLs.

docker + haproxy on mac 10.11.5 doesn't work

I am running an HAProxy configuration on a Mac that works perfectly on Linux, but I can't get the proxy to even respond. Here is my config:
defaults
mode http
timeout connect 5000ms
timeout client 5000ms
timeout server 5000ms
frontend http
bind *:80
acl oracle_content hdr(Content-Type) -i application/vnd.api+json
acl oracle_accept hdr(Accept) -i application/vnd.api+json
use_backend oracle_be if oracle_content
use_backend oracle_be if oracle_accept
default_backend matrix_be
backend oracle_be
balance roundrobin
server oracle1 theoracle.stage.company.com:8080
backend matrix_be
balance roundrobin
server matrix1 192.168.1.6:3000
docker run -d --name cc -v /Users/cbongiorno/development/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro haproxy
docker -v
Docker version 1.12.0, build 8eab29e
The only machine-specific config is the IP address of the matrix_be entry, which has to be my local interface. It's not working on two Macs, and I have tried binding the proxy to multiple interfaces. I am not even getting a 504, which would indicate the proxy is fine but one of the backend services is misconfigured.
Ideas?
Due to current Docker on Mac limitations, the -p 80:80 flag must be passed even if the container declares port 80 open for business.

Haproxy redirect configuration for plex?

Hope someone can help me :)
I'm trying to configure HAProxy for Plex redirection but haven't found the solution yet.
So basically, to reach the Plex home page you should go to => IPADDRESS:PORT/web, which redirects to IPADDRESS:PORT/web/index.html
I made this kind of redirect:
use_backend plex if { hdr_beg(Host) -i plex. }
backend plex
server plex localhost:32400 check
This is OK, I can reach Plex => plex.mydomain.tld/web
But I would like to be able to reach Plex with this URL => plex.mydomain.tld
I tried to add this line:
reqrep ^([^\ :]*)\ /(.*) \1\ /web\2
The rewrite works, my URL switches to => plex.mydomain.tld/web/index.html
But I get a 404 ERROR...
What kind of trick should I do to access Plex from plex.mydomain.tld?
Thanks!
Found some info that helped me figure it out:
global
log 127.0.0.1 syslog
maxconn 1000
user haproxy
group haproxy
daemon
tune.ssl.default-dh-param 4096
ssl-default-bind-options no-sslv3 no-tls-tickets
ssl-default-bind-ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
defaults
log global
mode http
option httplog
option dontlognull
option http-server-close
option forwardfor except 127.0.0.0/8
option redispatch
option contstats
retries 3
timeout http-request 10s
timeout queue 1m
timeout connect 10s
timeout client 1m
timeout server 1m
timeout check 10s
listen stats
bind *:9090
mode http
maxconn 10
stats enable
stats hide-version
stats realm Haproxy\ Statistics
stats uri /
stats auth admin:admin
frontend ALL
bind *:80
bind *:443 ssl crt /etc/haproxy/certs/nomercy.myqnapcloud.com.pem crt /etc/haproxy/certs/nomercy.myqnapcloud.com.pem
mode http
# Define path for lets encrypt
acl is_letsencrypt path_beg -i /.well-known/acme-challenge/
use_backend letsencrypt if is_letsencrypt
# Define hosts
acl host_website hdr(host) -i nomercy.myqnapcloud.com
# Direct hosts to backend
use_backend website if host_website
# Redirect port 80 to 443
# But do not redirect letsencrypt since it checks port 80 and not 443
redirect scheme https code 301 if !{ ssl_fc } !is_letsencrypt
backend letsencrypt
server letsencrypt 127.0.0.1:8888
backend website
balance roundrobin
option httpchk GET /check
cookie SERVERID insert indirect nocache
http-check expect rstring ^UP$
default-server inter 3s fall 3 rise 2
server server1 192.168.2.151:8888 check
server server2 192.168.2.152:8888 check
server server3 192.168.2.153:8888 check
listen plex
bind *:32400 ssl crt /etc/haproxy/certs/nomercy.myqnapcloud.com.pem crt /etc/haproxy/certs/nomercy.myqnapcloud.com.pem
balance roundrobin
option httpchk GET /check
http-check expect rstring ^UP$
default-server inter 3s fall 3 rise 2
server server1 192.168.2.149:32400 check port 8888
server server2 192.168.2.148:32400 check port 8888
server server3 192.168.2.147:32400 check port 8888
You can remove the SSL certificates if you don't have them installed.
The problem here unfortunately has nothing to do with your HAProxy configuration. Instead it is Plex that is causing the issue.
Example
With your configuration, when you go to plex.mydomain.tld HAProxy adds in the /web, and as a result Plex gets the following URL: plex.mydomain.tld/web. This is correct; however, Plex will then want to forward the browser on to plex.mydomain.tld/web/index.html. But when the browser sends a request for that URL, HAProxy steps in and adds that extra /web again, and the resulting URL sent to Plex is plex.mydomain.tld/web/web/index.html, which doesn't exist and hence the 404 error you got.
While going to plex.mydomain.tld/index.html may work, I assume all links from that page to any other page won't work due to the same issue.
To solve this you could:
Look through Plex's configuration to see if it is possible to run it without the /web.
Taking inspiration from here, you could configure HAProxy something like this:
frontend http
mode http
bind *:80
acl plex hdr_beg(Host) -i plex.
acl root_dir path_reg ^$|^/$
acl no_plex_header req.hdr_cnt(X-Plex-Device-Name) -i 0
redirect location http://plex.mydomain.tld/web/index.html 301 if no_plex_header root_dir plex
use_backend plex if plex
backend plex
server plex localhost:32400 check
The key difference is the redirect location line, which will redirect from / to /web/index.html if the header X-Plex-Device-Name isn't set. The reason you have to check for the header is that it appears that Plex uses / for something else.
Note: This config is an example and I haven't tested this at all.
Hope that helps.
I want to echo that I used the solution provided by JamesStewy and it worked, with the minor correction:
redirect location http://plex.mydomain.tld/web/index.html code 301 if no_plex_header root_dir plex
At least, that was necessary for me (running haproxy 1.7.2).

Blocking HTTPS sites through Squid

Can I block https://www.facebook.com through Squid?
It is working very nicely except for HTTPS sites.
I am using Squid 3.1 on Debian 7.
Yes, you can. You should also block it with CONNECT:
acl fb dstdomain .facebook.com
http_reply_access deny fb
http_access deny CONNECT fb
then:
squid3 -k reconfigure
or
squid -k reconfigure
Now, it is done!

Squid Transparent + HTTPS

I enabled transparent Squid on Windows using this method (YouTube link). But after enabling it, pages with HTTPS show an error.
In Chrome this message is: SSL Connection Error (ERR_SSL_PROTOCOL_ERROR)
In Firefox: Security Connection Fail (Error code: ssl_error_rx_record_too_long)
IE: Check if TLS and SSL Protocols has enabled.
Is it possible to disable SSL / HTTPS in Squid?
Or solve this problem in another way.
Thanks.
Yes, I didn't watch the video clip - but simply tell your browser not to use the proxy for HTTPS or port 443.
Alternately, if you're using the transparent firewall method, you can either tell the firewall to skip port 443, or to ONLY redirect port 80 through the proxy, e.g.
iptables -t nat -I PREROUTING -p tcp --dport 443 -j ACCEPT
the above will just accept HTTPS-port traffic and ignore all the other firewall rules for it
or
iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to 3128
which will only redirect port 80 to your transparent squid.
PS: It's a really bad idea to try and proxy SSL - it completely defeats the purpose of SSL.
According to this link: http://wiki.squid-cache.org/KnowledgeBase/Windows
Squid features not operational:
DISKD: still needs to be ported
Transparent Proxy: missing Windows non commercial interception driver
SMP support: Windows equivalent of UDS sockets has not been implemented
So it might not be possible to use Squid as a transparent proxy on Windows.