Question
I am trying to get the requester host/ip as it comes to haproxy node. My haproxy config is as below:
    frontend www-http
        bind *:9000
        http-request redirect location https://%fi:9143

    frontend www-https
        bind *:9143 ssl crt /root/keys.pem
        reqadd X-Forwarded-Proto:\ https
        default_backend www-backend

    backend www-backend
        balance roundrobin
        cookie SERVERID insert indirect nocache
        server server1 1.1.1.1:9080 cookie server1 weight 1 maxconn 1024 check
So here, if any HTTP request comes in, I need to forward it to HTTPS. The request may come with either an IP address or a fully qualified hostname, like
http://10.10.10.10:9000
this needs to be forwarded to https://10.10.10.10:9143
Again, the request may come hostname in fully qualified form, like
http://myhost.domain.com:9000
this needs to be forwarded to https://myhost.domain.com:9143
Basically, 10.10.10.10 and myhost.domain.com are the same system.
Now with the above haproxy configuration, I am not able to get the below, as it is %fi (frontend_ip), so it is redirecting to https://10.10.10.10:9143.
So my question is how I can get the haproxy node's ip/host as it comes to haproxy.
I tried below options, which did not work:
    http-request redirect location https://%f:9143
    http-request redirect location https://%[req.hdr(Host)]:9143
from https://www.haproxy.com/doc/aloha/7.0/haproxy/log_format_rules.html
Answer 1:
You can get the source address through the src var.
HAProxy holds the requester IP under this, and it can be used in ACLs and other places.
For logging, use it in the following manner: %[src]
Check out these links: src and fetching-samples (under layer 4)
Answer 2:
See How do I set a dynamic variable in HAProxy? for additional details, but using that as a base, here is what should work for you:
    frontend www-http
        bind *:9000
        # Redirect user from http port to https port
        http-request set-var(req.hostname) req.hdr(Host),field(1,:),lower
        http-request redirect code 301 location https://%[var(req.hostname)]:9143 if !{ ssl_fc }

    frontend www-https
        bind *:9143 ssl crt /root/keys.pem
        reqadd X-Forwarded-Proto:\ https
        default_backend www-backend

    backend www-backend
        balance roundrobin
        cookie SERVERID insert indirect nocache
        server server1 1.1.1.1:9080 cookie server1 weight 1 maxconn 1024 check
My situation was a little different as I was only looking to redirect a stats UI URL so I didn't have to go update each stats URL in our internal documentation. Here is what worked for my situation (in case it helps someone else):
    userlist stats-auth
        group admin users adminuser
        group readonly users readonlyuser
        # Passwords created via mkpasswd -m sha-512 PASSWORD_HERE
        user adminuser password NOT_REAL_PASSWORD
        user readonlyuser password NOT_REAL_PASSWORD

    listen stats
        # Used just for the initial connection before we redirect the user to https
        bind *:4711
        # Combined file containing server, intermediate and root CA certs along
        # with the private key for the server cert.
        bind *:4712 ssl crt /etc/ssl/private/my-site-name_combined_cert_bundle_with_key.pem
        option dontlognull
        mode http
        option httplog
        # Redirect user from http port to https port
        http-request set-var(req.hostname) req.hdr(Host),field(1,:),lower
        http-request redirect code 301 location https://%[var(req.hostname)]:4712/ if !{ ssl_fc }
        acl AUTH http_auth(stats-auth)
        acl AUTH_ADMIN http_auth_group(stats-auth) admin
        stats enable
        # The only "site" for using these ports is the admin UI, so use '/' as
        # the base path instead of requiring something like '/haproxy_stats' or
        # '/stats' in order to display the UI.
        stats uri /
        # Force a login if not already authenticated
        stats http-request auth unless AUTH
        # Allow administrator functionality if user logged in using admin creds
        # (there are separate read-only username and password pairs)
        stats admin if AUTH_ADMIN
I left out the frontend and backend config as those are much longer/detailed.
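The redirect above copies the client-supplied Host header into the Location header, so whatever name a client sends is echoed back to it. A variant that only redirects to expected names, as an added example that is not part of the original answer; the allow-list holds the two names from the question, and the ACL name `known_host` is chosen here for illustration:

```haproxy
frontend www-http
    bind *:9000
    mode http

    # Host header with any ":port" suffix removed, lowercased
    # (same converters as in the answer above).
    http-request set-var(req.hostname) req.hdr(Host),field(1,:),lower

    # Constructed allow-list: the two names the question says refer to the
    # same system. var() returns an untyped sample, so the match method
    # must be given explicitly with -m str.
    acl known_host var(req.hostname) -m str 10.10.10.10 myhost.domain.com

    # The Host header is client-controlled. Reject anything not on the list
    # (missing header, unexpected name, bracketed IPv6 literal that
    # field(1,:) would truncate) instead of reflecting it into Location.
    http-request deny unless known_host

    # Only allow-listed names reach this rule.
    http-request redirect code 301 location https://%[var(req.hostname)]:9143
```

Rules are evaluated in order, so the variable is set before the ACL reads it, and a denied request never reaches the redirect.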
Source: https://stackoverflow.com/questions/43667953/haproxy-get-the-host-name