Access web based applications using an alias instead of a port
-
-
I don't fully understand what the problem is; basically the browser requests should just get forwarded to the webserver if all conditions are met.
- You have configured a DNS host override for the name in the DNS forwarder?
- You have an ACL that uses host matches with the same name as what you type in the browser?
- Does HAProxy return an error page?
- What does the browser say exactly? That it can't connect to the webserver or that it didn't get a reply? Or what?
- You might be able to add a header with credentials, though that basically defeats the purpose of having a login at all, doesn't it?
Place this into the 'Backend pass thru':
# '\ ' escapes the space so the header value is "Basic <base64 of user:password>"
http-request add-header Authorization Basic\ YWRtaW46cGFzcw==
- You might be able to rewrite the requests; however, make sure that links generated in the body of replies are returned to the client 'correctly'. So they must either be 'relative links', or must take into account that the user will be using a different URL. HAProxy will not change the body contents of a reply.
reqirep ^([^\ :]*)\ /(.*) \1\ /app1/\2
If the reply URLs don't work anymore you might have some luck with this, as it allows the app1 path to be requested directly by the browsers:
acl no_redir url_beg /app1/
reqirep ^([^\ :]*)\ /(.*) \1\ /app1/\2 if !no_redir
-
-
Where do I add the lines for #2 and #3?
I've added the applications that are in a directory and one has a LastChk "Layer 7 wrong status: ERROR" and the other has "Layer 7 wrong status: Not Found". Both of them give a 503 error when I type them into the web browser.
-
-
Define what "applications" we are talking about. Simple websites? Tied to a database?
-
Why is everything listening on a different port?
-
-
These are applications that are used through a web UI (you access them through the website). They do have databases, but those are internal ones (they store everything in internal .db files and config files).
They have different ports because everything is running on one server. None of this would have been an issue if I had multiple servers, but unfortunately, I do not.
-
Tear everything down, and I do mean everything. From the servers, to haproxy. I can't believe no one asked these questions before diving into haproxy. haproxy is for failover/loadbalancing multi-thousand visitors per second, not this use case.
Start from the start using virtual hosts for the websites, all running on the same port. Both apache and nginx can do this easily. duckduckgo (or google) for virtual hosts.
Unless running XP <SP3, use SNI for SSL (don't be scared, it's just an extra line in the config for each website). You don't need a different IP for every site. Again, duckduckgo is your friend.
When you are done with setting up the server, (and did I mention uninstall haproxy?) go into the DNS forwarder and set up the forwards:
domain IP
subdomain1.domain.com 192.168.1.10
subdomain2.domain.com 192.168.1.10
etc…etc... replacing subdomains, domains and IPs with your needed configurations. That should give you what you are looking for, with a lot less time spent on your part, time which was spent learning something new, as opposed to figuring how stuff works.
-
In my opinion HAProxy is a perfectly valid option for small sites needing some 'smart' switching to different webservers even with only small amounts of visitors, and has very little overhead. Though I agree, if everything is running on 1 webserver and you have good control over that, 'virtual hosts' does sound good. However, if you're running some other 'websites' like Outlook Web Access, together with some other applications integrated websites, together with a normal IIS website, together with an Apache website, it might not be easy to put it all together using virtual hosts. I don't know what and why it's running the way it currently is. I assumed there was a good reason for it, maybe I was wrong.
As my response for getting it to work in haproxy, all the 'code' can be put into the 'Backend pass thru'.
For the layer7 errors, what happens if you directly visit those servers with a browser "http://<server>:8081/"? Do you also get an error? What do you need to do to resolve that issue? If http://<server>:8081/app1/ does 'work' then you must make sure that the httpchk also uses that URL to perform the checks: fill in the 'Http check URI' with '/app1/'.
Those 'errors' are returned by the webserver, so make sure you know what is needed in the request to get a valid response. Try with curl to query the website yourself and find what is needed to get a '200' response.
As long as the health checks say the server is 'down' haproxy won't allow any clients to connect, so the 503 response is valid for those situations.
As a workaround you might set for example "http-check expect status 404". Though that increases the risk of haproxy falsely identifying the backend as 'up'. Or you might go back to healthcheck method 'basic' which only does a TCP connect&disconnect.
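The trade-off between the check methods in this post, as an added example that is not part of the original thread: a constructed local backend answers only under /app1/, and each check style is run against a healthy and a broken instance. The function names and the 500 status for the broken app are assumptions; treating 2xx/3xx as 'up' follows HAProxy's default for HTTP checks.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def start_backend(app_ok):
    """Constructed app: 200 under /app1/ (500 when broken), 404 everywhere else."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            in_app = self.path.startswith("/app1/")
            self.send_response((200 if app_ok else 500) if in_app else 404)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):  # silence per-request logging
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def tcp_check(port):
    """'Basic' method: TCP connect and disconnect, no HTTP involved."""
    try:
        socket.create_connection(("127.0.0.1", port), timeout=2).close()
        return True
    except OSError:
        return False

def http_check(port, uri, expect=None):
    """HTTP check: 2xx/3xx is up, unless one exact status is expected."""
    try:
        conn = http.client.HTTPConnection("127.0.0.1", port, timeout=2)
        conn.request("GET", uri)
        status = conn.getresponse().status
        conn.close()
    except (OSError, http.client.HTTPException):
        return False
    return status == expect if expect is not None else 200 <= status < 400

def run_checks(app_ok):
    """Return {check: reported up?} against a healthy or a broken app."""
    server = start_backend(app_ok)
    port = server.server_address[1]
    result = {"basic tcp": tcp_check(port),
              "GET /": http_check(port, "/"),
              "GET /app1/": http_check(port, "/app1/"),
              "GET / expect 404": http_check(port, "/", expect=404)}
    server.shutdown()
    server.server_close()
    return result
```

Calling `run_checks(True)` and `run_checks(False)` shows that only the check against /app1/ changes its answer when the app breaks; the TCP check and the expect-404 check keep reporting 'up'.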
-
Using a reverse proxy that can read host-headers is a common solution to this problem. Not the only one though.
Steve
-
@jflsakfja:
Tear everything down, and I do mean everything. From the servers, to haproxy. I can't believe no one asked these questions before diving into haproxy. haproxy is for failover/loadbalancing multi-thousand visitors per second, not this use case.
Start from the start using virtual hosts for the websites, all running on the same port. Both apache and nginx can do this easily. duckduckgo (or google) for virtual hosts.
Unless running XP <SP3, use SNI for SSL (don't be scared, it's just an extra line in the config for each website). You don't need a different IP for every site. Again, duckduckgo is your friend.
When you are done with setting up the server, (and did I mention uninstall haproxy?) go into the DNS forwarder and set up the forwards:
domain IP
subdomain1.domain.com 192.168.1.10
subdomain2.domain.com 192.168.1.10
etc…etc... replacing subdomains, domains and IPs with your needed configurations. That should give you what you are looking for, with a lot less time spent on your part, time which was spent learning something new, as opposed to figuring how stuff works.
Using VirtualHosts was actually my first choice. The issue was that I wasn't able to find a way to just forward ports on an application. All the documentation that I've found kept asking me for the directory where the website is. Since this is an application with a web frontend, I was never able to get it to work (I WAS able to get it to work when I had multiple websites in different directories running on Apache). If you know of a way of getting around that (I'm sure that I'm just missing something), I'd be more than happy for any guidance.
As my response for getting it to work in haproxy, all the 'code' can be put into the 'Backend pass thru'.
For the layer7 errors, what happens if you directly visit those servers with a browser "http://<server>:8081/"? Do you also get an error? What do you need to do to resolve that issue? If http://<server>:8081/app1/ does 'work' then you must make sure that the httpchk also uses that URL to perform the checks: fill in the 'Http check URI' with '/app1/'.
Those 'errors' are returned by the webserver, so make sure you know what is needed in the request to get a valid response. Try with curl to query the website yourself and find what is needed to get a '200' response.
As long as the health checks say the server is 'down' haproxy won't allow any clients to connect, so the 503 response is valid for those situations.
As a workaround you might set for example "http-check expect status 404". Though that increases the risk of haproxy falsely identifying the backend as 'up'. Or you might go back to healthcheck method 'basic' which only does a TCP connect&disconnect.
So for all apps that are just http://<server>:<port>, everything works great once I've implemented your advice. However, websites that are http://<server>:<port>/app, do not work. Those are the ones that are giving me the errors. When I just go to http://<server>:<port> for the corresponding app, I get either a 404 error or an "invalid request". The issue is that I can't figure out how to add the path to HAProxy to tell it where the app is.
Using a reverse proxy that can read host-headers is a common solution to this problem. Not the only one though.
Is that something that pfSense has built in?
-
Using VirtualHosts was actually my first choice. The issue was that I wasn't able to find a way to just forward ports on an application. All the documentation that I've found kept asking me for the directory where the website is. Since this is an application with a web frontend, I was never able to get it to work (I WAS able to get it to work when I had multiple websites in different directories running on Apache). If you know of a way of getting around that (I'm sure that I'm just missing something), I'd be more than happy for any guidance.
Please define what you mean by "application". A php script can be considered an application. Without knowing more details about what you are trying to do, I can't exactly give sane advice. Not that I do at other times, but I digress ;D
-
I have a few apps, some are python based, while others are .NET based. They all start by running an executable. They simply have a web frontend as opposed to a "regular" application GUI. Since they're running as a Windows process, I can't really point to a web directory (/www/htdocs/).
-
How are the web front ends rendered? They have to be somewhere that's accessible by the webserver, unless they do their own serving outside the webserver. In that case, put all the frontends in separate directories using virtual hosts, and point them to their required executables. Which is bad, but that's another story. If they do their own serving then this rules out my suggestions.
-
If http://<server>:8081/app1/ does 'work' then you must make sure that the httpchk also uses that URL to perform the checks: fill in the 'Http check URI' with '/app1/'.
-
Oops I missed that sentence :) So everything works now! I'm getting a good health check. The issue though is that when I go to http://app1, it takes me to http://<server>:<port>, instead of http://<server>:<port>/app1. Where can I add the /app1 part?
-
Hope this helps, put the code in the 'Backend pass thru':
Code to change a request from / to /app1/:
reqirep ^([^\ :]*)\ /(.*) \1\ /app1/\2
If URLs in the response contain absolute URLs it might be required to use this:
acl no_redir url_beg /app1/
reqirep ^([^\ :]*)\ /(.*) \1\ /app1/\2 if !no_redir
The code makes sure that the method and url-path behind the / stays the same. Which method you need exactly might depend on the application that's running.
For readability of the above, how to change a request from /app1/ to /app1/app1redir/:
reqirep ^([^\ :]*)\ /app1/(.*) \1\ /app1/app1redir/\2
If those above don't work you might still be able to get an acceptable workaround by using a redirect:
acl no_redir url_beg /app1/
http-request redirect location http://%[req.hdr(Host)]/app1/ if !no_redir
Actually most of this info can be found in the manual, have you seen it?: http://cbonte.github.io/haproxy-dconv/configuration-1.5.html
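What the rewrite and redirect rules from this post do to a request, modelled in Python as an added example (not code from the thread and not HAProxy itself); it also covers the same rules posted earlier in the thread. The sample requests and function names are constructed for illustration.

```python
import re

# The thread's reqirep pattern; HAProxy's "\ " (escaped space) becomes a plain space.
PATTERN = re.compile(r"^([^ :]*) /(.*)", re.IGNORECASE)

def request_path(lines):
    """Path from the request line, e.g. 'GET /x HTTP/1.1' -> '/x'."""
    return lines[0].split(" ")[1]

def rewrite(lines, guard):
    r"""Model 'reqirep ^([^\ :]*)\ /(.*) \1\ /app1/\2 [if !no_redir]'.

    reqirep is tried against the request line and every header line.
    guard=True adds 'acl no_redir url_beg /app1/' with 'if !no_redir'.
    """
    if guard and request_path(lines).startswith("/app1/"):
        return list(lines)  # ACL matched, rule skipped
    return [PATTERN.sub(r"\1 /app1/\2", line, count=1) for line in lines]

def redirect(lines):
    """Model 'http-request redirect location http://%[req.hdr(Host)]/app1/ if !no_redir'."""
    if request_path(lines).startswith("/app1/"):
        return None  # already under /app1/, passed through untouched
    host = next(l.split(":", 1)[1].strip() for l in lines[1:]
                if l.lower().startswith("host:"))
    return f"http://{host}/app1/"  # fixed target: the requested path is dropped

# Constructed sample requests (request line followed by headers).
ROOT = ["GET /settings HTTP/1.1", "Host: app1", "Referer: http://app1/ /old"]
DEEP = ["POST /app1/login HTTP/1.1", "Host: app1"]

if __name__ == "__main__":
    print(rewrite(ROOT, guard=False))  # path prefixed, header lines untouched
    print(rewrite(DEEP, guard=False))  # unguarded rule doubles the prefix
    print(rewrite(DEEP, guard=True))   # guarded rule leaves /app1/ requests alone
    print(redirect(ROOT))              # redirect always lands on /app1/
```

The `[^ :]*` part is what keeps header lines out of the rewrite: a header name is followed by a colon, so the pattern cannot match it.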
-
Everything works great! Thank you so much for all your help!