Netgate Discussion Forum

Redirection of JBoss web server using HAproxy with ACL

Cache/Proxy
10 Posts 3 Posters 699 Views
  • W
    wesleylc1 Rebel Alliance
    last edited by wesleylc1 Oct 8, 2020, 2:30 AM Oct 8, 2020, 2:27 AM

    Dear friends,

    I publish some web servers externally using "pfsense 2.4.4-RELEASE-p3 + haproxy-devel", and use the "ACL" rules to redirect some subdomains that respond in two "Frontend" "http and https" and work successfully, but I am having trouble configuring "ACL" for a new "JBoss" server, when configuring the settings for external publishing, it does not direct the way I want.

    Below I will inform details of the settings applied in HAproxy:

    1) As shown, this server is using "http", responsive on port "8180", so I made the configuration of a new "Backend" applying the configurations below:

    backend0001.png

    2) In the "http" frontend, I configured a new ACL "gedproj-web" with the value "gedproj-web.projectus.com.br".

    ACL_0003.png

    3) Below in actions, I added a new responsive rule to ACL previously informed and associated to my new "JBoss" server.

    Action_0004.png

    Important: As previously mentioned, the web server is accessible externally, but when accessing it, it is redirected only to the application if the address [http://gedproj-web.projectus.com.br/gedproj/] is used, when using [http://gedproj-web.projectus.com.br/] is taken to the JBoss EAP 7 administration page

    Thanks in advance!

    • K
      kiokoman LAYER 8
      last edited by Oct 8, 2020, 11:27 AM

      do you want to redirect? not 100% sure but:
      http-request redirect location http://web.projectus.com.br/gedproj/
      ?

      ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
      Please do not use chat/PM to ask for help
      we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
      Don't forget to Upvote with the 👍 button for any post you find to be helpful.

      • W
        wesleylc1 Rebel Alliance
        last edited by Oct 8, 2020, 2:25 PM

        Dear @kiokoman,

        As the image below shows, I already use the "http-request redirect" that redirects to my main site, and also to some subdomains, whose rule: site is already informed of my main site [http://www.projectus.com.br] and in Condition Names acl inform conditions for the site [http://gedproj-web.projectus.com.br/gedproj/]

        Captura de tela de 2020-10-08 11-24-31.png

        • W
          wesleylc1 Rebel Alliance
          last edited by Oct 20, 2020, 6:07 PM

          Any tips or suggestions to solve this problem?

          • D
            dragoangel
            last edited by dragoangel Oct 26, 2020, 12:01 AM Oct 25, 2020, 11:58 PM

            Hi, you want to get the site working under the root path of the domain and not as a subpath?

            Then you need to create an action on the backend:

            http-request set-path /gedproj%[path]
            

            Also: why do you use http?! You can easily use the pfSense ACME plugin + the HAProxy ACME Lua script to get a free Let's Encrypt SSL certificate and then redirect everything that is not /.well-known/acme-challenge to https

            Latest stable pfSense on 2x XG-7100 and 1x Intel Xeon Server, running multiWAN, he.net IPv6, pfBlockerNG-devel, HAProxy-devel, Syslog-ng, Zabbix-agent, OpenVPN, IPsec site-to-site, DNS-over-TLS...
            Unifi AP-AC-LR with EAP RADIUS, US-24

            W 1 Reply Last reply Oct 26, 2020, 12:34 AM Reply Quote 0
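A fuller form of the two suggestions in the post above, written as an added example that is not part of the original thread. The names HA_http, gedproj_backend and acme_backend and all addresses are placeholders; handing the ACME challenge to a separate backend is an assumption standing in for the Lua script the post mentions.

```haproxy
# Added example: placeholder names and addresses, merge into an existing config.
frontend HA_http
    bind 192.0.2.10:80
    mode http

    # ACME HTTP-01 validation must stay reachable over plain http;
    # every other request is sent to https.
    acl acme_challenge path_beg /.well-known/acme-challenge/
    http-request redirect scheme https code 301 unless acme_challenge
    use_backend acme_backend if acme_challenge

backend acme_backend
    mode http
    # Assumed local responder for the challenge files.
    server acme 127.0.0.1:8089

backend gedproj_backend
    mode http
    # Serve the application from the root of the domain by prepending
    # /gedproj to the request path. The guard avoids rewriting twice when
    # the application's own links already carry the prefix
    # (otherwise /gedproj/login would become /gedproj/gedproj/login).
    acl already_prefixed path /gedproj
    acl already_prefixed path_beg /gedproj/
    http-request set-path /gedproj%[path] unless already_prefixed
    # The thread's JBoss server answers http on port 8180.
    server jboss 192.0.2.20:8180 check
```

With the rewrite in the backend, the JBoss welcome page at / is no longer reachable through this host, because every unprefixed path is mapped into the application context.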
            • W
              wesleylc1 Rebel Alliance @dragoangel
              last edited by wesleylc1 Oct 26, 2020, 12:40 AM Oct 26, 2020, 12:34 AM

              Hello @dragoangel I have the wildcard certificate "Wildcard certificate", as it is a new web server, at first I'm trying to adjust the redial rules, then I want to adjust to use this https server.

              The domain's root site responds at [projectus.com.br], this new application must respond as a subpath [gedproj-web.projectus.com.br/gedproj], redirects only when informing [/gedproj]

              • D
                dragoangel @wesleylc1
                last edited by dragoangel Oct 26, 2020, 7:56 AM Oct 26, 2020, 7:23 AM

                @wesleylc1 I don't understand why you talk about one domain and then about another. I don't understand what you want to achieve, as you say many things but nothing that goes straight to your question. And I'm not the only one who doesn't understand you, so please can you speak more clearly.

                If you already have SSL, what is the point of configuring everything on http and then migrating it to https? This is a ridiculous waste of your own time.

                You want to reject the client if he goes to gedproj-web.projectus.com.br and the path does not start with /gedproj? Then this is not hard: it sounds exactly like what I said, 2 ACLs (this is pseudo code, I'm writing from my phone):
                acl example_site host = example.com
                acl path_gedproj path start with /gedproj
                And 1 action before use backend:
                http-request reject 503 if example_site !path_gedproj

                But in your case I would rather put the rewrite rule /gedproj to / and simply give the user access to the site at /; this is much more logical, as I wrote in my first comment.

                For each new project on this server you will create a new backend with a rewrite to its own path, if you want to have many projects.

                If you want to have one project, why don't you follow:
                To replace this page simply deploy your own war with / as its context path.

                If I understand correctly, your / is now some sort of welcome panel with the admin panel at /console etc.; you can simply create another backend for /console and configure it to work on a different domain. Optionally you can create an ACL which will reject all requests from non-whitelisted IPs, or allow access only from the internal VPN network, etc.

                P.S.: I never understand paid certificates when you have Let's Encrypt, especially now when you can't even buy SSL for longer than 1 year.

                1 Reply Last reply Reply Quote 0
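The pseudo code from the post above in real HAProxy syntax, together with the /console allowlist it suggests, as an added example that is not part of the original thread. The bind address, certificate path, backend names and the 10.0.0.0/8 admin range are placeholders; the 503 status follows the post.

```haproxy
# Added example: placeholder names and addresses, merge into an existing config.
frontend HA_Sistemas-https
    bind 192.0.2.10:443 ssl crt /etc/ssl/private/wildcard.pem
    mode http

    # Strip an optional ":port" so "Host: name:443" still matches.
    acl gedproj_host req.hdr(host),field(1,:) -i gedproj-web.projectus.com.br
    acl path_root    path /
    acl path_gedproj path /gedproj
    acl path_gedproj path_beg /gedproj/
    acl path_console path_beg /console
    acl admin_src    src 10.0.0.0/8          # assumed internal/VPN range

    # 1. The bare host name lands on the application, not the JBoss welcome page.
    http-request redirect location /gedproj/ code 302 if gedproj_host path_root

    # 2. The admin panel is only reachable from the allowlisted network.
    http-request deny deny_status 403 if gedproj_host path_console !admin_src

    # 3. Everything else on this host outside the application is refused.
    http-request deny deny_status 503 if gedproj_host !path_gedproj !path_console

    use_backend gedproj_backend if gedproj_host
    default_backend main_site_backend
```

The http-request rules are evaluated top to bottom and the first redirect or deny that matches ends processing, so the root redirect has to come before the catch-all deny.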
                • W
                  wesleylc1 Rebel Alliance
                  last edited by Oct 27, 2020, 1:13 AM

                  @dragoangel unfortunately my bad English makes communication difficult, but I don't intend to reject the client when accessing [gedproj-web.projectus.com.br], but rather that he be redirected to the application's authentication page, as shown in the image below.

                  2020_10_26_21_20_03_GED_PROJ_Login.png

                  As you said ... "there is no reason to spend my time first configuring the application in http ..." I already have a wildcard certificate, so I chose to use all this effort to apply https.

                  In fact I was spending all this time configuring as http and not as https simply because my application doesn't have the certificates configured on the web server yet, but my wildcard certificate is already correctly configured on the "pfsense" firewall, so I believe there is no impediment to configuring the new backend in https.

                  In my environment I already have several backend servers using http or https frontend, I believe my https frontend was already using the suggested logic, so I just followed the logic already used and entered the information for this new project, as shown below.

                  frontend HA_Sistemas-https
                  	bind			189.20.XX.XX:443 name 189.20.XX.XX:443   ssl crt-list /var/etc/haproxy/HA_Sistemas-https.crt_list 
                  
                  acl rootrequested var(txn.txnpath) -m str -i /
                  acl appone var(txn.txnhost) -m str -i time-appone.projectus.com.br
                  acl gedproj-web var(txn.txnhost) -m str -i gedproj-web.projectus.com.br
                  
                  http-request set-var(txn.txnpath) path
                  http-request set-var(txn.txnhost) hdr(host)
                  http-request redirect location /appone/faces/login.xhtml  if  rootrequested appone
                  http-request redirect location /gedproj/  if  rootrequested gedproj-web 
                  use_backend HA_Sistemas_43-115_8443-gedproj-web_ipvANY  if  gedproj-web 
                  default_backend HA_Sistemas_43-235_8443_ipvANY 
                  
                  • D
                    dragoangel
                    last edited by dragoangel Oct 27, 2020, 7:16 AM Oct 27, 2020, 7:12 AM

                    It doesn't matter how well you know English, you can use translation software. I don't see any questions. I don't see where you are asking for help and what your issue is - all you wrote is a description of what you have now. Is your issue solved, or did it never exist? 🤨

                    • W
                      wesleylc1 Rebel Alliance @dragoangel
                      last edited by Oct 27, 2020, 6:01 PM

                      @dragoangel Yes, it is already resolved, it is now possible to redirect successfully to my web application, and already using https, as shown in the image below.

                      Captura de tela de 2020-10-27 14-54-55.png

                      I take this opportunity to thank you and everyone who somehow interacted for a solution to my problem, grateful for all the support and patience in the instructions.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.