HAProxy http-request 将特定路径重定向到另一个路径
HAProxy http-request redirect a specific path to another path
我非常熟悉 HTTP 协议和一点点 HAProxy,但我以前从未真正搞砸过 URL 重写和重定向。现在,我有 2 个 "simple" HTTP 重定向要求,我一直很难搞清楚。
https://appserver.example.com 应该重定向到 https://appserver.example.com/myapp/webapp/?auth=saml 以将用户指向 saml 登录页面。https://appserver.example.com/?auth=standard 应该重定向到 https://appserver.example.com/myapp/webapp/?auth=standard
要求 1 工作正常:
myuser:~ myuser$ curl -I https://appserver.example.com
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://appserver.example.com/myapp/webapp/?auth=saml
Connection: close
myuser:~ myuser$
但是我很难实现#2。正如我所想,关键是添加一个 acl,然后在 acl 匹配时添加另一个 http-request redirect prefix 行。
acl is_auth_std path /?auth=standard
http-request redirect prefix /myapp/webapp/?auth=standard code 301 if is_auth_std
但显然这还不够。 /?auth=standard 仍然重定向到假定的根目录 URL:
myuser:~ myuser$ curl -I https://appserver.example.com/?auth=standard
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://appserver.example.com/myapp/webapp/?auth=saml
Connection: close
myuser:~ myuser$
这些是我的 haproxy.cfg 文件的相关部分:
frontend myapp443-in
mode http
bind *:443 ssl crt /etc/haproxy/ssl/myapp.pem
default_backend myapp443-out
option forwardfor
timeout client 60m
timeout http-keep-alive 10s
timeout http-request 5s
timeout tarpit 60s
acl is_websocket path_beg /myapp/webapp/
acl is_websocket hdr(Upgrade) -i WebSocket
acl is_websocket hdr_beg(Host) -i ws
acl is_root path /
capture request header Host len 64
http-request redirect scheme https code 301 if !{ ssl_fc }
http-request redirect code 301 location https://%[hdr(host)]/myapp/webapp/?auth=saml if is_root
acl is_auth_std path /?auth=standard
http-request redirect prefix /myapp/webapp/?auth=standard code 301 if is_auth_std
backend myapp443-out
cookie SRVID insert indirect nocache maxidle 30m maxlife 1h
option forwardfor
balance leastconn
option ssl-hello-chk
option httpchk GET /myapp/webapp/img/favicon.ico
http-check expect status 200
default-server inter 1s downinter 3s rise 15 fall 15
timeout check 1s
timeout server 60s
timeout tunnel 3600s
timeout queue 30s
timeout connect 5s
http-request add-header X-Forwarded-Proto https if { ssl_fc }
redirect scheme https if !{ ssl_fc }
http-response add-header Strict-Transport-Security max-age=31536000;\ includeSubdomains
http-response add-header X-Content-Type-Options nosniff
http-response add-header X-XSS-Protection 1;\ mode=block
http-response add-header Referrer-Policy no-referrer
http-response add-header Feature-Policy accelerometer\ 'none';\ ambient-light-sensor\ 'none';\ autoplay\ 'none';\ camera\ 'none';\ display-capture\ 'none';\ document-domain\ 'none';\ fullscreen\ 'none';\ execution-while-not-rendered\ 'none';\ execution-while-out-of-viewport\ 'none';\ gyroscope\ 'none';\ magnetometer\ 'none';\ microphone\ 'none';\ midi\ 'none';\ payment\ 'none';\ picture-in-picture\ 'none';\ publickey-credentials\ 'none';\ sync-xhr\ 'none';\ usb\ 'none';\ wake-lock\ 'none'
server appserver-01 appserver-01:8443 weight 5 check ssl verify none cookie s1
server appserver-02 appserver-02:8443 weight 5 check ssl verify none cookie s1
知道我遗漏了什么吗?
谢谢。
您将需要使用 url_param 来匹配查询字符串中的参数。
frontend myapp443-in
mode http
bind *:443 ssl crt /etc/haproxy/ssl/myapp.pem
option forwardfor
timeout client 60m
timeout http-keep-alive 10s
timeout http-request 5s
timeout tarpit 60s
# if not https => redirect, no need to check acls
http-request redirect scheme https code 301 if !{ ssl_fc }
acl is_websocket path_beg /myapp/webapp/
acl is_websocket hdr(Upgrade) -i WebSocket
acl is_websocket hdr_beg(Host) -i ws
acl is_root path /
acl is_not_auth_std url_param(auth) ! standard
acl is_not_auth_saml url_param(auth) ! saml
capture request header Host len 64
http-request redirect code 301 location https://%[hdr(host)]/myapp/webapp/?auth=standard if is_not_auth_std is_not_auth_saml
http-request redirect code 301 location https://%[hdr(host)]/myapp/webapp/?auth=saml if is_root
default_backend myapp443-out
redirect prefix 附加一个您可能不想要的 /
我非常熟悉 HTTP 协议和一点点 HAProxy,但我以前从未真正搞砸过 URL 重写和重定向。现在,我有 2 个 "simple" HTTP 重定向要求,我一直很难搞清楚。
https://appserver.example.com应该重定向到https://appserver.example.com/myapp/webapp/?auth=saml以将用户指向saml登录页面。https://appserver.example.com/?auth=standard应该重定向到https://appserver.example.com/myapp/webapp/?auth=standard
要求 1 工作正常:
myuser:~ myuser$ curl -I https://appserver.example.com
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://appserver.example.com/myapp/webapp/?auth=saml
Connection: close
myuser:~ myuser$
但是我很难实现#2。正如我所想,关键是添加一个 acl,然后在 acl 匹配时添加另一个 http-request redirect prefix 行。
acl is_auth_std path /?auth=standard
http-request redirect prefix /myapp/webapp/?auth=standard code 301 if is_auth_std
但显然这还不够。 /?auth=standard 仍然重定向到假定的根目录 URL:
myuser:~ myuser$ curl -I https://appserver.example.com/?auth=standard
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://appserver.example.com/myapp/webapp/?auth=saml
Connection: close
myuser:~ myuser$
这些是我的 haproxy.cfg 文件的相关部分:
frontend myapp443-in
mode http
bind *:443 ssl crt /etc/haproxy/ssl/myapp.pem
default_backend myapp443-out
option forwardfor
timeout client 60m
timeout http-keep-alive 10s
timeout http-request 5s
timeout tarpit 60s
acl is_websocket path_beg /myapp/webapp/
acl is_websocket hdr(Upgrade) -i WebSocket
acl is_websocket hdr_beg(Host) -i ws
acl is_root path /
capture request header Host len 64
http-request redirect scheme https code 301 if !{ ssl_fc }
http-request redirect code 301 location https://%[hdr(host)]/myapp/webapp/?auth=saml if is_root
acl is_auth_std path /?auth=standard
http-request redirect prefix /myapp/webapp/?auth=standard code 301 if is_auth_std
backend myapp443-out
cookie SRVID insert indirect nocache maxidle 30m maxlife 1h
option forwardfor
balance leastconn
option ssl-hello-chk
option httpchk GET /myapp/webapp/img/favicon.ico
http-check expect status 200
default-server inter 1s downinter 3s rise 15 fall 15
timeout check 1s
timeout server 60s
timeout tunnel 3600s
timeout queue 30s
timeout connect 5s
http-request add-header X-Forwarded-Proto https if { ssl_fc }
redirect scheme https if !{ ssl_fc }
http-response add-header Strict-Transport-Security max-age=31536000;\ includeSubdomains
http-response add-header X-Content-Type-Options nosniff
http-response add-header X-XSS-Protection 1;\ mode=block
http-response add-header Referrer-Policy no-referrer
http-response add-header Feature-Policy accelerometer\ 'none';\ ambient-light-sensor\ 'none';\ autoplay\ 'none';\ camera\ 'none';\ display-capture\ 'none';\ document-domain\ 'none';\ fullscreen\ 'none';\ execution-while-not-rendered\ 'none';\ execution-while-out-of-viewport\ 'none';\ gyroscope\ 'none';\ magnetometer\ 'none';\ microphone\ 'none';\ midi\ 'none';\ payment\ 'none';\ picture-in-picture\ 'none';\ publickey-credentials\ 'none';\ sync-xhr\ 'none';\ usb\ 'none';\ wake-lock\ 'none'
server appserver-01 appserver-01:8443 weight 5 check ssl verify none cookie s1
server appserver-02 appserver-02:8443 weight 5 check ssl verify none cookie s1
知道我遗漏了什么吗?
谢谢。
您将需要使用 url_param 来匹配查询字符串中的参数。
frontend myapp443-in
mode http
bind *:443 ssl crt /etc/haproxy/ssl/myapp.pem
option forwardfor
timeout client 60m
timeout http-keep-alive 10s
timeout http-request 5s
timeout tarpit 60s
# if not https => redirect, no need to check acls
http-request redirect scheme https code 301 if !{ ssl_fc }
acl is_websocket path_beg /myapp/webapp/
acl is_websocket hdr(Upgrade) -i WebSocket
acl is_websocket hdr_beg(Host) -i ws
acl is_root path /
acl is_not_auth_std url_param(auth) ! standard
acl is_not_auth_saml url_param(auth) ! saml
capture request header Host len 64
http-request redirect code 301 location https://%[hdr(host)]/myapp/webapp/?auth=standard if is_not_auth_std is_not_auth_saml
http-request redirect code 301 location https://%[hdr(host)]/myapp/webapp/?auth=saml if is_root
default_backend myapp443-out
redirect prefix 附加一个您可能不想要的 /