HAProxy Replace URL Headers and Redirect HTTPS to HTTP
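### Create SSL file for HTTPS traffic
# The combined PEM contains the private key: create the directory and the
# file with owner-only permissions so the key is never world-readable.
mkdir -p /etc/haproxy/ssl
chmod 700 /etc/haproxy/ssl
umask 077
# Use '>' rather than '>>': appending on a re-run stacks duplicate
# certificate/key blocks into the file. Order is certificate (chain) first,
# then the private key.
cat /root/wildcard.example.com.crt /root/wildcard.example.com.key > /root/wildcard.example.co.id.pem
chmod 600 /root/wildcard.example.co.id.pem
# The file name must match the 'crt' path referenced by haproxy.cfg
# (bind ... ssl crt /etc/haproxy/ssl/wildcard.example.co.id.pem).
mv /root/wildcard.example.co.id.pem /etc/haproxy/ssl/
### Configure HAProxy.cfg to accept HTTPS, redirect HTTPS to HTTP and replace header to targeted URL
vi /etc/haproxy/haproxy.cfg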
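#---
#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#
# https://www.haproxy.org/download/1.8/doc/configuration.txt
#
#---------------------------------------------------------------------
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events. This is done
    # by adding the '-r' option to the SYSLOGD_OPTIONS in
    # /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    # file. A line like the following can be added to
    # /etc/sysconfig/syslog
    #
    #local2.* /var/log/haproxy.log
    #
    log         127.0.0.1 local2
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon
    tune.ssl.default-dh-param 2048
    # turn on stats unix socket; restrict the socket's permissions because
    # it accepts runtime commands for the running proxy
    stats socket /var/lib/haproxy/stats mode 600
    # utilize system-wide crypto-policies
    ssl-default-bind-ciphers PROFILE=SYSTEM
    ssl-default-server-ciphers PROFILE=SYSTEM
    # refuse legacy protocol versions on the TLS listener (the cipher
    # profile alone does not pin the minimum protocol version)
    ssl-default-bind-options ssl-min-ver TLSv1.2

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    log                     global
    option                  httplog
    option                  dontlognull
    option                  http-server-close
    option                  forwardfor except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

#---------------------------------------------------------------------
# Users allowed to reach the admin frontend (HTTP basic auth).
# 'insecure-password' stores the credential in clear text in this file;
# use 'password' with a crypt(3) hash instead (e.g. `mkpasswd -m sha-512`)
# and rotate any value that was ever written here in plain text.
# Verify the hashed login still works with 'chroot' enabled above.
#---------------------------------------------------------------------
userlist http_users
    user abc password <REPLACE_WITH_CRYPT_SHA512_HASH>

#---------------------------------------------------------------------
# TCP pass-through for the cluster API (6443) and machine config (22623)
# servers; no TLS termination happens here.
#---------------------------------------------------------------------
frontend main
    bind 0.0.0.0:6443
    mode tcp
    default_backend api6443

backend api6443
    balance source
    mode tcp
    server prdcluster-master1.dc.example.co.id prdcluster-master1.dc.example.co.id:6443 check
    server prdcluster-master2.dc.example.co.id prdcluster-master2.dc.example.co.id:6443 check
    server prdcluster-master3.dc.example.co.id prdcluster-master3.dc.example.co.id:6443 check

frontend main2
    bind 0.0.0.0:22623
    mode tcp
    default_backend api22623

backend api22623
    balance source
    mode tcp
    server prdcluster-master1.dc.example.co.id prdcluster-master1.dc.example.co.id:22623 check
    server prdcluster-master2.dc.example.co.id prdcluster-master2.dc.example.co.id:22623 check
    server prdcluster-master3.dc.example.co.id prdcluster-master3.dc.example.co.id:22623 check

#---------------------------------------------------------------------
# HTTPS entry point: TLS terminates here; the selected backends are
# reached over plain HTTP.
#---------------------------------------------------------------------
frontend main3
    bind 0.0.0.0:443 ssl crt /etc/haproxy/ssl/wildcard.example.co.id.pem
    mode http
    # Tell the HTTP backends the original scheme so their redirects and
    # secure cookies are built for https. ('reqadd' is deprecated in
    # current releases; http-request set-header is the supported form.)
    http-request set-header X-Forwarded-Proto https
    acl ACL_frontend_abc   hdr(host) -i frontend.example.co.id
    acl ACL_admin_frontend hdr(host) -i admin-frontend.example.co.id
    use_backend router80   if ACL_frontend_abc
    use_backend 2router80  if ACL_admin_frontend
    default_backend router443
    # The statistics page is no longer served from this public listener
    # (it had no authentication); see the 'stats' listen section below.

backend router443
    balance source
    mode http
    # NOTE(review): these servers are contacted on :443 without 'ssl' on the
    # server line, i.e. plain HTTP towards a TLS port. Confirm the intent:
    # either add 'ssl verify required ca-file <ca>' here or move this path
    # to a TCP frontend/backend pair.
    server prdcluster-infra1.dc.example.co.id prdcluster-infra1.dc.example.co.id:443 check
    server prdcluster-infra2.dc.example.co.id prdcluster-infra2.dc.example.co.id:443 check
    server prdcluster-infra3.dc.example.co.id prdcluster-infra3.dc.example.co.id:443 check

#---------------------------------------------------------------------
# Plain HTTP entry point: every request is sent to HTTPS.
#---------------------------------------------------------------------
frontend main4
    bind 0.0.0.0:80
    mode http
    # ssl_fc is never true on this cleartext listener, so the redirect
    # applies to all requests and default_backend below is effectively
    # unreachable; it is kept only as a fallback.
    redirect scheme https if !{ ssl_fc }
    default_backend router80
    # 'stats uri' removed here for the same reason as in frontend main3.

backend router80
    balance source
    mode http
    # The first argument of replace-header is a regex: an unescaped '.'
    # matches any character. Harmless for this exact-host route selected
    # by the frontend ACL, but escape the dots if the match must be strict.
    http-request replace-header Host frontend.example.co.id app-pp.apps.prdocp.dc.example.co.id
    #http-request replace-header Host frontend.example.co.id blank-page-git-openshift.apps.prdocp.dc.example.co.id
    server prdcluster-infra1.dc.example.co.id prdcluster-infra1.dc.example.co.id:80 check
    server prdcluster-infra2.dc.example.co.id prdcluster-infra2.dc.example.co.id:80 check
    server prdcluster-infra3.dc.example.co.id prdcluster-infra3.dc.example.co.id:80 check

backend 2router80
    balance source
    mode http
    http-request replace-header Host admin-frontend.example.co.id pp-fe-admin.apps.prdocp.dc.example.co.id
    # Basic auth against the 'http_users' userlist; unauthenticated
    # requests get a 401 with this realm.
    acl auth_ok http_auth(http_users)
    #http-request auth unless auth_ok
    http-request auth realm admin-frontend.example.co.id if !auth_ok
    # X-Forwarded-Proto is set once in frontend main3 for every backend.
    server prdcluster-infra1.dc.example.co.id prdcluster-infra1.dc.example.co.id:80 check
    server prdcluster-infra2.dc.example.co.id prdcluster-infra2.dc.example.co.id:80 check
    server prdcluster-infra3.dc.example.co.id prdcluster-infra3.dc.example.co.id:80 check

#---------------------------------------------------------------------
# Statistics page on a loopback-only listener instead of the public
# frontends. If it must be reachable remotely, add 'stats auth' and
# restrict the bind address/firewall. (Port 8404 is a conventional
# choice made here; adjust as needed.)
#---------------------------------------------------------------------
listen stats
    bind 127.0.0.1:8404
    mode http
    stats enable
    stats uri /haproxy?stats
    stats refresh 10s
#---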