HAProxy: terminate TLS, rewrite the Host header toward the backend route, and redirect plain HTTP to HTTPS
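### Create SSL file for HTTPS traffic
# HAProxy expects one PEM holding the certificate (and chain) followed by the
# private key. Write it with '>' rather than '>>' so a re-run does not append a
# second copy, and create it owner-only from the start: it contains the key.
mkdir -p /etc/haproxy/ssl
( umask 077; cat /root/wildcard.example.com.crt /root/wildcard.example.com.key > /root/wildcard.example.com.pem )
mv /root/wildcard.example.com.pem /etc/haproxy/ssl/
chmod 600 /etc/haproxy/ssl/wildcard.example.com.pem
# NOTE(review): the haproxy.cfg below points "bind ... crt" at
# wildcard.example.co.id.pem, not wildcard.example.com.pem -- use one name for both.
### Configure haproxy.cfg to accept HTTPS, redirect HTTP to HTTPS and rewrite the Host header to the targeted route
vi /etc/haproxy/haproxy.cfg
# Validate the file before reloading the service: haproxy -c -f /etc/haproxy/haproxy.cfg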
#---
#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#
# https://www.haproxy.org/download/1.8/doc/configuration.txt
#
#---------------------------------------------------------------------
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
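global
    # Logging goes to the local syslog daemon on facility local2. For the
    # messages to land in /var/log/haproxy.log the daemon must accept network
    # log events ('-r' in SYSLOGD_OPTIONS in /etc/sysconfig/syslog) and carry a
    # rule such as "local2.* /var/log/haproxy.log".
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon
    tune.ssl.default-dh-param 2048
    # Runtime API socket. It accepts administrative commands (enable/disable
    # servers, change weights), so restrict it to its owner instead of leaving
    # the permissions to the process umask.
    stats socket /var/lib/haproxy/stats mode 600
    # Cipher selection follows the system-wide crypto policy (RHEL/CentOS 8+).
    # NOTE(review): confirm that policy also disables TLS < 1.2 for the bind
    # side; if it does not, add "ssl-default-bind-options ssl-min-ver TLSv1.2".
    ssl-default-bind-ciphers PROFILE=SYSTEM
    ssl-default-server-ciphers PROFILE=SYSTEM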
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    # Inherited by every frontend/backend below unless overridden there.
    log     global
    # HTTP-format log lines; do not log connections that never sent data.
    option  httplog
    option  dontlognull
    # Close the server side after each response; client keep-alive stays on.
    option  http-server-close
    # Add X-Forwarded-For with the client address, except for loopback clients.
    option  forwardfor except 127.0.0.0/8
    # If the chosen server is down, retry on another one.
    option  redispatch
    retries 3
    maxconn 3000
    # Timeouts (request parsing, queueing, connect, idle client/server, keep-alive, health check).
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
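userlist http_users
    # Basic-auth accounts for the admin frontend. Store the password as a crypt(3)
    # hash ("password"), not in clear text ("insecure-password") in a config file
    # that is typically world-readable and checked into notes like this one.
    # Generate the hash with:  mkpasswd -m sha-512   (or: openssl passwd -6)
    # and paste the "$6$..." result below. Until it is replaced, the placeholder
    # should match no password at all (fails closed rather than open).
    user abc password $6$REPLACE_WITH_SALT$REPLACE_WITH_HASH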
frontend main
    # Cluster API entry point: raw TCP pass-through, TLS is not terminated here.
    mode tcp
    bind *:6443
    default_backend api6443
backend api6443
    # API servers on the three master nodes; a client keeps hitting the same
    # master (source-IP hash) while it is healthy.
    mode tcp
    balance source
    default-server check
    server prdcluster-master1.dc.example.co.id prdcluster-master1.dc.example.co.id:6443
    server prdcluster-master2.dc.example.co.id prdcluster-master2.dc.example.co.id:6443
    server prdcluster-master3.dc.example.co.id prdcluster-master3.dc.example.co.id:6443
frontend main2
# Machine-config-server entry point (port 22623), TCP pass-through like port 6443.
# NOTE(review): this binds on every interface. The configs served on 22623 are
# consumed by cluster nodes only and may embed sensitive material; if this load
# balancer is reachable from outside the cluster network, limit the bind to the
# internal address or filter the port upstream -- confirm the exposure.
bind 0.0.0.0:22623
default_backend api22623
backend api22623
    # Machine config server on the three master nodes, same pinning as api6443.
    mode tcp
    balance source
    default-server check
    server prdcluster-master1.dc.example.co.id prdcluster-master1.dc.example.co.id:22623
    server prdcluster-master2.dc.example.co.id prdcluster-master2.dc.example.co.id:22623
    server prdcluster-master3.dc.example.co.id prdcluster-master3.dc.example.co.id:22623
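frontend main3
    # Public HTTPS entry point. TLS terminates here; everything behind it is
    # forwarded in the clear to the infra nodes.
    bind 0.0.0.0:443 ssl crt /etc/haproxy/ssl/wildcard.example.co.id.pem
    mode http
    # Route on an exact, case-insensitive Host match. A Host carrying an explicit
    # port ("frontend.example.co.id:443") would not match and would fall through
    # to the default backend -- acceptable for browsers, worth knowing for tooling.
    acl ACL_frontend_abc   hdr(host) -i frontend.example.co.id
    acl ACL_admin_frontend hdr(host) -i admin-frontend.example.co.id
    use_backend router80  if ACL_frontend_abc
    use_backend 2router80 if ACL_admin_frontend
    default_backend router443
    # The stats page ("stats uri /haproxy?stats") was served from this public
    # frontend with no authentication, exposing backend names, addresses and
    # health to anyone. It is served from the loopback-only listener below instead.

# Stats page reachable only from the host itself (e.g. through an SSH tunnel);
# 8404 is just a free local port, adjust as needed.
listen stats
    bind 127.0.0.1:8404
    mode http
    stats enable
    stats uri /haproxy?stats
    stats refresh 10s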
backend router443
    # Catch-all for hostnames that matched no ACL: hand them to the cluster
    # router on the infra nodes.
    # NOTE(review): this backend is "mode http" and the server lines carry no
    # "ssl" keyword, so HAProxy speaks cleartext HTTP to port 443 of the infra
    # nodes. If the router expects TLS on 443 these requests will fail; either
    # add "ssl ca-file <ca> verify required" to the servers or point them at :80.
    mode http
    balance source
    default-server check
    server prdcluster-infra1.dc.example.co.id prdcluster-infra1.dc.example.co.id:443
    server prdcluster-infra2.dc.example.co.id prdcluster-infra2.dc.example.co.id:443
    server prdcluster-infra3.dc.example.co.id prdcluster-infra3.dc.example.co.id:443
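frontend main4
    # Plain-HTTP entry point whose only job is to bounce clients to HTTPS.
    bind 0.0.0.0:80
    mode http
    # Every connection on this bind is cleartext, so "!{ ssl_fc }" is always
    # true: the redirect matches all requests and the default_backend below is
    # never reached. It is kept only so the frontend still has a backend if the
    # redirect is ever made conditional.
    redirect scheme https if !{ ssl_fc }
    default_backend router80
    # The unauthenticated stats page ("stats uri /haproxy?stats") is no longer
    # served from this public frontend; expose it on a loopback-only listener.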
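backend router80
    mode http
    balance source
    # The frontend admitted this request because Host matched
    # frontend.example.co.id case-insensitively; rewrite it to the route the
    # cluster router actually serves. A plain set-header replaces the earlier
    # regex replace-header: that regex was case-sensitive and unanchored with
    # unescaped dots, so e.g. "Frontend.Example.co.id" passed the ACL but was
    # forwarded unrewritten and hit the wrong route.
    http-request set-header Host app-pp.apps.prdocp.dc.example.co.id
    # Alternative target kept from the original for testing:
    #   blank-page-git-openshift.apps.prdocp.dc.example.co.id
    # Let the application know the client side was TLS (terminated upstream),
    # otherwise it may emit http:// redirects or non-secure cookies.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    server prdcluster-infra1.dc.example.co.id prdcluster-infra1.dc.example.co.id:80 check
    server prdcluster-infra2.dc.example.co.id prdcluster-infra2.dc.example.co.id:80 check
    server prdcluster-infra3.dc.example.co.id prdcluster-infra3.dc.example.co.id:80 check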
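backend 2router80
    mode http
    balance source
    # Basic auth against the http_users userlist: requests without valid
    # credentials get a 401 before anything is forwarded. As wired above this
    # backend is only selected from the TLS frontend, so credentials are not
    # sent in the clear.
    acl auth_ok http_auth(http_users)
    http-request auth realm admin-frontend.example.co.id if !auth_ok
    # Rewrite Host to the admin route. set-header instead of the earlier
    # case-sensitive, unanchored regex replace-header (see router80).
    http-request set-header Host pp-fe-admin.apps.prdocp.dc.example.co.id
    # Replaces the commented-out "reqadd X-Forwarded-Proto" (reqadd is deprecated
    # and removed in newer HAProxy releases).
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    # NOTE(review): this auth only protects the path through HAProxy; anyone
    # who can reach port 80 on the infra nodes directly bypasses it -- confirm
    # that port is not reachable from client networks.
    server prdcluster-infra1.dc.example.co.id prdcluster-infra1.dc.example.co.id:80 check
    server prdcluster-infra2.dc.example.co.id prdcluster-infra2.dc.example.co.id:80 check
    server prdcluster-infra3.dc.example.co.id prdcluster-infra3.dc.example.co.id:80 check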
#---