Aleksandar Lazic escribió:
> Hi,
>
> On Don 29.05.2008 20:02, Leo Catalinas wrote:
>>
>> I am new to HAProxy.
>>
>> I am using Stunnel + Haproxy like described in the Architecture Manual
>> (section 3.1).
>
> Good ;-)
>
>> Everything works ok, but I need to force several pages to be only
>> served through HTTPS and never with HTTP (some forms with private
>> data, etc..).
>>
>> Until now, I did it with Apache RewriteRule and some PHP checks..
>
> you use the mod_php right?
> which php-checks do you use?
With "PHP checks" I meant that some pages (usually forms) check the URL
the are called by and IF the URL begins with "http://" then
automatically sends a "header('Location: https://www.example.com/');"
(note the httpS). This is a 2nd security measure, as there is an Apache
RewriteRule that executes firts and forces some directories to be only
accessed by https.
That is the old model used in a web platform configured with ultramonkey (ldirector)
The new model has to change because as using Stunnel to decrypt the traffic on the balancer the httpS traffic never ever will pass the balancer and reach the web servers (in fact, none of these serves in :443). If I put the Apache RewriteRules and/or the PHP http-https redirections, I get an infinite loop because the connection always returns by HTTP to the web server.
This is the case of a web application maintained by us, but there are many other webs that we don´t want to touch code, like phpmyadmin, etc.
I think we need a equivalent reqirep or rspirep, possibly cobined with an ACL to make flexible rules in order to express the next logic:
if requests contains domain "www.example.com" and url_path "/hireforms/" then replace "^http://" with "https://".
As you can see, I need to combine at least one and condition to check the domain plus the path because this new platform will host several domains and the http->https redirection has to be done only in some domain+path combinations.
Another aclaration, now I can access to: 1- http://www.example.com/hireform/step1.php 2- https://www.example.com/hireform/step1.php
The problem is that it must not to be possible to access by "1", but only by "2" and being automatically redirected to 2 if 1 was requested.
For all these things I said I think this is HAProxy's job to do this redirection.
I think it shouldn't be complicated but I spent some time playing with reqirep and rspirep and I didn't achieve the purpose.
Thank you very much for your help!! :)
Leo.-
>> Now, the Apache servers always receives HTTP and never HTTPS because
>> this is always handled by stunnel and forwarded as HTTP.
>
> The application must send the https-links to the client.
>
>> I figure that there is HAProxy's job in this case.
>
> Nope, it is better to tell the applicaton to send the https-links out,
> which Header/Variable/... checks the php backend?
>
> Aleks
>
Received on 2008/05/30 08:33
This archive was generated by hypermail 2.2.0 : 2008/05/30 08:46 CEST