Re: route !HTTP connections to tcp backend instead of dropping in HTTP mode

From: Baptiste <bedis9#gmail.com>
Date: Mon, 12 Dec 2011 19:17:55 +0100


well, if your websocket traffic is encrypted, how do you want haproxy to read the headers????

Your last chance is to try to use a dst_port ACL to match the websocket port, or to use two separate frontends.

cheers

On Mon, Dec 12, 2011 at 10:10 AM, Lukasz Michalski <lm#zork.pl> wrote:
> On 12/12/2011 09:52 AM, Baptiste wrote:
>> Hi Lukasz,
>>
>> You must use stunnel in front of haproxy in order to be able to
>> inspect pure clear HTTP traffic.
>>
>> Concerning your HAProxy configuration, it's not fully accurate.
>> Please give a try to the configuration below:
>>
>> frontend
>>   mode tcp
>>   tcp-request inspect-delay 1s
>>   use_backend nodejs_flashpolicy_http if HTTP
>>   default_backend nodejs_flashpolicy
>>
>> backend nodejs_flashpolicy
>>   mode tcp
>>   server node1 localhost:10843 maxconn 2000 check
>>
>> backend nodejs_flashpolicy_http
>>   mode http
>>   option httplog
>>   server node1 localhost:10843 maxconn 2000 check
>>
>> cheers
>>
>
> Thanks for quick reply.
>
> I tried mode tcp on frontend but then I cannot route HTTP requests to my
> backends.
>
> This is my current config:
>
> # Flash plugin will not send <policy-file-request/>
> # on client connection if policy file can be requested
> # from the same host on port 843.
> # We cannot use different port here.
> frontend flash_policy
>  bind 0.0.0.0:843
>  mode tcp
>  default_backend nodejs_flashpolicy
>
> # Main frontend
> frontend proxy
>  bind 0.0.0.0:80
>  bind 0.0.0.0:8443
>  mode http
>  option httplog
>  maxconn 200000
>  timeout client 86400000
>
>  default_backend webapp
>
>  tcp-request content accept if !HTTP
>  tcp-request inspect-delay 1s
>  use_backend nodejs_flashpolicy_http if !HTTP
>  #use_backend nodejs_flashpolicy if !HTTP
>
>  #websockets
>  acl is_websocket path_beg /socket.io
>  acl is_websocket hdr(Upgrade) -i WebSocket
>  acl is_websocket hdr_beg(Host) -i ws
>  use_backend websocket if is_websocket
>
>
> backend webapp
>   mode http
>   option httplog
>   option httpclose
>   server cherrypy1 localhost:7000 check
>
> backend websocket
>  mode http
>  option httplog
>  timeout server 86400000
>  timeout queue 5000
>  timeout connect 86400000
>  option forwardfor
>  no option httpclose
>  option http-server-close
>  option forceclose
>  server node1 localhost:12000 maxconn 2000 check
>
> backend nodejs_flashpolicy
>  mode tcp
>  server node1 localhost:10843 maxconn 2000 check
>
> backend nodejs_flashpolicy_http
>  mode http
>  option httplog
>  server node1 localhost:10843 maxconn 2000 check
>
> I have to route http traffic to these two backends based on request path,
> host and HTTP headers.
>
> Additionally if !HTTP traffic is detected on proxy frontend I would like
> to route it to nodejs_flashpolicy.
>
> I tried tcp mode on frontend but it caused a random backend to be
> selected when valid HTTP request came in. Is it true that my acl's are
> ignored in tcp mode?
>
> Anyway, my websocket traffic is over SSL and I have to make this
> decision before SSL connection is terminated by stunnel, because flash
> plugin sends unencrypted xml data to port 443 if port 843 is not available.
>
> Thanks for your help,
> Łukasz
Received on 2011/12/12 19:17
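
Added illustration, not part of the thread and not HAProxy code: a Python sketch of what a proxy can learn from the first bytes of a connection before TLS is terminated. The backend names come from the config quoted above; `classify`, `choose_backend`, the `tls-port-N` label and the sample bytes are constructed for this example.

```python
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")
FLASH_POLICY_REQUEST = b"<policy-file-request/>\x00"  # cleartext XML sent by the Flash plugin

def classify(first_bytes: bytes) -> str:
    """Return 'flash-policy', 'tls', 'http', 'need-more' or 'unknown'."""
    if first_bytes.startswith(FLASH_POLICY_REQUEST):
        return "flash-policy"
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    if len(first_bytes) >= 2 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    if first_bytes.startswith(HTTP_METHODS):
        return "http"
    # A short read may still be a prefix of a known opening: wait (inspect-delay).
    candidates = (FLASH_POLICY_REQUEST, b"\x16\x03") + HTTP_METHODS
    if any(c.startswith(first_bytes) for c in candidates):
        return "need-more"
    return "unknown"

def http_is_websocket(request: bytes) -> bool:
    """The thread's is_websocket tests, which only work on cleartext HTTP."""
    lines = request.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    path = parts[1] if len(parts) >= 2 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip().lower()
    return (path.startswith("/socket.io")
            or headers.get("upgrade") == "websocket"
            or headers.get("host", "").startswith("ws"))

def choose_backend(first_bytes: bytes, dst_port: int) -> str:
    kind = classify(first_bytes)
    if kind == "flash-policy":
        return "nodejs_flashpolicy"
    if kind == "tls":
        # Path and headers are encrypted: only layer-4 facts (the port) remain.
        return "tls-port-%d" % dst_port  # hypothetical label
    if kind == "http":
        return "websocket" if http_is_websocket(first_bytes) else "webapp"
    return kind

# Constructed sample openings.
POLICY = b"<policy-file-request/>\x00"
TLS_HELLO = bytes.fromhex("160301002f0100002b0303")
WS = b"GET /socket.io/1/ HTTP/1.1\r\nHost: example.test\r\nUpgrade: WebSocket\r\n\r\n"
PAGE = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
```
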
