Les*_*ter 7 url url-rewriting haproxy
我对 HTTP 协议和一点点 HAProxy 非常熟悉,但我以前从未真正搞过 URL 重写和重定向。现在,我有 2 个“简单”的 HTTP 重定向要求,我一直很难弄清楚。
https://appserver.example.com应重定向到https://appserver.example.com/myapp/webapp/?auth=saml将用户指向saml登录页面。https://appserver.example.com/?auth=standard应该重定向到https://appserver.example.com/myapp/webapp/?auth=standard要求 1 工作正常:
myuser:~ myuser$ curl -I https://appserver.example.com
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://appserver.example.com/myapp/webapp/?auth=saml
Connection: close
myuser:~ myuser$
但我在如何实施#2 上遇到了困难。正如我所想,关键是添加一个acl,然后在匹配http-request redirect prefix时添加另一行。acl
acl is_auth_std path /?auth=standard
http-request redirect prefix /myapp/webapp/?auth=standard code 301 if is_auth_std
但显然这还不够。/?auth=standard仍然重定向到假定的根 URL:
myuser:~ myuser$ curl -I https://appserver.example.com/?auth=standard
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://appserver.example.com/myapp/webapp/?auth=saml
Connection: close
myuser:~ myuser$
这些是我的文件的相关部分haproxy.cfg:
frontend myapp443-in
mode http
bind *:443 ssl crt /etc/haproxy/ssl/myapp.pem
default_backend myapp443-out
option forwardfor
timeout client 60m
timeout http-keep-alive 10s
timeout http-request 5s
timeout tarpit 60s
acl is_websocket path_beg /myapp/webapp/
acl is_websocket hdr(Upgrade) -i WebSocket
acl is_websocket hdr_beg(Host) -i ws
acl is_root path /
capture request header Host len 64
http-request redirect scheme https code 301 if !{ ssl_fc }
http-request redirect code 301 location https://%[hdr(host)]/myapp/webapp/?auth=saml if is_root
acl is_auth_std path /?auth=standard
http-request redirect prefix /myapp/webapp/?auth=standard code 301 if is_auth_std
backend myapp443-out
cookie SRVID insert indirect nocache maxidle 30m maxlife 1h
option forwardfor
balance leastconn
option ssl-hello-chk
option httpchk GET /myapp/webapp/img/favicon.ico
http-check expect status 200
default-server inter 1s downinter 3s rise 15 fall 15
timeout check 1s
timeout server 60s
timeout tunnel 3600s
timeout queue 30s
timeout connect 5s
http-request add-header X-Forwarded-Proto https if { ssl_fc }
redirect scheme https if !{ ssl_fc }
http-response add-header Strict-Transport-Security max-age=31536000;\ includeSubdomains
http-response add-header X-Content-Type-Options nosniff
http-response add-header X-XSS-Protection 1;\ mode=block
http-response add-header Referrer-Policy no-referrer
http-response add-header Feature-Policy accelerometer\ 'none';\ ambient-light-sensor\ 'none';\ autoplay\ 'none';\ camera\ 'none';\ display-capture\ 'none';\ document-domain\ 'none';\ fullscreen\ 'none';\ execution-while-not-rendered\ 'none';\ execution-while-out-of-viewport\ 'none';\ gyroscope\ 'none';\ magnetometer\ 'none';\ microphone\ 'none';\ midi\ 'none';\ payment\ 'none';\ picture-in-picture\ 'none';\ publickey-credentials\ 'none';\ sync-xhr\ 'none';\ usb\ 'none';\ wake-lock\ 'none'
server appserver-01 appserver-01:8443 weight 5 check ssl verify none cookie s1
server appserver-02 appserver-02:8443 weight 5 check ssl verify none cookie s1
我缺少什么想法吗?
谢谢。
您将需要使用url_param来匹配查询字符串中的参数。
frontend myapp443-in
mode http
bind *:443 ssl crt /etc/haproxy/ssl/myapp.pem
option forwardfor
timeout client 60m
timeout http-keep-alive 10s
timeout http-request 5s
timeout tarpit 60s
# if not https => redirect, no need to check acls
http-request redirect scheme https code 301 if !{ ssl_fc }
acl is_websocket path_beg /myapp/webapp/
acl is_websocket hdr(Upgrade) -i WebSocket
acl is_websocket hdr_beg(Host) -i ws
acl is_root path /
acl is_not_auth_std url_param(auth) ! standard
acl is_not_auth_saml url_param(auth) ! saml
capture request header Host len 64
http-request redirect code 301 location https://%[hdr(host)]/myapp/webapp/?auth=standard if is_not_auth_std is_not_auth_saml
http-request redirect code 301 location https://%[hdr(host)]/myapp/webapp/?auth=saml if is_root
default_backend myapp443-out
重定向前缀附加一个/你可能不想要的