Hello,
I'm a new haproxy user (using haproxy 1.5) and I'm running into a few
hitches.
I made a stats backend:
> backend bk_stats
> log global
> mode http
> stats enable
> stats uri /
> stats scope ft_submission
> stats scope bk_postfix
And because I wanted to have users authed by ssl client certificate, I
put some http-response add-header statements into the frontend for
debugging:
> frontend ft_stats
> log global
> mode http
> bind 131.159.42.4:443 ssl crt myserver.combined.key.pem ca-file mycafile.pem verify required no-sslv3 no-tlsv10 no-tlsv11
> http-response add-header X-SSL-Client-CN %[ssl_c_s_dn(cn)]
> http-response add-header X-SSL-Client-E %[ssl_c_s_dn(emailAddress)]
> http-response add-header X-SSL-Client-DN %[ssl_c_s_dn]
> acl cn_allowed ssl_c_s_dn(emailAddress) -f /etc/haproxy/haproxy_admins
> #acl cn_allowed always_true
> use_backend bk_ssl_error unless cn_allowed
> default_backend bk_stats
However, these headers won't show up in the response. They also won't
show up if I put the add-header statements into the backend. It seems
that "stats enable" disregards http-response lines. There is a "stats
http-request" option but that doesn't allow adding any headers.
As a workaround I just shimmed in another frontend and backend where I
put the http-request add-header lines. [1]
I believe that this is a bug, at least in the way that nothing in the
documentation hints that "http-request add-header" in a /frontend/ will
be ignored if the /backend/ has stats enabled. In fact, the
documentation for http-response [2] states
> Since these rules apply on responses, the backend
> rules are applied first, followed by the frontend's rules.
So whatever response the backend delivers to the frontend should have no
influence on the headers being added by the frontend.
Can anyone more experienced with haproxy tell me if this is really a bug
or if I am just doing something wrong?
Best regards,
Luke
[1] http://ix.io/kiO
[2]
https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-http-response
I'm a new haproxy user (using haproxy 1.5) and I'm running into a few
hitches.
I made a stats backend:
> backend bk_stats
> log global
> mode http
> stats enable
> stats uri /
> stats scope ft_submission
> stats scope bk_postfix
And because I wanted to have users authed by ssl client certificate, I
put some http-response add-header statements into the frontend for
debugging:
> frontend ft_stats
> log global
> mode http
> bind 131.159.42.4:443 ssl crt myserver.combined.key.pem ca-file mycafile.pem verify required no-sslv3 no-tlsv10 no-tlsv11
> http-response add-header X-SSL-Client-CN %[ssl_c_s_dn(cn)]
> http-response add-header X-SSL-Client-E %[ssl_c_s_dn(emailAddress)]
> http-response add-header X-SSL-Client-DN %[ssl_c_s_dn]
> acl cn_allowed ssl_c_s_dn(emailAddress) -f /etc/haproxy/haproxy_admins
> #acl cn_allowed always_true
> use_backend bk_ssl_error unless cn_allowed
> default_backend bk_stats
However, these headers won't show up in the response. They also won't
show up if I put the add-header statements into the backend. It seems
that "stats enable" disregards http-response lines. There is a "stats
http-request" option but that doesn't allow adding any headers.
As a workaround I just shimmed in another frontend and backend where I
put the http-request add-header lines. [1]
I believe that this is a bug, at least in the way that nothing in the
documentation hints that "http-request add-header" in a /frontend/ will
be ignored if the /backend/ has stats enabled. In fact, the
documentation for http-response [2] states
> Since these rules apply on responses, the backend
> rules are applied first, followed by the frontend's rules.
So whatever response the backend delivers to the frontend should have no
influence on the headers being added by the frontend.
Can anyone more experienced with haproxy tell me if this is really a bug
or if I am just doing something wrong?
Best regards,
Luke
[1] http://ix.io/kiO
[2]
https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4.2-http-response