OPNsense Forum

Archive => 18.1 Legacy Series => Topic started by: ikkeT on April 29, 2018, 08:05:53 pm

Title: haproxy reqirep rules for path rewrite?
Post by: ikkeT on April 29, 2018, 08:05:53 pm
Hi,

how does one do things like this in the GUI? I.e. replacing path parts with regexp placeholders?

Code: [Select]
reqirep  ^([^ :]*)\ /mirror/foo/(.*)     \1\ /\2


See sample here: https://www.haproxy.com/blog/howto-write-apache-proxypass-rules-in-haproxy/

Edit: describing a bit more:

So I want my external URL to be rewritten by HAProxy for my internal server:

https://my.com/myexturl/index.html?stuff=1
=>
http://foo.intranet/index.html?stuff=1

Something like this HAProxy config:

    http-request set-header Host foo.intranet
    reqirep  ^([^ :]*)\ /myexturl/(.*)     \1\ /\2

    acl hdr_location res.hdr(Location) -m found
    rspirep ^Location:\ (https?://my.com(:[0-9]+)?)?/myexturl(/.*) Location:\ /\3 if hdr_location
    # ProxyPassReverseCookieDomain my.com foo.intranet
    acl hdr_set_cookie_dom res.hdr(Set-cookie) -m sub Domain= foo.intranet
    rspirep ^(Set-Cookie:.*)\ Domain=foo.intranet(.*) \1\ Domain=my.com\2 if hdr_set_cookie_dom
    # ProxyPassReverseCookieDomain / /myexturl/
    acl hdr_set_cookie_path res.hdr(Set-cookie) -m sub Path=
    rspirep ^(Set-Cookie:.*)\ Path=(.*) \1\ Path=/myexturl\2 if hdr_set_cookie_path

Now some of those I can find through the menus, but e.g. the plain reqirep at the beginning I can't. How do I do it via the GUI?


Title: Re: haproxy reqirep rules for path mangling?
Post by: ikkeT on April 29, 2018, 11:20:21 pm
Another question: how does one open ports in the firewall for HAProxy?

So I'm trying to test that with port 8443. Since it's not a port to be forwarded (NAT) anywhere, the OPNsense rules won't let me add that port for destination "WAN address". For some reason it only lets me pick from a predefined port list (e.g. HTTP, FTP) but won't let me write 8443 there, which I have set HAProxy to bind to at 0.0.0.0.

Title: Re: haproxy reqirep rules for path mangling?
Post by: ikkeT on May 01, 2018, 10:50:03 pm
OK, the firewall opening was no issue after all. I just had to make an alias for port 8443, as that seems to be the way to open custom ports.

But how do I create the rules with the GUI?

Title: Re: haproxy reqirep rules for path rewrite?
Post by: ikkeT on May 06, 2018, 06:48:12 pm
Any ideas? I changed the topic name from mangling to rewrite as that seems to be the better term for it. In the meantime I got Let's Encrypt working, and a basic forward from port 443 without a path change.

I have one IP. I'd like to catch all *:443 traffic and, based on domain or URL, point it to different services. So

Code: [Select]
1. https://foo.com/       -> WAN -> *:443 -> decrypt -> foo.intranet:80/
2. https://foo.com/bar -> WAN ->  *:443 -> decrypt -> bar.intranet:3000/
3. https://foo22.com/bar -> WAN ->  *:443 -> decrypt -> bar22.intranet:8080/

The basic first one works fine. But I can't find an option to put both rules into one *:443 via the GUI. I suppose I should rewrite the host and URL both in incoming and outgoing traffic. I suppose I could install HAProxy, manually write the haproxy.cfg, and start the service manually to avoid the GUI shortcomings. Or is there any other way?

Can there be several binds to *:443?

I am currently trying it like this; it partly works already (I tried to change the names to English):

Code: [Select]
frontend default_ssl
    bind 0.0.0.0:443 name 0.0.0.0:443 ssl  crt-list /var/etc/haproxy/ssl/5aeeda9fd8e5e2.51517701.crtlist
    mode http
    option http-keep-alive
    #default_backend nextcloud_bep
    default_backend Grafana
    # tuning options
    timeout client 30s

    acl acl_nc hdr(host) -i nexctloud.my.com
    use_backend nextcloud_bep if acl_nc

    acl acl_5aeedb998d8044.83346815 path_beg -i /.well-known/acme-challenge/
    use_backend acme_challenge_backend if acl_5aeedb998d8044.83346815

    acl acl_home hdr(host) -i home.my.com
    # ACL name fixed: it was defined as acl_cauges but used as acl_gauges
    acl acl_gauges path_beg -i /gauges
    use_backend Grafana if acl_home acl_gauges


backend Grafana
    # health checking is DISABLED
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    acl acl_5ae5eeecbbf009.46818008 hdr(host) -i home.my.com
    reqirep ^([^\ :]*)\ /gauges/(.*)     \1\ /\2
    http-request add-header X-Forwarded-For %[src]
    reqirep ^Host:\ home.my.com   Host:\ grafana.intranet:3000

    acl hdr_location res.hdr(Location) -m found
    rspirep ^Location:\ (https?://home.my.com(:[0-9]+)?)?/gauges(/.*) Location:\ /\3 if hdr_location
    rspirep ^

    http-request add-header X-Forwarded-For %[src] if acl_5ae5eeecbbf009.46818008
    server grafana grafana.intranet:3000

backend nextcloud_bep
    # health check: http_check
    option httpchk OPTIONS / HTTP/1.0
    mode http
    balance source
    # stickiness
    stick-table type ip size 50k expire 30m
    stick on src
    # tuning options
    timeout connect 30s
    timeout server 30s
    server nextcloud nc.intranet:8090 check inter 2s

Title: Re: haproxy reqirep rules for path rewrite?
Post by: ikkeT on May 06, 2018, 11:37:01 pm
Pheeew... finally it's all coming together. The key was to make one frontend for 0.0.0.0:443 and then add rules there to point to different backends, not several frontends for 0.0.0.0:443.

And to replace parts of the paths, one needs to create a rule with the pass-through option, like this:

Code: [Select]
    # ACTION: foobar_away
    http-request set-uri %[path,regsub(/bar/,/)] if acl_5aef6814c09b63.87584580


and have that in the backend pool rules. I couldn't find another way to add it than the pass-through option for a rule.
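As an added example (not the poster's config and not what the OPNsense plugin generates), here are the three routing cases from the May 06 post as one 0.0.0.0:443 frontend plus backends that do the path and Host rewrite the thread is after; the backend lines are what would go into pass-through rules. It assumes HAProxy 1.6 or newer (for set-path, regsub and replace-header); hostnames, ports and the crt-list path are placeholders. It uses set-path rather than the thread's set-uri %[path,...] form, because path carries no query string and set-uri would therefore drop ?stuff=1, and it anchors the regex so only the leading /bar prefix is touched.

```haproxy
# Added example, not the poster's config. Hostnames, ports and the
# crt-list path are placeholders; needs HAProxy 1.6+ for set-path,
# regsub and replace-header.
frontend default_ssl
    bind 0.0.0.0:443 ssl crt-list /var/etc/haproxy/ssl/EXAMPLE.crtlist
    mode http
    # 1. https://foo.com/      -> foo.intranet:80/
    # 2. https://foo.com/bar   -> bar.intranet:3000/
    # 3. https://foo22.com/bar -> bar22.intranet:8080/
    acl host_foo   hdr(host) -i foo.com
    acl host_foo22 hdr(host) -i foo22.com
    # exactly /bar, or anything under /bar/ (but not /barbaz)
    acl path_bar   path     -i /bar
    acl path_bar   path_beg -i /bar/
    # most specific rule first; the last line is the catch-all for foo.com
    use_backend bar22_bep if host_foo22 path_bar
    use_backend bar_bep   if host_foo   path_bar
    use_backend foo_bep   if host_foo

backend foo_bep
    mode http
    http-request set-header X-Forwarded-For %[src]
    server foo foo.intranet:80

backend bar_bep
    mode http
    # Strip the /bar prefix. set-path keeps the query string; the
    # "set-uri %[path,...]" form from the thread drops "?stuff=1".
    http-request set-path / if { path -i /bar }
    http-request set-path %[path,regsub(^/bar/,/)]
    http-request set-header Host bar.intranet:3000
    http-request set-header X-Forwarded-For %[src]
    # Reverse rewrite of redirects so the browser stays under /bar
    http-response replace-header Location ^https?://bar\.intranet(:3000)?/(.*) https://foo.com/bar/\2
    http-response replace-header Location ^/(.*) /bar/\1
    # and of cookie paths, so cookies are not scoped to / on foo.com
    http-response replace-header Set-Cookie ^(.*)\ Path=/(.*) \1\ Path=/bar/\2
    server bar bar.intranet:3000

backend bar22_bep
    mode http
    http-request set-path / if { path -i /bar }
    http-request set-path %[path,regsub(^/bar/,/)]
    http-request set-header Host bar22.intranet:8080
    http-request set-header X-Forwarded-For %[src]
    http-response replace-header Location ^/(.*) /bar/\1
    server bar22 bar22.intranet:8080
```

Check the result with `haproxy -c -f haproxy.cfg` before reloading; a Location header the backend emits as an absolute URL for a host other than its own will still pass through unchanged.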