How do you Mask URLs in HAProxy?

Question

Is there any way to do URL masking in HAProxy? I'd like to have a URL directing to my load balancer, i.e. www.example.com, redirect to another URL I have for another application. However, I'd like the user's browser to still display the original URL, (www.example.com). How would I go about this?

Why not just change where the DNS entry for `www.example.com` points? — GregL, Jun 16 '15 at 14:36
Thanks for the suggestion, but this will not work for our scenario. I should have been clearer. We need to redirect source domain.com to destination domain2.com/path using a load balancer (ADC), so we can't do this with DNS. But during this process we need the client browser to always show the source domain.com. Any other suggestions? — Grant, Jun 16 '15 at 14:51
Ah, well then that's a little different. You can certainly do it with HAProxy, but you'd need to point the DNS entries for `domain.com` to it, and then pass the requests to a backend for `domain2.com`. — GregL, Jun 16 '15 at 16:17
Thanks GregL, can you provide an example? Domain.com already points to the HAProxy. Domain2.com points to a different load balancer (we can't add Domain.com to it) and both domains need to exist on their own (one is not replacing the other), but Domain.com just needs to redirect to a path on Domain2.com. — Grant, Jun 16 '15 at 18:13
Based on your question, you don't want a redirect (that would change the URL in the address bar). You want to serve up `domain2.com/path` as though it were `domain.com` right? — GregL, Jun 16 '15 at 18:19
We do want a redirect. Address Bar URL should always say domain.com when going through the HAProxy. Path served up will look like domain.com/path, but on the backend it will be one of the servers behind domain2.com/path. — Grant, Jun 16 '15 at 19:41
Instead of doing URL masking, we realized we could do this easier by just doing a redirect on the backend when sending to a backend server. I will create a new Answer to show the code. — Grant, Jun 18 '15 at 16:53

score 0 · Answer 1 · answered Jun 16 '15 at 18:35

0

You can probably do this using reqrep.

frontend FE
  bind 10.10.10.10:80
  mode http

  acl is_domain.com hdr(host) -i domain.com
  use_backend BE:domain.com if is_domain.com

backend BE:domain.com
  mode http
  reqrep ^([^\ ]*)\ (.*) \1\ /path/\2
  server domain2.com:80

Though, you should probably put the IP that domain2.com resolves to in the server line so that you don't end up with weird behaviour.

answered Jun 16 '15 at 18:35

GregL

9,030
2
24
35

Thanks. We setup this configuration and we're getting directed to domain2.com/path, but the original domain.com name is not being retained. – Grant Jun 16 '15 at 19:50
You might then need to do a similar `rsprep` to fix the response headers. – GregL Jun 16 '15 at 21:31
Should the format look like the following, because it's not working and HAProxy document also says "req* statements are applied... before "use_backend" in order to permit rewriting before switching." which tells me that the "req*" statements are applied in the backend before "use_backend" is even run in the front end section, which doesn't seem logical to me. backend BE:domain.com reqirep ^([^\ ]*)\ (.*) \1\ /webapp/\2 rspirep ^([^\ ]*)\ (.*) \1\ /webapp/\2 server domain2.com:80 – Grant Jun 16 '15 at 22:04
I'd have to test it out. What happens if you leave the `reqrep` out of it? Do you get the `domain2.com` page as expected? – GregL Jun 16 '15 at 22:19
When 'reqrep' is commented out, I still get domain2.com, but I was getting that with 'regrep'. I wonder if something could be happening on the Apache2 side that's persisting domain2.com as we directly pass http://domain2.com to port 80 on its load balancer, but it redirects to https://domain2.com, which is also passed straight through the load balancer to port 443. With http://domain.com I'm also getting "502 Bad Gateway" (I think because of the redirect), but with https://domain.com I can at least load https://domain2.com without issue. Thanks – Grant Jun 17 '15 at 04:58
With `reqrep` commented out, you should be getting `domain2.com`'s content while the address bar in the browser remains as `domain.com`. Unless of course a redirect is happening somewhere along the line that causes the browser to go directly to `domain2.com`. Have you tried using something like Wireshark or the developper tools in a browser to see what's happening during the browsing session? – GregL Jun 17 '15 at 11:50
Still doesn't work. Instead HAProxy just needs to add the path I want to domain.com and send that traffic to a backend server, which simplifies what the user was requesting. Problem is, I'm not able to get this working either. IE says "This page can't be displayed". http frontend runs "acl is_test.domain.com hdr(host) -i test.domain.com" and then "use_backend Domain.com if is_test.domain.com". https frontend runs "use_backend Domain.com if { ssl_fc_sni -i test.domain.com }". Backend is "timeout server 600000, balance roundrobin, server SERVERNAME 172.16.1.1:80 check". Is anything wrong? – Grant Jun 17 '15 at 15:33
Chrome is reporting a redirect loop. Browser Developer Tools are just showing me the page that results which doesn't appear to have much unless I need to look at a specific Developer Tools section. Trying to figure out how to use Wireshark for this issue. – Grant Jun 17 '15 at 16:16
I went through the HAProxy config file and made sure everything was set properly and re-enabled the "reqrep" line and we're now getting directed to the web page, except we don't see the path in the Browser Address Bar, but we do see "test1.domain.com/#/". Any ideas? For Wireshark I see the public IP of the load balancer and when I right-click that and select "Follow TCP stream", I only show 9 packets and only 1 has a "Hypertext Transfer Protocol" section and is only showing an attempt to load an image (not sure if this is an error, but I see 2 images not loading, although other images load). – Grant Jun 17 '15 at 16:54
Can you update the original question with your current configs and all the most specific details about the environment; I'm having a hard time reading and following where things are at in the comments. The tab that I was thinking of in Chrome's Developer Tools is *Network*, where you can see each resource being requested, along with both request and response headers. It will let you see what's happening, at least between the browser and HAProxy. – GregL Jun 17 '15 at 18:00

score 0 · Accepted Answer · answered Jun 18 '15 at 17:07

Instead of doing URL masking, we realized we could do this easier by just doing a redirect on the backend when sending to a backend server. I don't know if this is ideal, but it accomplished our objective so-far. Here's the code:

frontend http_in

    ...
    acl is_test1.domain.com hdr(host) -i test1.domain.com                                        # Host & Domain only check.
    acl is_path_null path /                                                                                        # No path check
    use_backend domain.com.nopath if is_test1.domain.com is_path_null                   # If Host & Domain matches and path is null.
    use_backend domain.com.path if is_test1.domain.com !is_path_null                      # If Host & Domain matches and path is not null.

frontend https_in

    ...
    acl is_path_null path /                                                                                        # No path check
    use_backend domain.com.nopath if { ssl_fc_sni -i test1.domain.com } is_path_null # If Host & Domain matches and path is null.
    use_backend domain.com.path if { ssl_fc_sni -i test1.domain.com } !is_path_null    # If Host & Domain matches and path is not null.

backend domain.com.nopath

    ...
    server SERVER IP#:80 redir https://test1.domain.com/webapp check

backend domain.com.path

    ...
    server SERVER IP#:80 check

How do you Mask URLs in HAProxy?

2 Answers2