How do you Mask URLs in HAProxy?
Instead of doing URL masking, we realized we could do this easier by just doing a redirect on the backend when sending to a backend server. I don't know if this is ideal, but it accomplished our objective so far. Here's the code:
    frontend http_in
        ...
        acl is_test1.domain.com hdr(host) -i test1.domain.com # Host & Domain only check.
        acl is_path_null path / # No path check
        use_backend domain.com.nopath if is_test1.domain.com is_path_null # If Host & Domain matches and path is null.
        use_backend domain.com.path if is_test1.domain.com !is_path_null # If Host & Domain matches and path is not null.

    frontend https_in
        ...
        acl is_path_null path / # No path check
        use_backend domain.com.nopath if { ssl_fc_sni -i test1.domain.com } is_path_null # If Host & Domain matches and path is null.
        use_backend domain.com.path if { ssl_fc_sni -i test1.domain.com } !is_path_null # If Host & Domain matches and path is not null.

    backend domain.com.nopath
        ...
        server SERVER IP#:80 redir https://test1.domain.com/webapp check

    backend domain.com.path
        ...
        server SERVER IP#:80 check
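
For comparison with the redirect above, this added example (not part of the original answer or thread) sketches the masking the question asks for: HAProxy rewrites the request on its way to the upstream and rewrites upstream redirects on the way back, so the browser stays on domain.com. The hostnames and /webapp are the thread's; the backend name, server address and CA bundle path are placeholders, and HAProxy 1.6 or later is assumed.

```haproxy
# Added example: reverse-proxy "masking" instead of a redirect.
# Placeholders: be_masked, 192.0.2.10, the ca-file path.
frontend http_in
    mode http
    bind :80
    use_backend be_masked if { hdr(host) -i domain.com }

backend be_masked
    mode http
    # The upstream selects its site by Host, so send the name it serves.
    # The browser never sees this header; its address bar stays on domain.com.
    http-request set-header Host domain2.com
    # domain.com/<path> is served from domain2.com/webapp/<path>. Requests that
    # already carry the prefix (absolute links emitted by the application)
    # are passed through unchanged.
    http-request set-path /webapp%[path] unless { path_beg /webapp/ }
    # Redirects issued by the upstream name domain2.com; map them back so the
    # client is not sent to the upstream host.
    http-response replace-header Location ^https?://domain2[.]com/webapp(.*)$ http://domain.com\1
    # The upstream described in the comments redirects port 80 to 443, so
    # connect over TLS and verify the certificate against the expected name.
    server upstream 192.0.2.10:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt verifyhost domain2.com sni str(domain2.com) check
```

The `reqrep` and `rsprep` family used in the comments was removed in HAProxy 2.1; `http-request` and `http-response` rules are their replacements.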
Comments
-
Grant over 1 year
Is there any way to do URL masking in HAProxy? I'd like to have a URL directing to my load balancer, i.e. www.example.com, redirect to another URL I have for another application. However, I'd like the user's browser to still display the original URL, (www.example.com). How would I go about this?
-
GregL almost 9 years
Why not just change where the DNS entry for www.example.com points?
-
Grant almost 9 years
Thanks for the suggestion, but this will not work for our scenario. I should have been clearer. We need to redirect source domain.com to destination domain2.com/path using a load balancer (ADC), so we can't do this with DNS. But during this process we need the client browser to always show the source domain.com. Any other suggestions?
-
GregL almost 9 years
Ah, well then that's a little different. You can certainly do it with HAProxy, but you'd need to point the DNS entries for domain.com to it, and then pass the requests to a backend for domain2.com.
-
Grant almost 9 years
Thanks GregL, can you provide an example? Domain.com already points to the HAProxy. Domain2.com points to a different load balancer (we can't add Domain.com to it) and both domains need to exist on their own (one is not replacing the other), but Domain.com just needs to redirect to a path on Domain2.com.
-
GregL almost 9 years
Based on your question, you don't want a redirect (that would change the URL in the address bar). You want to serve up domain2.com/path as though it were domain.com, right?
-
Grant almost 9 years
We do want a redirect. Address Bar URL should always say domain.com when going through the HAProxy. Path served up will look like domain.com/path, but on the backend it will be one of the servers behind domain2.com/path.
-
Grant almost 9 years
Instead of doing URL masking, we realized we could do this easier by just doing a redirect on the backend when sending to a backend server. I will create a new Answer to show the code.
-
-
Grant almost 9 years
Thanks. We set up this configuration and we're getting directed to domain2.com/path, but the original domain.com name is not being retained.
-
GregL almost 9 years
You might then need to do a similar rsprep to fix the response headers.
-
Grant almost 9 years
Should the format look like the following, because it's not working and HAProxy document also says "req* statements are applied... before "use_backend" in order to permit rewriting before switching." which tells me that the "req*" statements are applied in the backend before "use_backend" is even run in the front end section, which doesn't seem logical to me.
    backend BE:domain.com
        reqirep ^([^\ ]*)\ (.*) \1\ /webapp/\2
        rspirep ^([^\ ]*)\ (.*) \1\ /webapp/\2
        server domain2.com:80
-
GregL almost 9 years
I'd have to test it out. What happens if you leave the reqrep out of it? Do you get the domain2.com page as expected?
-
Grant almost 9 years
When 'reqrep' is commented out, I still get domain2.com, but I was getting that with 'reqrep'. I wonder if something could be happening on the Apache2 side that's persisting domain2.com as we directly pass domain2.com to port 80 on its load balancer, but it redirects to domain2.com, which is also passed straight through the load balancer to port 443. With domain.com I'm also getting "502 Bad Gateway" (I think because of the redirect), but with domain.com I can at least load domain2.com without issue. Thanks
-
Grant almost 9 years
Still doesn't work. Instead HAProxy just needs to add the path I want to domain.com and send that traffic to a backend server, which simplifies what the user was requesting. Problem is, I'm not able to get this working either. IE says "This page can't be displayed". http frontend runs "acl is_test.domain.com hdr(host) -i test.domain.com" and then "use_backend Domain.com if is_test.domain.com". https frontend runs "use_backend Domain.com if { ssl_fc_sni -i test.domain.com }". Backend is "timeout server 600000, balance roundrobin, server SERVERNAME 172.16.1.1:80 check". Is anything wrong?
-
Grant almost 9 years
Chrome is reporting a redirect loop. Browser Developer Tools are just showing me the page that results which doesn't appear to have much unless I need to look at a specific Developer Tools section. Trying to figure out how to use Wireshark for this issue.
-
Grant almost 9 years
I went through the HAProxy config file and made sure everything was set properly and re-enabled the "reqrep" line and we're now getting directed to the web page, except we don't see the path in the Browser Address Bar, but we do see "test1.domain.com/#/". Any ideas? For Wireshark I see the public IP of the load balancer and when I right-click that and select "Follow TCP stream", I only show 9 packets and only 1 has a "Hypertext Transfer Protocol" section and is only showing an attempt to load an image (not sure if this is an error, but I see 2 images not loading, although other images load).
-
GregL almost 9 years
Can you update the original question with your current configs and all the most specific details about the environment; I'm having a hard time reading and following where things are at in the comments. The tab that I was thinking of in Chrome's Developer Tools is Network, where you can see each resource being requested, along with both request and response headers. It will let you see what's happening, at least between the browser and HAProxy.