通过haproxy进行的JAX-WS Web服务调用引发错误411长度要求

时间:2018-09-10 19:45:27

标签: jax-ws haproxy http-proxy chunked transfer-encoding

我必须将本地服务重新定位到另一个IP地址,并添加了HAproxy来处理请求。 我的问题是我的客户端尝试使用Transfer-encoding:分块发送请求。如果使用此设置,则会收到错误411。 HAProxy在SSL终止模式下工作。 如果客户端(在JAX-WS客户端和HAproxy之间)没有使用代理,则连接正常,但是如果它们之间没有代理,则连接失败,错误411。 我有两个不同的客户。其中一个使用McAfee Web Gateway,另一个使用Squid 2.7。两个代理都需要认证。 我尝试了不同版本的HAProxy,Tomcat,JRE,但没有成功。

场景看起来像这样。

**Old config:**

JAX-WS client request 
   |
( Proxy ) 
   |
router with public ip (port 8442 for http and 8443 for https)
   |
NATed JAX-WS endpoint running in Tomcat container 192.168.1.242:8080

**New config:**

  JAX-WS client request 
       |
(Proxy with or without authentication)
       |
  Router with public ip 
       | 
       | 
|----------- IPSec tunnel-----------------------------------------------------|
| 192.168.91.246                  192.168.1.242:8080                          |
| HAProxy (NATed) --------------- JAX-WS endpoint running in tomcat container |
|-----------------------------------------------------------------------------|


**A failed POST request:**

POST /ddc/ddcService HTTP/1.1
Accept: text/xml, multipart/related
Authorization: Basic xxxxxxxxxxxxxxxxxxxxxxx=
Content-Type: multipart/related;start="<rootpart*b440d52f-dee1-4735-9ff5-6093fa9d774b@example.jaxws.sun.com>";type="application/xop+xml";boundary="uuid:b440d52f-dee1-4735-9ff5-6093fa9d774b";start-info="text/xml"
SOAPAction: ""
User-Agent: JAX-WS RI 2.2.6-1b01  svn-revision#13094
Host: ddc.zzzz.com
Proxy-Connection: keep-alive
Transfer-Encoding: chunked



**HAproxy config:**

global
    log /dev/log    local0
    log /dev/log    local1 notice info
    debug
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    stats bind-process 7
    user haproxy
    group haproxy
    daemon
    nbproc 7
    tune.bufsize 32768
    tune.ssl.default-dh-param 2048
    ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode    http
    bind-process 3
    option  httplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    option  httpclose
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
    option forwardfor except 127.0.0.1
    option tcp-smart-connect


frontend incoming

    bind *:8080 name http
    bind *:4443 ssl  crt /etc/letsencrypt/live/ddc.xxx.com/fullchain.pem.bundle 
    option forwardfor header X-Real-IP
    use_backend  ddc if ddc

backend ddc
    option forwardfor
    mode http
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request replace-header Host ^(.*?)(:[0-9]+)?$ \1
    server ddc 192.168.1.242:8080 check port 8080


0 个答案:

没有答案