我对HTTP协议和HAProxy有点熟悉,但是我以前从未真正搞过URL重写和重定向。现在,我有2个“简单的” HTTP重定向要求,这些要求我很难解决。
https://appserver.example.com应该重定向到https://appserver.example.com/myapp/webapp/?auth=saml,以将用户指向saml登录页面。https://appserver.example.com/?auth=standard应该重定向到https://appserver.example.com/myapp/webapp/?auth=standard 要求1正常运行:
myuser:~ myuser$ curl -I https://appserver.example.com
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://appserver.example.com/myapp/webapp/?auth=saml
Connection: close
myuser:~ myuser$
但是我在实现#2方面遇到了困难。如我所想,此操作的关键是添加一个acl,然后在匹配http-request redirect prefix时添加另外一个acl行。
acl is_auth_std path /?auth=standard
http-request redirect prefix /myapp/webapp/?auth=standard code 301 if is_auth_std
但是显然这还不够。 /?auth=standard仍重定向到假定的根URL:
myuser:~ myuser$ curl -I https://appserver.example.com/?auth=standard
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://appserver.example.com/myapp/webapp/?auth=saml
Connection: close
myuser:~ myuser$
这些是我的haproxy.cfg文件的相关部分:
frontend myapp443-in
mode http
bind *:443 ssl crt /etc/haproxy/ssl/myapp.pem
default_backend myapp443-out
option forwardfor
timeout client 60m
timeout http-keep-alive 10s
timeout http-request 5s
timeout tarpit 60s
acl is_websocket path_beg /myapp/webapp/
acl is_websocket hdr(Upgrade) -i WebSocket
acl is_websocket hdr_beg(Host) -i ws
acl is_root path /
capture request header Host len 64
http-request redirect scheme https code 301 if !{ ssl_fc }
http-request redirect code 301 location https://%[hdr(host)]/myapp/webapp/?auth=saml if is_root
acl is_auth_std path /?auth=standard
http-request redirect prefix /myapp/webapp/?auth=standard code 301 if is_auth_std
backend myapp443-out
cookie SRVID insert indirect nocache maxidle 30m maxlife 1h
option forwardfor
balance leastconn
option ssl-hello-chk
option httpchk GET /myapp/webapp/img/favicon.ico
http-check expect status 200
default-server inter 1s downinter 3s rise 15 fall 15
timeout check 1s
timeout server 60s
timeout tunnel 3600s
timeout queue 30s
timeout connect 5s
http-request add-header X-Forwarded-Proto https if { ssl_fc }
redirect scheme https if !{ ssl_fc }
http-response add-header Strict-Transport-Security max-age=31536000;\ includeSubdomains
http-response add-header X-Content-Type-Options nosniff
http-response add-header X-XSS-Protection 1;\ mode=block
http-response add-header Referrer-Policy no-referrer
http-response add-header Feature-Policy accelerometer\ 'none';\ ambient-light-sensor\ 'none';\ autoplay\ 'none';\ camera\ 'none';\ display-capture\ 'none';\ document-domain\ 'none';\ fullscreen\ 'none';\ execution-while-not-rendered\ 'none';\ execution-while-out-of-viewport\ 'none';\ gyroscope\ 'none';\ magnetometer\ 'none';\ microphone\ 'none';\ midi\ 'none';\ payment\ 'none';\ picture-in-picture\ 'none';\ publickey-credentials\ 'none';\ sync-xhr\ 'none';\ usb\ 'none';\ wake-lock\ 'none'
server appserver-01 appserver-01:8443 weight 5 check ssl verify none cookie s1
server appserver-02 appserver-02:8443 weight 5 check ssl verify none cookie s1
有什么想法我想念的吗?
谢谢。
答案 0 :(得分:1)
您将需要使用url_param来匹配查询字符串中的参数。
frontend myapp443-in
mode http
bind *:443 ssl crt /etc/haproxy/ssl/myapp.pem
option forwardfor
timeout client 60m
timeout http-keep-alive 10s
timeout http-request 5s
timeout tarpit 60s
# if not https => redirect, no need to check acls
http-request redirect scheme https code 301 if !{ ssl_fc }
acl is_websocket path_beg /myapp/webapp/
acl is_websocket hdr(Upgrade) -i WebSocket
acl is_websocket hdr_beg(Host) -i ws
acl is_root path /
acl is_not_auth_std url_param(auth) ! standard
acl is_not_auth_saml url_param(auth) ! saml
capture request header Host len 64
http-request redirect code 301 location https://%[hdr(host)]/myapp/webapp/?auth=standard if is_not_auth_std is_not_auth_saml
http-request redirect code 301 location https://%[hdr(host)]/myapp/webapp/?auth=saml if is_root
default_backend myapp443-out
redirect prefix附加您可能不想要的/