我非常熟悉HTTP协议和一些HAProxy,但我以前从未真正搞砸过URL重写和重定向。现在,我有两个“简单的”HTTP重定向需求,我一直很难弄清楚。
https://appserver.example.com
重定向到https://appserver.example.com/myapp/webapp/?auth=saml
,以将用户指向saml
登录页面。https://appserver.example.com/?auth=standard
重定向到https://appserver.example.com/myapp/webapp/?auth=standard
第一项规定运作良好:
myuser:~ myuser$ curl -I https://appserver.example.com
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://appserver.example.com/myapp/webapp/?auth=saml
Connection: close
myuser:~ myuser$
但是我很难理解如何实现#2,正如我所想的,关键是添加一个acl
,然后在匹配acl
时添加另一个http-request redirect prefix
行。
acl is_auth_std path /?auth=standard
http-request redirect prefix /myapp/webapp/?auth=standard code 301 if is_auth_std
但显然这还不够。/?auth=standard
仍然重定向到假定的根URL:
myuser:~ myuser$ curl -I https://appserver.example.com/?auth=standard
HTTP/1.1 301 Moved Permanently
Content-length: 0
Location: https://appserver.example.com/myapp/webapp/?auth=saml
Connection: close
myuser:~ myuser$
以下是我的haproxy.cfg
文件的相关部分:
frontend myapp443-in
mode http
bind *:443 ssl crt /etc/haproxy/ssl/myapp.pem
default_backend myapp443-out
option forwardfor
timeout client 60m
timeout http-keep-alive 10s
timeout http-request 5s
timeout tarpit 60s
acl is_websocket path_beg /myapp/webapp/
acl is_websocket hdr(Upgrade) -i WebSocket
acl is_websocket hdr_beg(Host) -i ws
acl is_root path /
capture request header Host len 64
http-request redirect scheme https code 301 if !{ ssl_fc }
http-request redirect code 301 location https://%[hdr(host)]/myapp/webapp/?auth=saml if is_root
acl is_auth_std path /?auth=standard
http-request redirect prefix /myapp/webapp/?auth=standard code 301 if is_auth_std
backend myapp443-out
cookie SRVID insert indirect nocache maxidle 30m maxlife 1h
option forwardfor
balance leastconn
option ssl-hello-chk
option httpchk GET /myapp/webapp/img/favicon.ico
http-check expect status 200
default-server inter 1s downinter 3s rise 15 fall 15
timeout check 1s
timeout server 60s
timeout tunnel 3600s
timeout queue 30s
timeout connect 5s
http-request add-header X-Forwarded-Proto https if { ssl_fc }
redirect scheme https if !{ ssl_fc }
http-response add-header Strict-Transport-Security max-age=31536000;\ includeSubdomains
http-response add-header X-Content-Type-Options nosniff
http-response add-header X-XSS-Protection 1;\ mode=block
http-response add-header Referrer-Policy no-referrer
http-response add-header Feature-Policy accelerometer\ 'none';\ ambient-light-sensor\ 'none';\ autoplay\ 'none';\ camera\ 'none';\ display-capture\ 'none';\ document-domain\ 'none';\ fullscreen\ 'none';\ execution-while-not-rendered\ 'none';\ execution-while-out-of-viewport\ 'none';\ gyroscope\ 'none';\ magnetometer\ 'none';\ microphone\ 'none';\ midi\ 'none';\ payment\ 'none';\ picture-in-picture\ 'none';\ publickey-credentials\ 'none';\ sync-xhr\ 'none';\ usb\ 'none';\ wake-lock\ 'none'
server appserver-01 appserver-01:8443 weight 5 check ssl verify none cookie s1
server appserver-02 appserver-02:8443 weight 5 check ssl verify none cookie s1
知道我错过了什么吗?
谢谢。
发布于 2020-06-04 13:42:00
您需要使用param来匹配查询字符串中的参数。
frontend myapp443-in
mode http
bind *:443 ssl crt /etc/haproxy/ssl/myapp.pem
option forwardfor
timeout client 60m
timeout http-keep-alive 10s
timeout http-request 5s
timeout tarpit 60s
# if not https => redirect, no need to check acls
http-request redirect scheme https code 301 if !{ ssl_fc }
acl is_websocket path_beg /myapp/webapp/
acl is_websocket hdr(Upgrade) -i WebSocket
acl is_websocket hdr_beg(Host) -i ws
acl is_root path /
acl is_not_auth_std url_param(auth) ! standard
acl is_not_auth_saml url_param(auth) ! saml
capture request header Host len 64
http-request redirect code 301 location https://%[hdr(host)]/myapp/webapp/?auth=standard if is_not_auth_std is_not_auth_saml
http-request redirect code 301 location https://%[hdr(host)]/myapp/webapp/?auth=saml if is_root
default_backend myapp443-out
重定向前缀附加一个您可能不想要的/
https://stackoverflow.com/questions/62195394
复制