-
-
Save xelwarto/ac4f8b43e4194355082c to your computer and use it in GitHub Desktop.
global | |
chroot /var/lib/haproxy | |
crt-base /etc/pki/tls/certs | |
daemon | |
group haproxy | |
log 127.0.0.1 local0 | |
maxconn 2000 | |
pidfile /var/run/haproxy.pid | |
stats socket /var/lib/haproxy/stats | |
tune.ssl.default-dh-param 2048 | |
user haproxy | |
defaults | |
log global | |
maxconn 2000 | |
mode http | |
option redispatch | |
option forwardfor | |
option http-server-close | |
retries 3 | |
timeout http-request 10s | |
timeout queue 1m | |
timeout connect 10s | |
timeout client 1m | |
timeout server 1m | |
timeout check 10s | |
frontend jenkins | |
bind *:443 no-sslv3 ssl crt jenkins-ci.cert | |
bind *:80 | |
default_backend jenkins-mstr | |
redirect location https://jenkins.my.domain/ if !{ ssl_fc } | |
reqadd X-Forwarded-Proto:\ http | |
backend jenkins-mstr | |
balance roundrobin | |
http-request set-header Host 127.0.0.1:8080 | |
reqirep ^([^\ \t:]*:)\ https://jenkins.my.domain/(.*) \1\ http://127.0.0.1:8080/\2 | |
rspirep ^([^\ \t:]*:)\ http://127.0.0.1:8080/(.*) \1\ https://jenkins.my.domain/\2 | |
server jenkins01 127.0.0.1:8080 check |
Works great. Thanks.
Thanks a lot! Works great.
I think it would be more scalable to just add the 'X-Forwarded-Proto' in backend,for instance:
backend jenkins_server
http-request set-header Host 127.0.0.1:8080
reqirep ^([^\ \t:]*:)\ https://my.domain/(.*) \1\ http://127.0.0.1:8080/\2
reqadd X-Forwarded-Proto:\ http
rspirep ^([^\ \t:]*:)\ http://127.0.0.1:8080/(.*) \1\ https://my.domain/\2
server local_jenkins 127.0.0.1:8080 check
Thanks works great. FYI in AWS you can retrieve public domain name (if auto assigned on subnet) by running:
wget -q -O - http://169.254.169.254/latest/meta-data/public-hostname
can anyone give any detailed explanation of the whys to this for me? I'm working on doing this same setup but currently I have cloudfront in front of haproxy (because cloudfront can't set X-Forwarded-Proto) (which is only doing http, at this time), and I have jenkins on a different (docker) server than haproxy. So i'm not sure how to translate this config, I don't understand why reqadd X-Forwarded-Proto:\ http
instead of https if things are being accessed as https. I don't understand if the server is returning https urls why we need to translate them back to http. Jenkins is mostly working for me, except when I log in, I see hte login form with the nav to the left, instead of the dashboard. I do also get the warning about the proxy not being set up right, but I'm not sure where this is falling down, which thing does this mean is wrong (sadly the jenkins wiki doesn't seem to document the transformations that need to be accomplished and why, but rather exactly what to do with software X that can do them)
What I came up with so far is this
defaults
mode http
retries 3
timeout connect 120s
timeout client 60s
timeout server 60s
resolvers docker
nameserver dns "127.0.0.11:53"
frontend web
bind *:8080
default_backend jenkins
backend jenkins
cookie SERVERID insert indirect nocache
server jenkins jenkins:8080 check cookie s1 resolvers docker resolve-prefer ipv4
acl h_cfp_exists req.hdr(CloudFront-Forwarded-Proto) -m found
acl response-is-redirect res.hdr(Location) -m found
http-request set-header X-Forwarded-Proto https if h_cfp_exists
http-response replace-value Location ^http:\/\/(.*) https://\2 if response-is-redirect```
These configurations dont work in haproxy 2.5 version. Any help?
I would as well appreciate a sample configuration for HAProxy 2.2
@MAnasKhalid and @persus - I appreciate your feedback, however it has been a long while since I have worked with this and if this config is no longer relevant, I may just remove it. I am not sure if I will have the time but I may try to replicate the issue you reported; can you provide details on your setup ... software versions, setup, configurations, etc.
I'm running HAProxy 2.2 on a Debian 11 server as reverse proxy (HA-Proxy version 2.2.9-2+deb11u3 2022/03/10).
Behind it I'm running Jenkins 2.332.3 on another Debian 11 server.
The goal is to get Jenkins accessible via a subdomain (e.g. https://jenkins.example.com).
The SSL-configuraiton is valid since it works for other services quite well.
This is my standard frontend config of HAProxy
frontend https
# Binds
bind *:80
bind *:443 ssl crt /etc/ssl/private/example.com.cert.pem
redirect scheme https code 301 if !{ ssl_fc }
# Mode
mode http
option http-server-close
http-request set-header X-Forwarded-For %[src]
use_backend jenkins_srvc if { hdr(host) -i jenkins.example.com }
And now I'm struggling to get the backend configuration working
Thank you very much in advance
Oh I found it. Here is the proper backend configuration for the frontend configuration I posted above:
backend jenkins_srvc
option forwardfor
mode http
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
http-request set-header X-Forwarded-Host %[req.hdr(Host)]
server cicd01 10.1.1.39:8080 check
There are many examples of how to use Apache as a reverse proxy for Jenkins though examples of using haproxy are limited and not complete ... this is a configuration for haproxy that works well with Jeninks.
This haproxy configuration fixes proxy issues reported in Jenkins setup: https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+says+my+reverse+proxy+setup+is+broken