HAProxy dynamic server address based off of header value

haproxynetworkingPROXYreverse-proxy

Hello I'm attempting to route traffic back to a users machine in order to run a site locally but picking up the headers/cookies/routing logic for other origins that HAProxy supplies. Thus far though I have not been able to figure out how to do this. The documentation says that use of environment variables are usable https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#4-server

Any part of the address string may reference any number of
environment variables by preceding their name with a dollar
sign ('$') and optionally enclosing them with braces ('{}'),
similarly to what is done in Bourne shell.

but I would imagine there is a way of using an acl or sample fetch but for the life of me I cannot figure out how to. Below is an example of one thing that I've tried. I have done a proof of concept by removing ${hdr(originalIp)} and using my IP but I want it to dynamically use the requesters IP if the cookie is present

### Sample config
acl has_local_cookie cook_sub(local) -i true
use_backend local    if has_local_cookie
backend local
server local-origin ${hdr(originalIp)}:443 ssl verify none

Best Answer

The problem with what you're trying is that it you're treating the entire configuration as though it were constantly being parsed and interpreted at runtime, which of course is not the case.

Certain arguments to the various directives are static, others dynamic, but server declarations are most definitely static. A server represents exactly one target address, not a different address per request.

You will need to configure a back-end for each developer, or you could put them all in one back-end, backend local with a single server declaration for each developer, server dev-1 192.168.1.1:80 ..., server dev-2 ..., etc.

Then use_backend local if { cook_sub(local) -i true }.

Then in the backend add a use-server to match the server names to the source IP use-server dev-1 if { src 192.168.1.1 } for each developer.

Note that { ... } is an anonymous ACL, a much cleaner (imho) way of testing simple conditions, particularly when the conditions are only evaluated in one place in the config. If you're testing the same condition in multiple places, named ACLs are better because they are only edited in one place, so you don't have to update them in multiple places like you would if you copy-pasted the same anonymous ACL around the config.

Related Solutions

Rewrite request URI based on Host header in HAProxy

You can attempt to do this using the "redirect" option in HAProxy.

redirect prefix http://server1/domains/

However, it is a redirect, so it will not be transparent.

I do not believe HAProxy can rewrite URLs transparently (on their way to the backend servers).

Dynamic Backends with HAProxy

The easiest solution would be just use DNS to map foo.cust.mydomain.example to a specific server IP, as womble suggested. This would skip the entire proxy server. Perhaps this is not possible for you, for example if you do not have public IP addresses for the backend servers.

Directing all requests to one server (with a wildcard DNS) and then forwarding the requests dynamically according to the Host header is a bit more complicated, and it seems HAProxy cannot do this, because every backend server must be explicitly defined in HAProxy configuration.

Nginx, though, is different, with right configuration Nginx can use Host header to choose the backend. Nginx needs a DNS server that maps names to backend addresses, of course.

Here is a small example of the configuration:

server {
    listen 80 default;

    location / {
        # You might need to send some headers to the backend server
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;

        resolver 192.0.2.1; # DNS server IP
        # Forward all requests to the backend server using $http_host
        # (this is the 'Host:' header value)
        proxy_pass http://$http_host$request_uri;
    }
}

This redirects http://myserver.cust.mydomain.example/foo/ to http://myserver.cust.mydomain.example/foo/. Does not seem very helpful at first sight. But if you set up a private DNS server that maps those names to a backend server addresses, the request actually gets forwarded to a correct backend server on a private address.

But, this kind of DNS server setting might not be desired, and could cause problems in some cases. So, with some additions to the Nginx config, we can take another approach:

location / {
    # headers...

    resolver 192.0.2.1;

    # A regex to get the first part (hostname) from the Host header
    if ($http_host ~* "([a-z0-9-]+)(\.[a-z0-9-]+)*") {
        # Save a captured part from the regex to a variable
        set $redirect_hostname $1;
        # Pass the request to a desired backend
        proxy_pass   http://$redirect_hostname.private.mydomain.example$request_uri;
    }
}

Now redirect goes from http://myserver.cust.mydomain.example/foo/ to http://myserver.private.mydomain.example/foo/. The DNS server can hold private addresses under different domain, and proxy_pass directive can be modified to match the desired name server configuration.

I still think this kind of proxying might not be the easiest way to solve the whole picture, but it's one possibility after all. I'm happy if this was of any help.

References: Nginx Wiki, especially HttpProxyModule and HttpRewriteModule

Best Answer

Related Solutions

Rewrite request URI based on Host header in HAProxy

Dynamic Backends with HAProxy

Related Topic