use_backend seems to get prio…? #2

Closed
hedefalk opened this Issue Dec 29, 2015 · 6 comments

hedefalk commented Dec 29, 2015

I'm back at trying to set up letsencrypt how I want it. The issue I'm having now is that for the only site I'm allowing http I'm using "use_backend" on the same frontend as the plugin is used. But that seems to interfere with this plugin and gets prio. So for the below http config, there's no problem for the redirected subdomains, but blog.woodenstake.se fails:

frontend http
    mode http
    bind *:80
    option httplog

    stats enable
    stats hide-version
    stats realm Haproxy\ Statistics
    stats uri /haproxy
    stats auth viktor:8203101418

    # Letsencrypt: https://github.com/janeczku/haproxy-acme-validation-plugin
    acl url_acme_http01 path_beg /.well-known/acme-challenge/
    http-request use-service lua.acme-http01 if METH_GET url_acme_http01

    redirect scheme https code 301 if { hdr(Host) -i repo.woodenstake.se } !{ ssl_fc }
    redirect scheme https code 301 if { hdr(Host) -i jenkins.woodenstake.se } !{ ssl_fc }

    use_backend ghost if { hdr(host) -i blog.woodenstake.se }

Running with virtualenv: /home/viktor/.local/share/letsencrypt/bin/letsencrypt certonly --text --webroot --webroot-path /var/lib/haproxy --renew-by-default --agree-tos --email hedefalk@gmail.com -d jenkins.woodenstake.se -d jenkins-nas.woodenstake.se -d repo.woodenstake.se -d blog.woodenstake.se -d transmission.woodenstake.se -d uniplybeta.woodenstake.se -d crm.woodenstake.se --test-cert --break-my-certs
Failed authorization procedure. blog.woodenstake.se (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://blog.woodenstake.se/.well-known/acme-challenge/Y4CpPlqq14aONp7Wr6nXcHR2ZGa_3dEtWf49GEzdank [89.253.88.3]: 400

Any idea?

hedefalk commented Dec 29, 2015

So to be clear: commenting out use_backend ghost if { hdr(host) -i blog.woodenstake.se } validation goes through.

hedefalk commented Dec 29, 2015

Oh, I could just make a conjunctive acl:

    acl url_acme_challenge path_beg /.well-known/acme-challenge/
    http-request use-service lua.acme-http01 if METH_GET url_acme_challenge

    redirect scheme https code 301 if { hdr(Host) -i repo.woodenstake.se } !{ ssl_fc }
    redirect scheme https code 301 if { hdr(Host) -i jenkins.woodenstake.se } !{ ssl_fc }

    acl host_blog hdr(host) -i blog.woodenstake.se

    use_backend ghost if host_blog !url_acme_challenge

Still struggling with haproxys config language :)

@hedefalk hedefalk closed this Dec 29, 2015

hedefalk commented Dec 29, 2015

But I wonder why the redirects don't bite here though? The validation works for those domains too…

janeczku (Owner) commented Dec 29, 2015

@hedefalk
The use_backend taking precedence over http-request use-service is very likely a HAProxy bug worth reporting on the HAProxy mailing list. Great that you found a workaround though! 😄

Still struggling with haproxys config language :)

Totally understandable. HAProxy config has kind of a steep learning curve.

janeczku (Owner) commented Jan 12, 2016

@hedefalk I can't reproduce this on HAProxy 1.6.3. Which version were you using when you encountered this issue? Thanks!


svycka commented Aug 18, 2017

@janeczku I have the same problem, but I do the redirect in a backend like this:

backend accounts_backend
    redirect scheme https if !{ ssl_fc }
....

with HA-Proxy version 1.7.6-1ppa1~xenial 2017/06/18
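A consolidated frontend that applies the negated-ACL guard from hedefalk's workaround to every rule that could capture a challenge request, covering both the frontend use_backend case above and svycka's backend-side redirect. This is an added example, not the plugin's code or either reporter's config; hostnames, backend names and server addresses are placeholders.

```haproxy
# Added example (not from the plugin or from either reporter in this thread).
# One ACL identifies ACME http-01 requests, the plugin's Lua service answers
# them first, and every later rule that could capture such a request
# (redirects, use_backend) is guarded with the negated ACL, so a challenge is
# never redirected to HTTPS or routed into a backend that redirects on its own.
frontend http
    mode http
    bind *:80
    option httplog

    # Requests for http-01 challenge tokens
    acl url_acme_challenge path_beg /.well-known/acme-challenge/

    # Answer challenges from the plugin's Lua service before anything else
    http-request use-service lua.acme-http01 if METH_GET url_acme_challenge

    # Hosts forced to HTTPS; the guard keeps challenge requests on plain HTTP,
    # which is what the ACME server expects
    acl host_repo    hdr(host) -i repo.example.com
    acl host_jenkins hdr(host) -i jenkins.example.com
    redirect scheme https code 301 if host_repo    !url_acme_challenge !{ ssl_fc }
    redirect scheme https code 301 if host_jenkins !url_acme_challenge !{ ssl_fc }

    # The one host served over HTTP; guard the backend switch as well, since
    # this is the rule the original report found taking precedence
    acl host_blog hdr(host) -i blog.example.com
    use_backend ghost if host_blog !url_acme_challenge

    # A backend that redirects to HTTPS itself (the later report): the guard
    # on use_backend is what keeps challenge requests away from that redirect
    acl host_accounts hdr(host) -i accounts.example.com
    use_backend accounts_backend if host_accounts !url_acme_challenge

backend accounts_backend
    redirect scheme https if !{ ssl_fc }
    server app1 127.0.0.1:8080

backend ghost
    server ghost1 127.0.0.1:2368
```

After reloading, a plain-HTTP GET of /.well-known/acme-challenge/ on each host should come back from the Lua service with no Location header; a 301 or a backend response there means one rule is still unguarded.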
