ELB HAproxy and cookies - cookies

I'm using ELB in front of HA-Proxy. Stickiness is disabled on ELB and I have this configuration in HA-Proxy:
backend endpoint
balance leastconn
cookie VALUE insert nocache maxidle 30
I'm using curl to query and I noticed that if I query HA-Proxy directly I get a cookie for each query. However with ELB, I would get a cookie at the first query but not with the next ones; I have to wait a few minutes before it gives me a cookie.
Any idea why?
HA-Proxy version 1.4.18 2011/09/16

Turned out that I needed to ask HA-Proxy to close the connection as soon as possible using option http-server-close or option forceclose.
More information about ELB keepalive can be found here
ELB's HTTP listeners present an HTTP 1.1 endpoint to clients, which means that:
HTTP Keepalive will be enabled by default for an HTTP 1.1 client
HTTP Keepalive will be disabled by default for an HTTP 1.0 client
In either case, the client can explicitly turn keepalive on or off by including the "Connection: keep-alive" or "Connection: close" headers, respectively, in the request.
Source: https://forums.aws.amazon.com/thread.jspa?messageID=200999&#200999
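A config lint for the problem above, as an added example rather than anything from the original post: it flags backend/listen sections that use cookie insertion while no close option (http-server-close, httpclose or forceclose) is in effect, taking a preceding defaults section into account. The sample config and its section names are constructed.

```python
"""Lint an HAProxy config for 'cookie ... insert' without a close mode."""
import re

# Added example, not from the original post.  Without one of these options,
# HAProxy 1.4 only handles the first request on a keep-alive connection.
CLOSE_OPTIONS = {"http-server-close", "httpclose", "forceclose"}

def parse_sections(cfg):
    """Split config text into (kind, name, [directive lines]) tuples."""
    sections = []
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)", line)
        if m:
            sections.append((m.group(1), m.group(2), []))
        elif sections:
            sections[-1][2].append(line)
    return sections

def close_mode(lines):
    """None if no close option appears, else whether the last one is enabled."""
    state = None
    for line in lines:
        m = re.match(r"^(no\s+)?option\s+(\S+)", line)   # 'no option x' disables
        if m and m.group(2) in CLOSE_OPTIONS:
            state = m.group(1) is None
    return state

def find_sticky_without_close(cfg):
    """Backend/listen sections that insert a cookie while connections stay open."""
    flagged, inherited = [], False   # a 'defaults' section applies to later ones
    for kind, name, lines in parse_sections(cfg):
        if kind == "defaults":
            inherited = bool(close_mode(lines))
        elif kind in ("backend", "listen"):
            local = close_mode(lines)
            closes = inherited if local is None else local
            if not closes and any(re.match(r"^cookie\s+\S+\s.*\binsert\b", l) for l in lines):
                flagged.append(name)
    return flagged
# Constructed sample: the poster's backend next to a corrected copy.
SAMPLE_CFG = """backend endpoint
    balance leastconn
    cookie VALUE insert nocache maxidle 30
backend endpoint_fixed
    option http-server-close
    cookie VALUE insert nocache maxidle 30
"""
```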

Related

How to Configure Pfsense HAProxy HTTP HealthCheck Failover

I have two backend web servers, and I need to monitor them using httpcheck by checking the URL and looking for a string to be present in the response of the request. If the string is not available, switch the backend to another server.
Status:
Server1 - Active
Server2 - Backup
Configuration Details:
Health Check Method : HTTP
HTTP Check Method : GET
Url used by http check requests: /jsonp/FreeForm&maxrecords=10&format=XML&ff=223
Http check version : HTTP/1.0\r\nAccept:\ XS01
Result of the http Request is
{"d":{"__type":"Response","Version":"4.5.23.1160","ResultCode":"XS01","ErrorString":"","Results":[{"__type":"Result",
So, I am expecting the string ResultCode":"XS01" in the response from the server. If the string is found, Server1 is up; if not, bring Server2 in from the backup.
How can I achieve this in HAProxy Backend Health Check?
This can be done under Advanced Settings--> Backend Pass thru using the expect string,
http-check expect string XS01

Receiving webhook over https in django development server tunneled using ngrok

I need to test a payment integration, where the payment service sends a webhook when payment is successful. The URL for the webhook must be https://xxx-ngrock.io/paymentNotification. In this case, I cannot change the URL to http. My problem is, I cannot receive this webhook because:
In development mode Django does not allow traffic over https, only over http
I tunnel to my development server using this command ./ngrok http https://localhost:8000 which I guess should forward the https traffic, but I have no way of testing it since the development server does not accept traffic over http in the first place.
Additional comments. Currently the ngrok forwarding map shows both http and https traffic mapped to the internal https traffic that Django does not support for its development server.
ngrok by #inconshreveable (Ctrl+C to quit)
Session Status online
Account JianDk (Plan: Free)
Version 2.3.40
Region United States (us)
Web Interface http://127.0.0.1:4040
Forwarding http://3304-94-147-65-45.ngrok.io -> https://localhost:8000
Forwarding https://3304-94-147-65-45.ngrok.io -> https://localhost:8000
Connections ttl opn rt1 rt5 p50 p90
7 0 0.06 0.02 0.00 0.01
HTTP Requests
-------------
GET /favicon.ico
GET /
GET /favicon.ico
GET /
GET /
GET /favicon.ico
GET /
ngrok will provide one http and one https link for you to tunnel your dev server to.
If I have misunderstood your question, please add a comment!

SECURE flag not appearing for JSESSIONID cookie

Application is deployed on AWS and serves on port 80 and ELB forwards that 80 to 443. Spring security is used for session which creates cookie with secure flag set. When I hit the application host name I could see that secure flag is set as shown below.
curl -I target_hostname
Set-Cookie: JSESSIONID=XXXXXXXX; Path=/; Secure; HttpOnly
But when I directly hit the EC2 IP (using curl) I could see that the secure flag is not set.
curl -I target_ec2_ip
Set-Cookie: JSESSIONID=XXXXXXXX; Path=/; HttpOnly
Why is this happening? Can anyone explain?
I'm going to assume that you terminate SSL at the ELB, and you're contacting the EC2 instance directly via HTTP (port 80). In that case, the following applies:
RFC 6265:
If the cookie's secure-only-flag is true, then the request-uri's scheme must denote a "secure" protocol (as defined by the user agent).
NOTE: The notion of a "secure" protocol is not defined by this document. Typically, user agents consider a protocol secure if the protocol makes use of transport-layer security, such as SSL or TLS.
The MDN doc is more explicit:
Insecure sites (http:) can't set cookies with the "secure" directive anymore (new in Chrome 52+ and Firefox 52+).
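Servlet containers typically add Secure only when they consider the request itself secure, and behind a TLS-terminating ELB every request reaches the instance as plain HTTP on port 80. As an added example (not the poster's Spring setup), this WSGI-style helper derives the client's real scheme from X-Forwarded-Proto and honours that header only when the peer is the load balancer; the trusted address range and the sample environs are constructed.

```python
"""Set the cookie 'Secure' flag from the real client scheme behind a
TLS-terminating ELB (added example, not the poster's Spring config)."""
from http.cookies import SimpleCookie
from ipaddress import ip_address, ip_network

# Constructed: the address range the load balancer connects from.
TRUSTED_PROXY_NETS = [ip_network("10.0.0.0/8")]

def request_is_secure(environ):
    """True if the client reached us over TLS.

    The app only listens on plain HTTP (port 80), so wsgi.url_scheme is
    'http' for every request that came through the ELB.  The ELB reports
    the original scheme in X-Forwarded-Proto; the header is honoured only
    when the peer is the load balancer, otherwise a direct hit on the EC2
    IP could forge it."""
    if environ.get("wsgi.url_scheme") == "https":
        return True
    peer = ip_address(environ.get("REMOTE_ADDR", "0.0.0.0"))
    if not any(peer in net for net in TRUSTED_PROXY_NETS):
        return False
    return environ.get("HTTP_X_FORWARDED_PROTO", "").lower() == "https"

def session_cookie_header(environ, session_id):
    """Value of the Set-Cookie header for the session cookie."""
    c = SimpleCookie()
    c["JSESSIONID"] = session_id
    c["JSESSIONID"]["path"] = "/"
    c["JSESSIONID"]["httponly"] = True
    c["JSESSIONID"]["secure"] = request_is_secure(environ)
    return c.output(header="").strip()

# Constructed WSGI environs for the cases in the question: through the
# ELB, straight at the EC2 IP, and straight at the IP with a forged header.
VIA_ELB = {"wsgi.url_scheme": "http", "REMOTE_ADDR": "10.0.1.5",
           "HTTP_X_FORWARDED_PROTO": "https"}
DIRECT_EC2 = {"wsgi.url_scheme": "http", "REMOTE_ADDR": "203.0.113.9"}
SPOOFED = {"wsgi.url_scheme": "http", "REMOTE_ADDR": "203.0.113.9",
           "HTTP_X_FORWARDED_PROTO": "https"}
```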

can proxy server set cookie?

Can the proxy server intercept my https request and set cookies before actually sending the request?
I'm doing a GET on a URL from the Chrome browser. In the development tools, under "Network", I noticed that the first request, the one that I made, has cookies set, but I did not set any cookies.
Any thoughts?
No it can't. To proxy HTTPS requests your browser issues an HTTP CONNECT command (https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/CONNECT). The proxy then creates a tunnel between the browser and the target server.
A conventional proxy can neither view nor manipulate a TLS-encrypted data stream, so a CONNECT request simply asks the proxy to open a pipe between the client and server. The proxy here is just a facilitator - it blindly forwards data in both directions without knowing anything about the contents. The negotiation of the TLS connection happens over this pipe, and the subsequent flow of requests and responses are completely opaque to the proxy.
It cannot modify or see what is being transferred as it is protected by TLS encryption.
The only way to modify HTTPS connections on the fly is if you install some external CA certificates on your computer. This is known as a MITM attack.
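The CONNECT exchange the answer describes, as an added example that is not part of the original answer: the client side builds the tunnel request, the proxy side parses the only fields it can see (host and port), and once it has answered 200 the bytes it relays are TLS records it can do no more than forward. The hostname and byte values are constructed.

```python
"""What a forward proxy sees when a browser fetches an HTTPS URL through
it (added example, not from the original answer)."""
import re

def build_connect_request(host, port=443):
    """Client side: the tunnel request.  Only the authority (host:port)
    is visible; the real request line, headers and cookies are not."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()

def proxy_view(raw):
    """Proxy side: parse the CONNECT and decide on the tunnel.
    Returns (fields the proxy learned, status line it sends back)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    m = re.match(r"CONNECT ([^:\s]+):(\d+) HTTP/1\.[01]$", head.split("\r\n")[0])
    if not m:
        return {}, "HTTP/1.1 400 Bad Request"
    seen = {"host": m.group(1), "port": int(m.group(2))}
    return seen, "HTTP/1.1 200 Connection Established"

def classify_tunnel_bytes(data):
    """All the proxy can tell about bytes relayed after the 200: a TLS
    record header (type 0x16 = handshake, version 0x03xx) or nothing at
    all.  It cannot parse, alter or inject into what follows."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake-record"
    return "opaque"

# Constructed: first bytes of a TLS ClientHello record header.
CLIENT_HELLO_PREFIX = bytes([0x16, 0x03, 0x01, 0x00, 0xF4, 0x01])
```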

Handshake error in Webservice

Our integration partner was using our Web service with http: 8090 and now we are moving to https: 8443 so they tried to update the WS URL but they are getting "handshake error". They are asking whether they can still use http 8090. If we route any traffic coming from http 8090 to https 8443 in the webserver config, will they still get handshake error?
When you create a redirect, the server sends an HTTP 302 which the client is obligated to follow, which means that they should still get the error. Depending on your setup and config, they may be able to send the request anyway, but if that works, then all your traffic is potentially insecure...