Does anyone have a recommended HAProxy config that I can look through?

#1

A colleague of mine is in the process of exchanging out our Apache ws proxy with an HAProxy configuration, but we seem to be running into 400 errors. Our environment is within the EC2 cloud and we are attempting to access port 443 for HAProxy (which is where SSL is terminated), then allows the connection to proceed to an underlying server running Autobahn on port 9000. Note that SSL is not enabled at all on the Autobahn side.

Here is our current configuration:

frontend public

bind *:443 ssl crt /etc/ssl/certs/ws.proxy.dev.pem

acl is_websocket path_beg -i /ws/

acl is_websocket hdr(Upgrade) -i WebSocket

acl is_websocket hdr_beg(Host) -i ws

acl is_websocket hdr_beg(Host) -i wss

use_backend www_ws if is_websocket

default_backend www_ws

backend www_ws

balance leastconn

option forwardfor

timeout queue 5000

timeout server 5000

timeout connect 5000

timeout tunnel 86400000

server serverA 54.200.12.212:9000

For more information about the current setup please refer to this thread https://groups.google.com/forum/#!topic/autobahnws/HPGm5BTaXGI

Thank you

Patrick Santora

0 Likes

#2

Hi Patrick,

A colleague of mine is in the process of exchanging out our Apache ws
proxy with an HAProxy configuration, but we seem to be running into 400

"400 Bad Request": which one is generating these responses? HAProxy or Autobahn?

If Autobahn, try removing the "url" parameter from where you create your WebSocketServerFactory:

change from:
factory = WebSocketServerFactory("ws://example.com:9000")

to:
factory = WebSocketServerFactory()

Explanation:
If the URL is provided, this (and the externalPort) parameter will lead to some checking Autobahn does: the HTTP/GET request host header matches the host/port the server (Autobahn) runs on. With a reverse proxy in front, that'll be no longer be as simple, since the proxy usually listens on different port than Autobahn, but the request still contains the external port. If you remove URL parameter, Autobahn will simply skip those checks.

errors. Our environment is within the EC2 cloud and we are attempting to
access port 443 for HAProxy (which is where SSL is terminated), then
allows the connection to proceed to an underlying server running
Autobahn on port 9000. Note that SSL is not enabled at all on the
Autobahn side.

That's fine: you want the proxy to terminate the SSL, and balance accross backend nodes .. that's how it works normally.

···

Am 09.06.2014 19:34, schrieb Patrick Santora:

Here is our current configuration:

frontend public
   bind *:443 ssl crt /etc/ssl/certs/ws.proxy.dev.pem
# acl is_websocket path_beg -i /ws/
   acl is_websocket hdr(Upgrade) -i WebSocket
   acl is_websocket hdr_beg(Host) -i ws
   acl is_websocket hdr_beg(Host) -i wss
   use_backend www_ws if is_websocket
   default_backend www_ws

backend www_ws
balance leastconn
   option forwardfor
timeout queue 5000
timeout server 5000
timeout connect 5000
timeout tunnel 86400000
server serverA 54.200.12.212:9000

For more information about the current setup please refer to this
thread https://groups.google.com/forum/#!topic/autobahnws/HPGm5BTaXGI

Thank you
Patrick Santora

--
You received this message because you are subscribed to the Google
Groups "Autobahn" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to autobahnws+...@googlegroups.com
<mailto:autobahnws+...@googlegroups.com>.
For more options, visit https://groups.google.com/d/optout.

0 Likes

#3

It looked to be coming for HAProxy so we went ahead an adjusted the setup to use nginx and it’s built in capabilities and it looks like it’s working. I’ve went ahead and also adjusted the Websocket factory to not have any URI information to help keep is generic.

We will see how well this goes! Thank you!

···

On Tuesday, June 10, 2014 7:48:31 AM UTC-7, Tobias Oberstein wrote:

Hi Patrick,

Am 09.06.2014 19:34, schrieb Patrick Santora:

A colleague of mine is in the process of exchanging out our Apache ws

proxy with an HAProxy configuration, but we seem to be running into 400

“400 Bad Request”: which one is generating these responses? HAProxy or
Autobahn?

If Autobahn, try removing the “url” parameter from where you create your
WebSocketServerFactory:

change from:

factory = WebSocketServerFactory(“ws://example.com:9000”)

to:

factory = WebSocketServerFactory()

Explanation:

If the URL is provided, this (and the externalPort) parameter will lead
to some checking Autobahn does: the HTTP/GET request host header matches
the host/port the server (Autobahn) runs on. With a reverse proxy in
front, that’ll be no longer be as simple, since the proxy usually
listens on different port than Autobahn, but the request still contains
the external port. If you remove URL parameter, Autobahn will simply
skip those checks.

errors. Our environment is within the EC2 cloud and we are attempting to

access port 443 for HAProxy (which is where SSL is terminated), then

allows the connection to proceed to an underlying server running

Autobahn on port 9000. Note that SSL is not enabled at all on the

Autobahn side.

That’s fine: you want the proxy to terminate the SSL, and balance
accross backend nodes … that’s how it works normally.

Here is our current configuration:

frontend public

bind *:443 ssl crt /etc/ssl/certs/ws.proxy.dev.pem

acl is_websocket path_beg -i /ws/

acl is_websocket hdr(Upgrade) -i WebSocket

acl is_websocket hdr_beg(Host) -i ws

acl is_websocket hdr_beg(Host) -i wss

use_backend www_ws if is_websocket

default_backend www_ws

backend www_ws

balance leastconn

option forwardfor

timeout queue 5000

timeout server 5000

timeout connect 5000

timeout tunnel 86400000

server serverA 54.200.12.212:9000

For more information about the current setup please refer to this

thread https://groups.google.com/forum/#!topic/autobahnws/HPGm5BTaXGI

Thank you

Patrick Santora

You received this message because you are subscribed to the Google

Groups “Autobahn” group.

To unsubscribe from this group and stop receiving emails from it, send

an email to autobahnws+...@googlegroups.com

mailto:autobahnws+unsub...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

0 Likes

#4

Hey Patrick, I am running into this same issue, I have tried both HAProxy and Nginx, is there anyway I can see your Nginx config file for this?

···

On Monday, June 16, 2014 at 2:55:32 PM UTC-6, Patrick Santora wrote:

It looked to be coming for HAProxy so we went ahead an adjusted the setup to use nginx and it’s built in capabilities and it looks like it’s working. I’ve went ahead and also adjusted the Websocket factory to not have any URI information to help keep is generic.

We will see how well this goes! Thank you!

On Tuesday, June 10, 2014 7:48:31 AM UTC-7, Tobias Oberstein wrote:

Hi Patrick,

Am 09.06.2014 19:34, schrieb Patrick Santora:

A colleague of mine is in the process of exchanging out our Apache ws

proxy with an HAProxy configuration, but we seem to be running into 400

“400 Bad Request”: which one is generating these responses? HAProxy or
Autobahn?

If Autobahn, try removing the “url” parameter from where you create your
WebSocketServerFactory:

change from:

factory = WebSocketServerFactory(“ws://example.com:9000”)

to:

factory = WebSocketServerFactory()

Explanation:

If the URL is provided, this (and the externalPort) parameter will lead
to some checking Autobahn does: the HTTP/GET request host header matches
the host/port the server (Autobahn) runs on. With a reverse proxy in
front, that’ll be no longer be as simple, since the proxy usually
listens on different port than Autobahn, but the request still contains
the external port. If you remove URL parameter, Autobahn will simply
skip those checks.

errors. Our environment is within the EC2 cloud and we are attempting to

access port 443 for HAProxy (which is where SSL is terminated), then

allows the connection to proceed to an underlying server running

Autobahn on port 9000. Note that SSL is not enabled at all on the

Autobahn side.

That’s fine: you want the proxy to terminate the SSL, and balance
accross backend nodes … that’s how it works normally.

Here is our current configuration:

frontend public

bind *:443 ssl crt /etc/ssl/certs/ws.proxy.dev.pem

acl is_websocket path_beg -i /ws/

acl is_websocket hdr(Upgrade) -i WebSocket

acl is_websocket hdr_beg(Host) -i ws

acl is_websocket hdr_beg(Host) -i wss

use_backend www_ws if is_websocket

default_backend www_ws

backend www_ws

balance leastconn

option forwardfor

timeout queue 5000

timeout server 5000

timeout connect 5000

timeout tunnel 86400000

server serverA 54.200.12.212:9000

For more information about the current setup please refer to this

thread https://groups.google.com/forum/#!topic/autobahnws/HPGm5BTaXGI

Thank you

Patrick Santora

You received this message because you are subscribed to the Google

Groups “Autobahn” group.

To unsubscribe from this group and stop receiving emails from it, send

an email to autobahnws+...@googlegroups.com

mailto:autobahnws+unsub...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

0 Likes

#5

If you’re looking to do something with proxy i highly recommend using the built in proxy for nginx. Very strait forward and quite powerful.

···

On Thursday, December 3, 2015 at 9:44:27 AM UTC-8, Patrick Barker wrote:

Hey Patrick, I am running into this same issue, I have tried both HAProxy and Nginx, is there anyway I can see your Nginx config file for this?

On Monday, June 16, 2014 at 2:55:32 PM UTC-6, Patrick Santora wrote:

It looked to be coming for HAProxy so we went ahead an adjusted the setup to use nginx and it’s built in capabilities and it looks like it’s working. I’ve went ahead and also adjusted the Websocket factory to not have any URI information to help keep is generic.

We will see how well this goes! Thank you!

On Tuesday, June 10, 2014 7:48:31 AM UTC-7, Tobias Oberstein wrote:

Hi Patrick,

Am 09.06.2014 19:34, schrieb Patrick Santora:

A colleague of mine is in the process of exchanging out our Apache ws

proxy with an HAProxy configuration, but we seem to be running into 400

“400 Bad Request”: which one is generating these responses? HAProxy or
Autobahn?

If Autobahn, try removing the “url” parameter from where you create your
WebSocketServerFactory:

change from:

factory = WebSocketServerFactory(“ws://example.com:9000”)

to:

factory = WebSocketServerFactory()

Explanation:

If the URL is provided, this (and the externalPort) parameter will lead
to some checking Autobahn does: the HTTP/GET request host header matches
the host/port the server (Autobahn) runs on. With a reverse proxy in
front, that’ll be no longer be as simple, since the proxy usually
listens on different port than Autobahn, but the request still contains
the external port. If you remove URL parameter, Autobahn will simply
skip those checks.

errors. Our environment is within the EC2 cloud and we are attempting to

access port 443 for HAProxy (which is where SSL is terminated), then

allows the connection to proceed to an underlying server running

Autobahn on port 9000. Note that SSL is not enabled at all on the

Autobahn side.

That’s fine: you want the proxy to terminate the SSL, and balance
accross backend nodes … that’s how it works normally.

Here is our current configuration:

frontend public

bind *:443 ssl crt /etc/ssl/certs/ws.proxy.dev.pem

acl is_websocket path_beg -i /ws/

acl is_websocket hdr(Upgrade) -i WebSocket

acl is_websocket hdr_beg(Host) -i ws

acl is_websocket hdr_beg(Host) -i wss

use_backend www_ws if is_websocket

default_backend www_ws

backend www_ws

balance leastconn

option forwardfor

timeout queue 5000

timeout server 5000

timeout connect 5000

timeout tunnel 86400000

server serverA 54.200.12.212:9000

For more information about the current setup please refer to this

thread https://groups.google.com/forum/#!topic/autobahnws/HPGm5BTaXGI

Thank you

Patrick Santora

You received this message because you are subscribed to the Google

Groups “Autobahn” group.

To unsubscribe from this group and stop receiving emails from it, send

an email to autobahnws+...@googlegroups.com

mailto:autobahnws+unsub...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

0 Likes