Any tips for Apollo reverse proxy with HAProxy?


Matt Sarrasin

Hello,


I've got a working instance of Apollo that is reverse-proxied by HAProxy with SSL offloading. However, I've been struggling to get "User-created Annotations" to work properly because the proxy is refusing websocket connections, and I'm getting 403 errors with /apollo/stomp//xhr_streaming and /apollo/stomp//xhr. I've tried quite a lot of different HAProxy configuration tweaks at this point and consulted the documentation, as well as previous issues involving HAProxy to no avail, so I was wondering if anyone would be willing to share any insight on working configurations. I can also provide additional information on request.


Thanks in advance!


Re: Any tips for Apollo reverse proxy with HAProxy?

nathandunn

Matt,

Can you show your config? I don’t have any experience with HAProxy, but I imagine it's similar to Nginx / Apache2 in terms of approach.

https://genomearchitect.readthedocs.io/en/latest/Configure.html?highlight=nginx#apache-nginx-configuration

Here is a sample web socket SSL passthrough: https://gist.github.com/sourcec0de/0834e50e0470e573419f979597c701c8


Nathan


On Jun 9, 2020, at 6:12 AM, Matt Sarrasin <[hidden email]> wrote:

Hello,


I've got a working instance of Apollo that is reverse-proxied by HAProxy with SSL offloading. However, I've been struggling to get "User-created Annotations" to work properly because the proxy is refusing websocket connections, and I'm getting 403 errors with /apollo/stomp//xhr_streaming and /apollo/stomp//xhr. I've tried quite a lot of different HAProxy configuration tweaks at this point and consulted the documentation, as well as previous issues involving HAProxy to no avail, so I was wondering if anyone would be willing to share any insight on working configurations. I can also provide additional information on request.


Thanks in advance!



Re: Any tips for Apollo reverse proxy with HAProxy?

Matt Sarrasin
Hi Nathan,

Thanks for the references. I've found https://gist.github.com/sourcec0de/0834e50e0470e573419f979597c701c8 in the past and implemented various forms of the config with no success. Perhaps I'm just missing something. Ironically I had a working reverse proxy setup with an Apache server a while back but migrated to HAProxy on FreeBSD for a number of reasons. Here are the relevant bits of my current config (HAProxy v1.8.25 on FreeBSD 11.2-RELEASE-p10) for reference:

global
        maxconn                 10000
        hard-stop-after         15m
        daemon
        tune.ssl.default-dh-param       4096
        server-state-file /tmp/haproxy_server_state

frontend redirect-http-to-https
        bind                    10.101.101.101:80 name 10.101.101.101:80 # WAN connections are NAT'd to this IP
        mode                    http
        log                     global
        option                  http-keep-alive
        option                  forwardfor
        acl https ssl_fc
        http-request set-header         X-Forwarded-Proto http if !https
        http-request set-header         X-Forwarded-Proto https if https
        timeout client          30000
        acl                     http        var(txn.txnhost) -m str -i example.com
        http-request set-var(txn.txnhost) hdr(host)
        http-request redirect scheme https  if  http

frontend RootFrontend-merged
        bind                    10.101.101.101:443 name 10.101.101.101:443   ssl crt-list /var/etc/haproxy/RootFrontend.crt_list
        mode                    http
        log                     global
        option                  socket-stats
        option                  log-separate-errors
        option                  httplog
        option                  http-keep-alive
        option                  forwardfor
        acl https ssl_fc
        http-request set-header         X-Forwarded-Proto http if !https
        http-request set-header         X-Forwarded-Proto https if https
        timeout client          30000
        errorfile               503 /var/etc/haproxy/errorfile_RootFrontend_503_MAINTENANCE
        acl                     aclcrt_RootFrontend     var(txn.txnhost) -m reg -i ^example\.com(:([0-9]){1,5})?$
        acl                     apollo  var(txn.txnpath) -m beg -i /apollo
        http-request set-var(txn.txnhost) hdr(host)
        http-request set-var(txn.txnpath) path
        use_backend ApolloServer_ipvANY  if  apollo
        default_backend WebappsBackend_ipvANY

backend ApolloServer_ipvANY
        mode                    http
        id                      108
        log                     global
        timeout connect         30000
        timeout server          30000
        retries                 3
        option                  httpchk HEAD / HTTP/1.0\r\nHost:\ 10.1.1.1:80\r\nAccept:\ */*
        server                  Apollo 10.1.1.1:80 id 109 check inter 1000

I have several other backends (static content server, matrix-synapse server, blast & annotation servers, etc.) not mentioned above, all set up similarly, but run without issue.

Thanks for your input!

Matt

On Tuesday, June 9, 2020 at 12:29:48 PM UTC-4, Nathan Dunn wrote:

Matt,

Can you show your config? I don’t have any experience with HAProxy, but I imagine it's similar to Nginx / Apache2 in terms of approach.

https://genomearchitect.readthedocs.io/en/latest/Configure.html?highlight=nginx#apache-nginx-configuration

Here is a sample web socket SSL passthrough: https://gist.github.com/sourcec0de/0834e50e0470e573419f979597c701c8


Nathan



Re: Any tips for Apollo reverse proxy with HAProxy?

nathandunn

I couldn’t tell you off hand. 

If no one here has any ideas, I might post to an HAProxy group directly. 

Basically you are doing a reverse proxy using the stomp web socket protocol from Spring.  https://spring.io/guides/gs/messaging-stomp-websocket/

If it is secure, I know that sometimes we have to use the wss protocol instead of the ws one, but more than that I don’t know.

Nathan


On Jun 10, 2020, at 6:09 AM, Matt Sarrasin <[hidden email]> wrote:

Hi Nathan,

Thanks for the references. I've found https://gist.github.com/sourcec0de/0834e50e0470e573419f979597c701c8 in the past and implemented various forms of the config with no success. Perhaps I'm just missing something. Ironically I had a working reverse proxy setup with an Apache server a while back but migrated to HAProxy on FreeBSD for a number of reasons. Here are the relevant bits of my current config (HAProxy v1.8.25 on FreeBSD 11.2-RELEASE-p10) for reference:

global
        maxconn                 10000
        hard-stop-after         15m
        daemon
        tune.ssl.default-dh-param       4096
        server-state-file /tmp/haproxy_server_state

frontend redirect-http-to-https
        bind                    10.101.101.101:80 name 10.101.101.101:80 # WAN connections are NAT'd to this IP
        mode                    http
        log                     global
        option                  http-keep-alive
        option                  forwardfor
        acl https ssl_fc
        http-request set-header         X-Forwarded-Proto http if !https
        http-request set-header         X-Forwarded-Proto https if https
        timeout client          30000
        acl                     http        var(txn.txnhost) -m str -i example.com
        http-request set-var(txn.txnhost) hdr(host)
        http-request redirect scheme https  if  http

frontend RootFrontend-merged
        bind                    10.101.101.101:443 name 10.101.101.101:443   ssl crt-list /var/etc/haproxy/RootFrontend.crt_list
        mode                    http
        log                     global
        option                  socket-stats
        option                  log-separate-errors
        option                  httplog
        option                  http-keep-alive
        option                  forwardfor
        acl https ssl_fc
        http-request set-header         X-Forwarded-Proto http if !https
        http-request set-header         X-Forwarded-Proto https if https
        timeout client          30000
        errorfile               503 /var/etc/haproxy/errorfile_RootFrontend_503_MAINTENANCE
        acl                     aclcrt_RootFrontend     var(txn.txnhost) -m reg -i ^example\.com(:([0-9]){1,5})?$
        acl                     apollo  var(txn.txnpath) -m beg -i /apollo
        http-request set-var(txn.txnhost) hdr(host)
        http-request set-var(txn.txnpath) path
        use_backend ApolloServer_ipvANY  if  apollo
        default_backend WebappsBackend_ipvANY

backend ApolloServer_ipvANY
        mode                    http
        id                      108
        log                     global
        timeout connect         30000
        timeout server          30000
        retries                 3
        option                  httpchk HEAD / HTTP/1.0\r\nHost:\ 10.1.1.1:80\r\nAccept:\ */*
        server                  Apollo 10.1.1.1:80 id 109 check inter 1000

I have several other backends (static content server, matrix-synapse server, blast & annotation servers, etc.) not mentioned above, all set up similarly, but run without issue.

Thanks for your input!

Matt

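An added example, not part of the thread and not code from any poster or from the Apollo or HAProxy projects: a small audit of the timeouts in the configuration posted above. It does not diagnose the 403 responses; it checks a separate point that matters for WebSocket traffic through HAProxy, namely that once a connection is upgraded its idle limit comes from `timeout tunnel`, and when that directive is absent the client and server timeouts keep applying. The function names and the `SAMPLE` excerpt are constructed for illustration.

```python
import re

# Constructed excerpt: only the timeout-relevant lines of the posted config.
SAMPLE = """\
frontend RootFrontend-merged
        timeout client  30000

backend ApolloServer_ipvANY
        timeout connect 30000
        timeout server  30000
        server          Apollo 10.1.1.1:80 id 109 check inter 1000
"""

KINDS = {"global", "defaults", "frontend", "backend", "listen"}
UNITS = {"us": 0.001, "ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}

def to_ms(value):
    """HAProxy time value to milliseconds (a bare number means ms)."""
    m = re.fullmatch(r"(\d+)(us|ms|s|m|h|d)?", value)
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "ms"]

def parse_timeouts(text):
    """Map (section kind, name) -> {timeout name: ms}, inheriting from defaults."""
    sections, defaults, current = {}, {}, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()  # simplification: '#' always starts a comment
        if not words:
            continue
        if words[0] in KINDS:
            # A proxy section starts from the most recent defaults section.
            current = {} if words[0] in ("global", "defaults") else dict(defaults)
            if words[0] == "defaults":
                defaults = current
            sections[(words[0], words[1] if len(words) > 1 else "")] = current
        elif current is not None and words[0] == "timeout" and len(words) >= 3:
            current[words[1]] = to_ms(words[2])
    return sections

def tunnel_idle_limits(text):
    """Per backend/listen: (ms, directive) limiting an idle upgraded connection.
    Without 'timeout tunnel' the frontend's 'timeout client' keeps applying too."""
    limits = {}
    for (kind, name), t in parse_timeouts(text).items():
        if kind in ("backend", "listen"):
            key = "tunnel" if "tunnel" in t else "server"
            limits[name] = (t.get(key), f"timeout {key}")
    return limits
```

Calling `tunnel_idle_limits()` on the full configuration file reports, for each backend, which directive bounds an idle upgraded connection and at how many milliseconds.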