Authentication 如何阻止HAProxy剥离auth标头


我遇到了一个问题:当请求被重定向到另一个URL时,HAProxy似乎会从我的请求中去掉 Authorization 请求头。具体来说,我想根据URL路径把请求转到 AWS Lambda。

按照下面的配置,subdomain.domain/mo/api 应该被路由到 Lambda,但我(使用 Postman)从 Lambda 收到的响应是:

{ "message": "Missing Authentication Token" }

直接请求 Lambda 的 URL(绕过 HAProxy)时一切符合预期,而且使用的请求头完全相同。

代理配置:

# Process-wide settings: logging, privilege drop, the runtime admin socket
# and the TLS defaults inherited by every `bind ... ssl` / `server ... ssl` line.
global

    log /dev/log    local0
    log /dev/log    local1 notice
    maxconn 20000
    # Confine the process to this directory; it then runs as the unprivileged
    # haproxy user/group set below.
    chroot /var/lib/haproxy
    # Runtime API socket at admin level: any local account able to write to it
    # can change the running proxy, so access control rests entirely on the
    # 660 file mode and the socket's owner/group.
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    # Size in bits of the DH parameters used for DHE key exchange.
    tune.ssl.default-dh-param 2048

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # NOTE(review): both cipher lists below still offer 3DES (DES-CBC3-SHA) and
    # static-RSA suites without forward secrecy (AES128-SHA, AES256-SHA, ...).
    # Trim them to ECDHE/DHE AEAD suites unless legacy clients must be served.
    ssl-default-bind-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    # Only SSLv3 is excluded here; whether TLS 1.0/1.1 are still accepted
    # depends on the HAProxy/OpenSSL defaults in use -- confirm and set an
    # explicit minimum version if they are. no-tls-tickets disables stateless
    # session tickets.
    ssl-default-bind-options no-sslv3 no-tls-tickets
    ssl-default-server-ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    ssl-default-server-options no-sslv3 no-tls-tickets

# Settings inherited by every frontend and backend declared after this section.
defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    # Adds an X-Forwarded-For header with the client address to requests
    # that HAProxy forwards to a server.
    option forwardfor
    # URI answered by HAProxy itself for external health checks.
    monitor-uri /index.html
    # NOTE(review): the statistics page is enabled here with a realm but no
    # `stats auth` line, so /stats appears to be served without credentials on
    # every proxy that inherits these defaults (ports 80 and 443 in this
    # file). Add `stats auth`, or move the stats directives to a dedicated
    # listener with restricted access.
    stats enable
    stats uri /stats
    stats realm Haproxy\ Statistics
    # Timeouts carry no unit, so they are read as milliseconds.
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    # Custom response files returned for HAProxy-generated errors.
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

# Plain-HTTP listener on port 80.
# NOTE(review): nothing here redirects to HTTPS, so an Authorization header
# sent to this listener crosses the network unencrypted.
frontend http
  bind *:80
# ACLs that match a substring anywhere in the request path.
# NOTE(review): path_sub is a substring match, so "mo" also matches paths
# such as /demo; a path_beg or path_reg match would be tighter.
  acl dm_in_uri path_sub dm
  acl mo_in_uri path_sub mo
  acl lab_host hdr(host) -i subdomain.domain.com
# Appends X-Forwarded-Proto; it does not remove a value supplied by the client.
# NOTE(review): reqadd is the legacy form and was removed in later HAProxy
# releases in favour of http-request rules -- confirm the version in use.
  reqadd X-Forwarded-Proto:\ http
# Route that requires the host name plus both path substrings.
# NOTE(review): api_in_uri is used below but is not declared in this frontend
# (only the https frontend declares it). ACLs are scoped to their own section,
# so this frontend would also need `acl api_in_uri path_sub api`.
  use_backend lab_mo_api if lab_host mo_in_uri api_in_uri
  use_backend lab_portal if lab_host

# TLS listener on port 443; the certificate path is a placeholder from the post.
frontend https
  bind *:443 ssl crt /etc/ssl/<blah>.pem
# ACLs that match a substring anywhere in the request path.
# NOTE(review): path_sub is a substring match, so "api" and "mo" also match
# unrelated paths that merely contain those letters.
  acl api_in_uri path_sub api
  acl dm_in_uri path_sub dm
  acl mo_in_uri path_sub mo
  acl lab_host hdr(host) -i subdomain.domain.com
# Appends X-Forwarded-Proto; it does not remove a value supplied by the client.
  reqadd X-Forwarded-Proto:\ https
# Route that requires the host name plus both path substrings; any other
# request for the host falls through to lab_portal (not shown in the post).
  use_backend lab_mo_api if lab_host mo_in_uri api_in_uri
  use_backend lab_portal if lab_host


# Backend chosen for requests whose path contains both "mo" and "api".
# It has no `server` line: HAProxy never forwards the request itself, it only
# answers with a redirect.
backend lab_mo_api
  # Rewrites a request line containing /mo/api/...; the replacement keeps
  # capture group 1 and discards group 2. NOTE(review): confirm this is the
  # intended path, and whether it has any effect on the redirect below.
  reqrep (.*)\/mo\/api(\/.*) \1\ /lab\/
  # Answers the client with a 301 pointing at the Lambda URL. The client then
  # sends a new request to a different host, and HAProxy is no longer in the
  # path. Many HTTP clients deliberately leave out the Authorization header
  # when following a redirect to another host, so that credentials are not
  # leaked to it, and may change the method on a 301. That would explain the
  # "Missing Authentication Token" response without HAProxy stripping
  # anything -- TODO confirm against the client in use. To keep the header,
  # proxy to the upstream with a `server` line instead of redirecting.
  redirect prefix https://<aws_lambda_url> code 301
全局
log/dev/log local0
log/dev/log local1通知
maxconn 20000
chroot/var/lib/haproxy
统计套接字/run/haproxy/admin.sock模式660级管理员
统计超时30秒
用户单倍体
群单倍体
守护进程
tune.ssl.default-dh-param 2048
#默认SSL材质位置
ca-base/etc/ssl/certs
crt基/etc/ssl/private
ssl默认绑定密码ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-AES256-GCM-SHA384:ECDHE-ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDHE-128-SHA256-ESA256-RSA-ECAESSA-DHE-384:RSA-ECAESSA-ES128-DHE-DHE-SA128-DHE-DHE-DHE-SA128-DHE-DHE-DHE-SA128-384:-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES256-CBC3-SA256:AES256-CBC3-DES:AESSA:!决策支持系统
ssl默认绑定选项no-sslv3无tls票证
ssl默认服务器密码ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-AES256-GCM-SHA384:ECDHE-ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDHE-128-SHA256-ESA256-RSA-ECAESSA-DHE-384:RSA-ECAESSA-ES128-DHE-DHE-SA128-DHE-DHE-DHE-SA128-DHE-DHE-DHE-SA128-384:-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES256-CBC3-SA256:AES256-CBC3-DES:AESSA:!决策支持系统
ssl默认服务器选项no-sslv3无tls票证
默认值
日志全局
模式http
选项httplog
选项dontlognull
选择转发
监视器uri/index.html
统计数据启用
统计uri/stats
统计域Haproxy\Statistics
超时连接5000
超时客户端50000
超时服务器50000
errorfile 400/etc/haproxy/errors/400.http
错误文件403/etc/haproxy/errors/403.http
错误文件408/etc/haproxy/errors/408.http
errorfile 500/etc/haproxy/errors/500.http
错误文件502/etc/haproxy/errors/502.http
错误文件503/etc/haproxy/errors/503.http
错误文件504/etc/haproxy/errors/504.http
前端http
绑定*:80
#基于URI中的字符串定义ACL
acl dm_in_uri path_sub dm
acl mo在uri路径子mo中
acl实验室主机hdr(主机)-i subdomain.domain.com
请求添加X-Forwarded-Proto:\http
#匹配主机名和字符串acl的特殊路由
如果lab_主机Mou in_uri api in_uri,则使用后端lab_mo_api
如果是实验室主机,请使用实验室后端门户
前端https
绑定*:443 ssl crt/etc/ssl/.pem
#基于URI中的字符串定义ACL
acl api在uri路径子api中
acl dm_in_uri path_sub dm
acl mo在uri路径子mo中
acl实验室主机hdr(主机)-i subdomain.domain.com
reqadd X-Forwarded-Proto:\https
#匹配主机名和字符串acl的特殊路由
如果lab_主机Mou in_uri api in_uri,则使用后端lab_mo_api
如果是实验室主机,请使用实验室后端门户
后端lab_mo_api
REQUREP(.*)\/mo\/api(\/.*)\1\/lab\/
重定向前缀https://code 301

@SeanL 我也很想找到那个缺失的配置项。我会在网上仔细搜索,一有答案就回到这里。后来,我通过重启解决了我自己的问题。很抱歉,这并不能解决您的问题——但我可以向您保证,HAProxy 不会删除 Authorization 请求头,这个身份验证问题很可能出在 HAProxy 之后的环节!