Server: HaProxy - Reverse Proxy 301

Created on 3 Oct 2017  路  7Comments  路  Source: bitwarden/server

Please excuse my ignorance if this is something I have fundamentally understood, I am new to reverse proxies and docker.

I have installed bitwarden and tested it locally and I am very impressed.

I decided to run it so it is accessible outside my local network, I have a single IP at home and so use HaProxy on pfSense as a reverse proxy.

My issue is that I get a 301 on my backends, and a 'to many redirects' in the browser.

I have a https certificate from letsencrypt, which https://cryptoreport.websecurity.symantec.com/checker/ says is installed fine.

My config for HA Proxy is as follows:

frontend httpsshared-merged
    bind            redactedip:443 name redactedip:443 ssl  crt /var/etc/haproxy/pm.pem crt /var/etc/haproxy/httpsshared.pem  
    mode            http
    log         global
    option          http-keep-alive
    option          forwardfor
    acl https ssl_fc
    http-request set-header     X-Forwarded-Proto http if !https
    http-request set-header     X-Forwarded-Proto https if https
    timeout client      30000
    acl         pm  hdr(host) -i pm.redacteddomain.com
    use_backend pm.redacteddomain.com_http_ipvANY  if  pm 

backend pm.redacteddomain.com_http_ipvANY
    mode            http
    log         global
    timeout connect     30000
    timeout server      30000
    retries         3
    option          httpchk OPTIONS / 
    server          pm 10.0.0.72:80 check inter 1000

Has anyone any idea of what I am doing wrong?

Most helpful comment

After many many many hours of head scratching I finally worked it out!
The 301 redirects where being caused by the line in bitwarden/nginx/default.conf
return 301 https://$server_name$request_uri;

This led me thinking that I actually want to run on port 443 on my backend, as obviously everytime I hit my domain on https, it was calling http on the backend which was calling the https again, and so we go around in a loop!

Changing my backend config to this does the trick for anyone else that has this issue.

backend pm.mydomain.com_http_ipvANY
    mode            http
    log         global
    timeout connect     30000
    timeout server      30000
    retries         3
    option          httpchk HEAD / 
    server          pm 10.0.0.72:443 ssl check inter 1000  verify none crt /var/etc/haproxy/server_clientcert_59d3ca756a8bf.pem

All 7 comments

Sorry, but I don't have any experience with HaProxy. Somewhere you are likely creating an endless loop of redirects.

I got rid of the redirect but still no dice at the moment.

I think I am getting a bit closer, it would appear the bitwarden forwards the user to https://mydomain.com/#/, I believe this is what is causing the issue

@davegrix That is only done client side. It shouldn't have any effect on the server request/response.

@kspearrin Then I am utterly at a loss!

It must be me doing something wrong, hopefully someone will come along and see this that has it working in nginx or something.

frontend sharedhttps-merged
    bind            redactedip:443 name redactedip:443 ssl  crt /var/etc/haproxy/sharedhttps.pem  
    mode            http
    log         global
    option          http-keep-alive
    timeout client      30000
    acl         pm  hdr(host) -i pm.redacteddomain.com
    acl         aclcrt_sharedhttps  hdr_reg(host) -i ^pm\.redacteddomain\.com(:([0-9]){1,5})?$
    use_backend pm.redacteddomain.com_http_ipvANY  if  pm 

backend pm.redacteddomain.com_http_ipvANY
    mode            http
    log         global
    option          log-health-checks
    timeout connect     30000
    timeout server      30000
    retries         3
    option          httpchk OPTIONS / 
    server          pm 10.0.0.72:80 check inter 1000

L7OK/301 in 1ms
The page isn't redirecting properly

Firefox has detected that the server is redirecting the request for this address in a way that will never complete.

Sorry, I do not know.

After many many many hours of head scratching I finally worked it out!
The 301 redirects where being caused by the line in bitwarden/nginx/default.conf
return 301 https://$server_name$request_uri;

This led me thinking that I actually want to run on port 443 on my backend, as obviously everytime I hit my domain on https, it was calling http on the backend which was calling the https again, and so we go around in a loop!

Changing my backend config to this does the trick for anyone else that has this issue.

backend pm.mydomain.com_http_ipvANY
    mode            http
    log         global
    timeout connect     30000
    timeout server      30000
    retries         3
    option          httpchk HEAD / 
    server          pm 10.0.0.72:443 ssl check inter 1000  verify none crt /var/etc/haproxy/server_clientcert_59d3ca756a8bf.pem
Was this page helpful?
0 / 5 - 0 ratings