Login/Register
How to send a response with HAProxy without passing the request to web servers
Asked Answered
Solved httpcorshaproxy
P

3

26

The server is receiving thousands of OPTIONS requests due to CORS (Cross-Origin Resource Sharing). Right now, every options request is being sent to one of the servers, which is a bit wasteful, knowing that HAProxy can add the CORS headers itself without the help of a web server.

frontend https-in
    ...
    use_backend cors_headers if METH_OPTIONS
    ...

backend cors_headers
    rspadd Access-Control-Allow-Origin:\ https://www.example.com
    rspadd Access-Control-Max-Age:\ 31536000

However for this to work I need to specify at least one live server in cors_headers backend and that server will still receive the requests.

How can I handle the request in the backend without specifying any servers? How can I stop the propagation of the request to servers, while sending the response to the browser and keeping the connection alive?

Palatinate answered 24/10, 2014 at 21:52 Comment(1)
I am looking to do the same thing, were you ever able to get this working?Avogadro
S
24

Good news, HAProxy 2.2 just introduced the "Native Response Generator" feature. It works with the http-request return directive, and can be used for serving static files or text strings, including dynamic parameters. The goal is to avoid the usual hacks with errorfile.

Taking advantage of another directive introduced in version 2.2 (http-after-response), the OP goal could be achieved with the following:

backend cors_headers
    # http-response won't work here as the response is generated by HAP
    http-after-response set-header Access-Control-Allow-Origin \
        "%[req.hdr(Origin)]"
    http-after-response set-header Access-Control-Max-Age "31536000"
    http-request return status 200 content-type "text/plain" string "" if TRUE

The set-header and http-request return can be made conditional with an if clause based on the request headers or origin, depending on your needs (see the doc for examples).

With this technique the headers and response can use variables:

http-request return status 200 content-type "text/plain" \
    lf-string "Hello, you are: %[src]"
Synchrotron answered 9/7, 2020 at 17:4 Comment(2)
This was so close to fixing another problem I was trying to solve, but I'm on haproxy 2.1.7 :(Pargeting
This solved my issue. depreciated some applets and moved it to single line http-request return statements. Could not figure out why there was cors issues.Unsubstantial
P
20

Edit for HAProxy 2.2 and above: In case you need to support a whitelist of origins, Lua scripts can now generate the entire response without having to pass the request to the backend server. Sample Lua script with simple integration instructions can be found here: https://github.com/haproxytech/haproxy-lua-cors

The only way to do this is in HAProxy 1.5.14 is by manually triggering the 503 error (no servers available to handle the request) and setting the error page to the file with custom CORS headers.

backend cors_headers
    errorfile 503 /path/to/custom/file.http

The file.http should contain the desired headers and 2 empty lines at the end

HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://www.example.com
Access-Control-Max-Age: 31536000
Content-Length: 0
Cache-Control: private


<REMOVE THIS LINE COMPLETELY>

This "method" has a couple of limitations:

  • there is no way to check the origin before sending the CORS headers, so you will either have to have a static list of allowed origins or you will have to allow all origins

  • lack of dynamic headers: you can't do

    http-response set-header Date %[date(),http_date]

or set Expires header.

Note: if you are updating the HTTP file dynamically over time, to apply the changes to the HAProxy you will have to restart it. It can be a graceful restart or a hard restart, in either case the new file will be loaded, cached and served immediately.

Palatinate answered 24/10, 2014 at 23:34 Comment(1)
haproxy 2.2 added the http-request return directive which allows setting a respones. Lua not required.Bihari
D
0

This should work in most versions of HAproxy:

backend cors_headers
http-request deny deny_status 200
Discriminative answered 16/2, 2023 at 9:36 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.