HAProxy community

Again redirect http 80 to https 443

I am using haproxy 2.2 and tried several redirects, also the one below with http-request as mentioned here[1], and splitting this into 2 different frontends.

Currently I have it configured as follows:

frontend https
  bind 0.0.0.0:80
  redirect scheme https code 301 if !{ ssl_fc }
  bind 0.0.0.0:"$PORT2"

Logs are showing this

https https/<NOSRV> -1/-1/1 0 SC 4/2/0/0/0 0/0
https https/<NOSRV> -1/-1/0 0 SC 4/2/0/0/0 0/0
https https/<NOSRV> -1/-1/0 0 SC 4/2/0/0/0 0/0
https https/<NOSRV> -1/-1/0 0 SC 13/11/0/0/0 0/0
https https/<NOSRV> -1/-1/0 0 SC 9/7/0/0/0 0/0
https https/<NOSRV> -1/-1/0 0 SC 4/2/0/0/0 0/0
https https/<NOSRV> -1/-1/0 0 SC 4/2/0/0/0 0/0

If I just type test.example.com in the browser, I do not seem to end up at https://test.example.com

If I just type https://test.example.com in the browser, I am getting the correct page (actually redirected to https://test.example.com/path/path/).

[1]

Please post the entire configuration, and the output of a curl -vv call.

This is part of the config :roll_eyes:, I do not have any other frontend with a port 80 bind. I assume it is related to redirecting based on SNI.

frontend https
  bind 0.0.0.0:80
  redirect scheme https code 301 if !{ ssl_fc }

  bind 0.0.0.0:"$PORT2"
  tcp-request inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }
  use_backend _recir_webchat if { req_ssl_sni -i webchat.example.com }
  use_backend _recir_synapse if { req_ssl_sni -i riot.example.com }
  ...


backend _recir_webchat
  server loopback-for-tls abns@webchat send-proxy-v2
backend _recir_synapse
  server loopback-for-tls abns@synapse send-proxy-v2
backend _recir_test
...


frontend webchat
  #bind 0.0.0.0:8080
  #bind 0.0.0.0:443 ssl crt webchat.example.com.pem
  bind abns@webchat accept-proxy ssl crt webchat.example.com.pem
  mode http
  ...
  

frontend synapse
  #bind 0.0.0.0:8080
  #bind 0.0.0.0:443 ssl crt element.example.com.pem
  bind abns@synapse accept-proxy ssl crt riot.example.com.pem
  mode http
  ...

This is just accessing the ip on http

* About to connect() to x.x.x.x port 80 (#0)
*   Trying x.x.x.x... connected
* Connected to x.x.x.x (x.x.x.x) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.44 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: x.x.x.x
> Accept: */*
>
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Empty reply from server
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connection #0 to host x.x.x.x left intact

curl: (52) Empty reply from server
* Closing connection #0

This is accessing a domain with http

* About to connect() to test.example.com port 80 (#0)
*   Trying x.x.x.x... connected
* Connected to test.example.com (x.x.x.x) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.44 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: test.example.com
> Accept: */*
>
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Empty reply from server
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connection #0 to host test.example.com left intact

curl: (52) Empty reply from server
* Closing connection #0

I was just testing with Apache ab, and got this on the https URL:

SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).

If you want to redirect you need a frontend in mode http.

You also have SNI routing there in the same frontend (which needs mode tcp). Assuming you get SSL traffic on $PORT2 (and that’s what the SNI routing is for) you need to divide the two:

frontend http
  mode http
  bind 0.0.0.0:80
  redirect scheme https code 301 if !{ ssl_fc }

frontend https
  mode tcp
  bind 0.0.0.0:"$PORT2"
  tcp-request inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }
  use_backend _recir_webchat if { req_ssl_sni -i webchat.example.com }
  use_backend _recir_synapse if { req_ssl_sni -i riot.example.com }

You did not share your default section, so I just explicitly declared mode http and mode tcp respectively.

Yes that solved it indeed! Thanks
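
A small lint for the mistake diagnosed in this thread, added here as an example and not part of any post or of HAProxy itself: it flags a frontend whose effective mode does not fit its rules (the redirect needs mode http, the SNI routing needs mode tcp). The `defaults` section in the sample and the names `lint` and `MIXED_CFG` are assumptions, since the thread never shows the real defaults.

```python
import re

# Constructed sample: the mixed frontend from the question. The "defaults"
# section is an assumption; the thread never shows the real one.
MIXED_CFG = """\
defaults
  mode tcp

frontend https
  bind 0.0.0.0:80
  redirect scheme https code 301 if !{ ssl_fc }
  bind 0.0.0.0:"$PORT2"
  tcp-request inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }
  use_backend _recir_webchat if { req_ssl_sni -i webchat.example.com }
"""

SECTION = re.compile(r"^(global|defaults|frontend|listen|backend)\b\s*(\S*)")
HTTP_RULE = re.compile(r"^(redirect|http-request)\b")
SNI_FETCH = re.compile(r"\breq[._]ssl_(sni|hello_type)\b")

def lint(cfg_text):
    """Return (proxy_name, problem) for rules that do not fit the proxy's mode."""
    default_mode, proxies, cur = "tcp", [], None    # tcp is HAProxy's built-in default
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()         # naive comment strip, enough for a sketch
        m = SECTION.match(line)
        if m and m.group(1) == "defaults":
            default_mode, cur = "tcp", None         # a new defaults section starts from scratch
        elif m:
            cur = {"kind": m.group(1), "name": m.group(2),
                   "mode": default_mode, "http": False, "sni": False}
            proxies.append(cur)
        elif line.startswith("mode "):
            if cur is None:
                default_mode = line.split()[1]      # "mode" inside the defaults section
            else:
                cur["mode"] = line.split()[1]       # explicit per-proxy override
        elif cur is not None and HTTP_RULE.match(line):
            cur["http"] = True
        elif cur is not None and SNI_FETCH.search(line):
            cur["sni"] = True
    findings = []
    for p in (p for p in proxies if p["kind"] in ("frontend", "listen")):
        if p["http"] and p["mode"] != "http":
            findings.append((p["name"], "HTTP redirect/http-request rule but mode is " + p["mode"]))
        if p["sni"] and p["mode"] != "tcp":
            findings.append((p["name"], "SNI content switching but mode is " + p["mode"]))
    return findings
```

Whichever mode the assumed defaults set, the single mixed frontend produces one finding; the split configuration from the answer produces none.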