Again redirect http 80 to https 443

f1outsourcing · August 13, 2020, 9:17pm

I am using haproxy 2.2 and tried several redirects also the below with http-request as mentioned here[1] and splitting this into 2 different frontends.

Currently I am having configured as from:

frontend https
  bind 0.0.0.0:80
  redirect scheme https code 301 if !{ ssl_fc }
  bind 0.0.0.0:"$PORT2"

Logs are showing this

https https/<NOSRV> -1/-1/1 0 SC 4/2/0/0/0 0/0
https https/<NOSRV> -1/-1/0 0 SC 4/2/0/0/0 0/0
https https/<NOSRV> -1/-1/0 0 SC 4/2/0/0/0 0/0
https https/<NOSRV> -1/-1/0 0 SC 13/11/0/0/0 0/0
https https/<NOSRV> -1/-1/0 0 SC 9/7/0/0/0 0/0
https https/<NOSRV> -1/-1/0 0 SC 4/2/0/0/0 0/0
https https/<NOSRV> -1/-1/0 0 SC 4/2/0/0/0 0/0

If I just type test.example.com in the browser, I do not seem to end up at https://test.example.com

If I just type https://test.example.com in the browser, I am getting a the correct page. ( actually redirected to https://test.example.com/path/path/

[1]

lukastribus · August 14, 2020, 9:43am

Please post the entire configuration, and the output of a curl -vv call.

f1outsourcing · August 16, 2020, 2:29pm

This is part of config , I do not have any other fronted with a port 80 bind. I assume it is related to redirecting based on sni.

frontend https
  bind 0.0.0.0:80
  redirect scheme https code 301 if !{ ssl_fc }

  bind 0.0.0.0:"$PORT2"
  tcp-request inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }
  use_backend _recir_webchat if { req_ssl_sni -i webchat.example.com }
  use_backend _recir_synapse if { req_ssl_sni -i riot.example.com }
  ...


backend _recir_webchat
  server loopback-for-tls abns@webchat send-proxy-v2
backend _recir_synapse
  server loopback-for-tls abns@synapse send-proxy-v2
backend _recir_test
...


frontend webchat
  #bind 0.0.0.0:8080
  #bind 0.0.0.0:443 ssl crt webchat.example.com.pem
  bind abns@webchat accept-proxy ssl crt webchat.example.com.pem
  mode http
  ...
  

frontend synapse
  #bind 0.0.0.0:8080
  #bind 0.0.0.0:443 ssl crt element.example.com.pem
  bind abns@synapse accept-proxy ssl crt riot.example.com.pem
  mode http
  ...

This is just accessing the ip on http

* About to connect() to x.x.x.x port 80 (#0)
*   Trying x.x.x.x... connected
* Connected to x.x.x.x (x.x.x.x) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.44 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: x.x.x.x
> Accept: */*
>
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Empty reply from server
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connection #0 to host x.x.x.x left intact

curl: (52) Empty reply from server
* Closing connection #0

This is accessing a domain with http

* About to connect() to test.example.com port 80 (#0)
*   Trying x.x.x.x... connected
* Connected to test.example.com (x.x.x.x) port 80 (#0)
> GET / HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.44 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: test.example.com
> Accept: */*
>
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Empty reply from server
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Connection #0 to host test.example.com left intact

curl: (52) Empty reply from server
* Closing connection #0

f1outsourcing · August 16, 2020, 2:50pm

I was just testing with apache ab, and got on the https url this

SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).
SSL handshake failed (5).

lukastribus · August 16, 2020, 7:07pm

If you want to redirect you need a frontend in mode http.

You also have SNI routing there in the same frontend (which needs mode tcp). Assuming you get SSL traffic on $PORT2 (and that’s what the SNI routing is for) you need to divide the two:

frontend http
  mode http
  bind 0.0.0.0:80
  redirect scheme https code 301 if !{ ssl_fc }

frontend https
  mode tcp
  bind 0.0.0.0:"$PORT2"
  tcp-request inspect-delay 5s
  tcp-request content accept if { req_ssl_hello_type 1 }
  use_backend _recir_webchat if { req_ssl_sni -i webchat.example.com }
  use_backend _recir_synapse if { req_ssl_sni -i riot.example.com }

You did not share your default section, so I just explicitly declared mode http and mode tcp respectively.

f1outsourcing · August 16, 2020, 8:33pm

Yes that solved it indeed! Thanks

Topic		Replies	Views
Simple method for doing http -> https frontend redirects in HAProxy? Help!	1	4399	January 26, 2018
Cannot get "redirect scheme" to work in backend section Help!	7	2328	March 13, 2017
SSL Redirect - Chained Proxies via Proxy Protocol Help!	2	485	July 3, 2020
Haproxy redirections with ssl Help!	1	873	April 26, 2017
Simple URL redirect Help!	0	369	October 3, 2021

Again redirect http 80 to https 443

Related topics