Apache Creating Non HTTPS Link When Using SSL Termination


#1

HAProxy noob here! Setup has been straightforward so far, but I have one issue I cannot seem to solve. I am using SSL Termination with HAProxy and have that working. But, the Apache backends are creating non-HTTPS links when serving pages, causing browsers to note something is up. I have thrown the sink at it so far, with no luck. Version is: HA-Proxy version 1.8.13-1ppa1~bionic 2018/08/01

Current config file:

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 30s
    user haproxy
    group haproxy
    daemon
    ssl-server-verify none
    tune.ssl.default-dh-param 2048

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend www-http
    bind *:80
    bind *:443 ssl crt /etc/ssl/haproxy/XXXXXXX.pem

    option http-server-close
    http-request add-header X-Forwarded-Proto https
    http-request set-header X-SSL %[ssl_fc]
    http-response add-header Strict-Transport-Security max-age=31536000

    # Test URI to see if it's a letsencrypt request
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl

    mode http
    default_backend apache

backend letsencrypt-backend
    server letsencrypt 127.0.0.1:8888

backend apache
    redirect scheme https if !{ ssl_fc }
    mode http
    balance roundrobin
    option forwardfor
    option httpclose
    http-request add-header X-Forwarded-Proto https
    http-request set-header X-SSL %[ssl_fc]
    http-response add-header Strict-Transport-Security max-age=31536000

    server web1 cluster2-web-01:80
    server web2 cluster2-web-02:80

listen stats
    bind :32700
    stats enable
    stats uri /
    stats hide-version
    stats auth XXX:XXX


#2

All you can do is to set the X-Forwarded-Proto header, which you already do. If the backend still ignores it, you probably need to set some flag in the backend application configuration.

There is not much you can do at the haproxy layer though.


#3

I finally figured this out, in case someone else is suffering from the same issue. The apps that sit on the backend are written in the Laravel PHP framework. I had to configure trusted proxies within the Laravel config and that fixed the issue.

https://laravel.com/docs/5.7/requests#configuring-trusted-proxies
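To show what "configuring trusted proxies" actually buys you, here is an added example (not code from this thread, from Laravel, or from HAProxy) of the check that a trusted-proxies middleware performs: the application honours X-Forwarded-Proto and X-Forwarded-For only when the TCP peer that delivered the request is a proxy it trusts. The trusted network 10.0.0.0/24, the peer addresses and the headers are all assumed, constructed values; the class and function names are mine.

```python
"""Added example, not code from the thread or from Laravel: a minimal
"trusted proxies" check of the kind Laravel's TrustProxies middleware performs.

The application honours X-Forwarded-Proto and X-Forwarded-For only when the
TCP peer that delivered the request is a proxy it trusts (the HAProxy host,
here the assumed network 10.0.0.0/24). A client that reaches the backend
directly therefore cannot spoof its scheme or source address. All requests
below are constructed samples, not captured traffic.
"""
import ipaddress
from typing import Iterable, Mapping, Tuple

TRUSTED_PROXIES = ["10.0.0.0/24"]  # assumed: where the HAProxy host(s) live


class ForwardedRequest:
    """Resolves scheme and client IP through the X-Forwarded-* headers."""

    def __init__(self, peer_ip: str, hop_scheme: str, headers: Mapping[str, str],
                 trusted_proxies: Iterable[str] = TRUSTED_PROXIES):
        self.peer_ip = ipaddress.ip_address(peer_ip)
        self.hop_scheme = hop_scheme  # scheme of the connection we actually received
        self.headers = {k.lower(): v for k, v in headers.items()}
        self.trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def from_trusted_proxy(self) -> bool:
        """True only if the TCP peer is one of the configured proxies."""
        return any(self.peer_ip in net for net in self.trusted)

    def scheme(self) -> str:
        """Scheme the original client used, or the local one if no trusted proxy said otherwise."""
        if self.from_trusted_proxy():
            # A chain of proxies joins repeated headers with commas; the first
            # value is taken as the one closest to the client (the usual convention).
            proto = self.headers.get("x-forwarded-proto", "").split(",")[0].strip().lower()
            if proto in ("http", "https"):
                return proto
        return self.hop_scheme

    def client_ip(self) -> str:
        """Original client address, or the peer address if the header is untrusted or malformed."""
        if self.from_trusted_proxy():
            first = self.headers.get("x-forwarded-for", "").split(",")[0].strip()
            try:
                return str(ipaddress.ip_address(first))
            except ValueError:
                pass  # empty or malformed: fall back to the peer address
        return str(self.peer_ip)

    def url(self, host: str, path: str) -> str:
        """Absolute URL as a framework would generate it for a link."""
        return f"{self.scheme()}://{host}{path}"


def resolve(peer_ip: str, headers: Mapping[str, str]) -> Tuple[str, str, str]:
    """Helper for the cases below: (scheme, client_ip, generated URL).

    The hop scheme is always "http", as it is for the Apache backends in the
    thread: HAProxy terminates TLS and talks plain HTTP to them on port 80.
    """
    req = ForwardedRequest(peer_ip, "http", headers)
    return req.scheme(), req.client_ip(), req.url("example.com", "/login")


if __name__ == "__main__":
    # 1. Normal path: HAProxy terminated TLS, so the hop to Apache is plain
    #    HTTP, but the trusted header says the client used https.
    print(resolve("10.0.0.5", {"X-Forwarded-Proto": "https",
                               "X-Forwarded-For": "198.51.100.7"}))
    # 2. Someone reaches port 80 on the backend directly and sends the same
    #    headers: the peer is not trusted, so they are ignored.
    print(resolve("203.0.113.9", {"X-Forwarded-Proto": "https",
                                  "X-Forwarded-For": "127.0.0.1"}))
    # 3. A client-supplied X-Forwarded-Proto that the proxy merely appended to
    #    (add-header) instead of replacing (set-header) wins on first-value
    #    parsing, so generated links come out as http again.
    print(resolve("10.0.0.5", {"X-Forwarded-Proto": "http, https",
                               "X-Forwarded-For": "198.51.100.7"}))
```

In Laravel 5.7 the equivalent of TRUSTED_PROXIES is the `$proxies` property of `App\Http\Middleware\TrustProxies`, per the docs linked above. Case 3 is the reason to look at the HAProxy side as well: the posted config uses `http-request add-header X-Forwarded-Proto https` in both the frontend and the backend, which appends to any value the client already sent, and it asserts `https` even on the port 80 listener. `http-request set-header X-Forwarded-Proto https if { ssl_fc }` replaces the header and only claims https when TLS was actually terminated.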