Hello,
I have a situation which I believe to be quite typical, actually:
A haproxy (1.5) shall be used as reverse proxy for SSL termination
for multiple webservice backends, which themselves are not able to do HTTPS.
All backends have the same IP, but differ in their individual ports.
This works for me, but only if using 443 as the frontend port.
As soon as I use an HTTPS port different from 443, the application starts redirecting from “https://” to “http://”, while keeping the custom port.
E.g.:
- Request “https://10.10.0.3:834” gets redirected to “http://10.10.0.3:834/login” (bad).
- But “https://10.10.0.3:443” gets redirected to “https://10.10.0.3/login” (good).
I don’t know why, but I believe this is a behaviour of the web application, which I unfortunately can’t change (closed source).
I have now failed at forcing HTTPS using the standard method:
- redirect scheme https if !{ ssl_fc }
- http-request redirect scheme https if ! { ssl_fc }
in the frontend section.
Apparently because it’s not a request that has to be redirected,
but the web application’s redirect, which will never trigger this rule.
The only option that seems to get triggered by the application’s redirect is anything like
“redirect location”.
But does haproxy also offer means to make that work with dynamic URLs?
But the fundamental question actually is:
*Why does the SSL termination fail while using a custom SSL port, when the very same configuration works if using a standard 443 SSL port?*
Here is my config:
```
global
    log 127.0.0.1 local2
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    user haproxy
    group haproxy
    daemon
    stats socket /var/lib/haproxy/stats

defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    maxconn 3000

frontend server1
    mode http
    bind 10.10.0.3:8243 ssl crt /etc/ssl/certs/me.pem
    # all my failing attempts
    #redirect scheme https if !{ ssl_fc }
    #http-request redirect scheme https unless { ssl_fc }
    #http-request redirect scheme https code 301 if !{ ssl_fc }
    #http-request redirect scheme https code 302 if !{ ssl_fc }
    #redirect scheme https code 301 if !{ ssl_fc }
    #redirect location https://10.10.0.3
    #redirect location https://10.10.0.3:8243
    #redirect prefix https://10.10.0.3:8243
    #redirect prefix https://10.10.0.3
    #redirect location https://%[hdr(host)]%[capture.req.uri]
    default_backend server1

backend server1
    mode http
    server svr1 127.0.0.1:3838 check
```
From what I understand, the post
might be related, but I don’t understand why haproxy would not be able to “change” the “http://” to “https://”?
It would be great if someone could give me a hint on how to deal with such a problem. I believe it should be a fairly typical situation?
Best
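
An added example, not part of the original post: the application's redirect travels in the response `Location` header, so request-side `redirect scheme` rules never see it; one way to keep the browser on HTTPS is to rewrite that header as the response leaves the proxy. The fragment reuses the post's frontend and backend and assumes the application emits absolute `http://` URLs in `Location` (whether it honours `X-Forwarded-Proto` is unknown).

```haproxy
frontend server1
    mode http
    bind 10.10.0.3:8243 ssl crt /etc/ssl/certs/me.pem

    # Pass the original scheme to the backend. This only helps if the
    # application reads the header (assumption; a closed-source app may ignore it).
    http-request set-header X-Forwarded-Proto https if { ssl_fc }

    default_backend server1

backend server1
    mode http

    # Response-side rewrite: turn an absolute http:// redirect target into
    # https://, keeping host, custom port and path as the application sent them
    # (e.g. http://10.10.0.3:8243/login -> https://10.10.0.3:8243/login).
    http-response replace-header Location ^http://(.*)$ https://\1

    server svr1 127.0.0.1:3838 check
```

After reloading, `curl -skI https://10.10.0.3:8243/` should show a `Location:` value that starts with `https://`.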