Backend redirecting https-termination to http


I have a situation which I believe to be quite typical, actually:
A haproxy (1.5) shall be used as a reverse proxy for SSL termination
for multiple webservice backends, which themselves are not able to do HTTPS.
All backends have the same IP, but differ in their individual ports.

This works for me, but only if using 443 as the frontend port.
As soon as I use an HTTPS port different from 443, the application starts redirecting from “https://” to “http://”, while keeping the custom port.


I don’t know why, but believe this is a behaviour of the web application, which I unfortunately can’t change (closed source).

I now failed with forcing https by using the standard method:

  • redirect scheme https if !{ ssl_fc }
  • http-request redirect scheme https if ! { ssl_fc }

in the frontend section.
Apparently because it’s not a request that has to be redirected,
but the web application’s redirect, which will never trigger this rule.

The only option that seems to get triggered by the application’s redirect is anything like
“redirect location”.
But does haproxy also offer means to make that work with dynamic URLs?

But the fundamental question actually is:
*Why does the ssl-termination fail while using a custom SSL port,*
when the very same configuration works if using a standard 443 ssl port?

Here is my config:

    log local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/
    maxconn     4000
    user        haproxy
    group       haproxy

    stats socket /var/lib/haproxy/stats

    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

    frontend server1
      mode http
      bind ssl crt /etc/ssl/certs/me.pem

    #all my failing attempts
    #redirect scheme https if !{ ssl_fc }
    #http-request redirect scheme https unless { ssl_fc }
    #http-request redirect scheme https code 301 if !{ ssl_fc }
    #http-request redirect scheme https code 302 if !{ ssl_fc }
    #redirect scheme https code 301 if !{ ssl_fc }
    #redirect location
    #redirect location
    #redirect prefix
    #redirect prefix
    #redirect location https://%[hdr(host)]%[capture.req.uri]

    default_backend server1

    backend server1
    mode http
    server svr1 check

From what I understand, the post

HAProxy 1.8 does not redirect all http to https

might be related, but I don’t understand why haproxy would not be able to “change” the “http://” to “https://”?

It would be great if someone could give me a hint on how to deal with such a problem. I believe it should be a fairly typical situation?
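
The distinction the post draws between request-side redirect rules and the application's own redirect, shown as a configuration sketch. This is an added example, not part of the original post or the poster's configuration: the section names, the listener address and port, and the backend address are constructed placeholders, and it is an assumption that the application may honor `X-Forwarded-Proto`.

```haproxy
frontend fe_tls_custom
    mode http
    # Constructed listener: TLS terminated on a non-standard port
    bind 192.0.2.10:8443 ssl crt /etc/ssl/certs/me.pem

    # Request-side rules such as "redirect scheme https if !{ ssl_fc }"
    # are evaluated on the client's request. A redirect generated by the
    # backend is a response, so those rules never see its Location header.

    # Tell the backend the original scheme. This only helps if the
    # application reads this header (assumption; it may ignore it).
    http-request set-header X-Forwarded-Proto https if { ssl_fc }

    default_backend be_app

backend be_app
    mode http
    # Response-side rule: rewrite absolute http:// redirects issued by the
    # backend to https://, keeping the host, the custom port and the path.
    # The pattern matches every http:// Location value; anchor it on the
    # site's own host name to leave redirects to other sites untouched.
    http-response replace-header Location ^http://(.*)$ https://\1

    # Constructed backend address: plain HTTP behind the proxy
    server app1 192.0.2.20:8080 check
```

With such a rule in place, the `Location` value in the response (visible with `curl -skI` against the frontend) shows whether the scheme was rewritten before the redirect reached the client.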