Consultation on redirecting HTTP to HTTPS

Hi,

I am trying to redirect HTTP traffic to HTTPS via HAProxy 2.2.3, and here is my config:

frontend    simple_webapp    
    mode    http
    bind    *:5006
    bind    *:5443  ssl crt /root/Downloads/simple_webapp_all.pem
    http-request redirect scheme https unless { ssl_fc }
    default_backend simple_webapp

backend simple_webapp
    balance     roundrobin
    server      centos8-1 <server ip>:5006  check
    server      centos8-2 <server ip>:5006  check

If I type https://:5443 in Chrome, it reaches the backend page successfully. However, if I use http://:5006 instead, Chrome shows the error “ERR_SSL_PROTOCOL_ERROR”.

Please correct me if there is any incorrect config.

Thanks.

Presumably because it redirects to https://host/ instead of https://host:5443/, and port 443 is not what you want.

You will need something like:

http-request redirect prefix   https://mysite.com:5443 unless { ssl_fc }

Hi Lukas,

Thanks for the reply.

Though I changed the port from 5443 to 443, it still failed with the same error.

I modified the config per your suggestion, still no luck.

Are you sure only one haproxy runs (not multiple instances; check your ps output) and nothing else listens on those ports?

I suggest you run curl -vv http://host/ against the HTTP port and look where it redirects to.

Hi Lukas,

Here is the output:

[root@centos8 ssl]# ps -ef | grep haproxy
root        4079       1  0 Sep17 ?        00:00:03 /usr/sbin/haproxy -sf 23631 -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
haproxy    23882    4079  0 16:04 ?        00:00:00 /usr/sbin/haproxy -sf 23631 -Ws -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid

[root@centos8 ssl]# netstat -tlnp | grep 5443
tcp        0      0 0.0.0.0:5443            0.0.0.0:*               LISTEN      23882/haproxy
[root@centos8 ssl]# netstat -tlnp | grep 5006
tcp        0      0 0.0.0.0:5006            0.0.0.0:*               LISTEN      23882/haproxy

[root@centos8 ssl]# curl -vv http://192.168.209.133:5006
* Rebuilt URL to: http://192.168.209.133:5006/
*   Trying 192.168.209.133...
* TCP_NODELAY set
* Connected to 192.168.209.133 (192.168.209.133) port 5006 (#0)
> GET / HTTP/1.1
> Host: 192.168.209.133:5006
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 302 Found
< content-length: 0
< location: https://192.168.209.133:5006/
< cache-control: no-cache
<
* Connection #0 to host 192.168.209.133 left intact

[root@centos8 ssl]# curl -vv https://192.168.209.133:5443
* Rebuilt URL to: https://192.168.209.133:5443/
*   Trying 192.168.209.133...
* TCP_NODELAY set
* Connected to 192.168.209.133 (192.168.209.133) port 5443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Yeah, this is completely wrong. HTTP port 5006 redirects to the same port (5006), but on HTTPS. It doesn’t work that way.

Can you share the actual configuration?
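The mechanism Lukas describes, as an added example that is not code from the thread or from HAProxy: `redirect scheme` builds the Location header from the new scheme, the request's Host header copied verbatim (port included) and the request URI, so a client that arrived on http://192.168.209.133:5006 is sent to https://192.168.209.133:5006, which is the plaintext bind. `redirect prefix` uses the literal prefix instead. The checker below parses the frontend posted above (embedded as constructed input, together with the `redirect prefix` fix Lukas proposed), models both Location values and flags any redirect whose target port is not a TLS listener of the same frontend. The regexes cover the `bind` and `http-request redirect` forms used in this thread only (IPv4/hostname binds, no bracketed IPv6).

```python
"""Added example, not code from the thread or from HAProxy: a small checker
that parses the frontend posted above and shows why
"http-request redirect scheme https" sends browsers to the plaintext port.
"""
import re

# Constructed input: the frontend from the original post, plus the fix Lukas proposed.
ORIGINAL_FRONTEND = """\
frontend    simple_webapp
    mode    http
    bind    *:5006
    bind    *:5443  ssl crt /root/Downloads/simple_webapp_all.pem
    http-request redirect scheme https unless { ssl_fc }
    default_backend simple_webapp
"""
FIXED_FRONTEND = ORIGINAL_FRONTEND.replace(
    "redirect scheme https", "redirect prefix https://192.168.209.133:5443")

BIND_RE = re.compile(r"^\s*bind\s+\S*?:(\d+)\b(.*)$")
REDIRECT_RE = re.compile(r"^\s*http-request\s+redirect\s+(scheme|prefix)\s+(\S+)")


def parse_frontend(text):
    """Return ({port: is_tls}, [(kind, argument), ...]) for one frontend block.
    IPv4/hostname binds only; bracketed IPv6 addresses are not handled."""
    listeners, redirects = {}, []
    for line in text.splitlines():
        m = BIND_RE.match(line)
        if m:
            listeners[int(m.group(1))] = " ssl" in m.group(2)
            continue
        m = REDIRECT_RE.match(line)
        if m:
            redirects.append((m.group(1), m.group(2)))
    return listeners, redirects


def location_header(kind, argument, host_header, uri="/"):
    """Model of the Location value HAProxy emits.

    'redirect scheme' keeps the request's Host header verbatim, port included,
    and only swaps the scheme; 'redirect prefix' uses the literal prefix.
    """
    if kind == "scheme":
        return f"{argument}://{host_header}{uri}"
    if kind == "prefix":
        return f"{argument}{uri}"
    raise ValueError(f"redirect form not modelled: {kind}")


def target_port(location):
    """Port a browser will connect to for a Location URL (IPv4/hostname only)."""
    scheme, rest = location.split("://", 1)
    authority = rest.split("/", 1)[0]
    if ":" in authority:
        return int(authority.rsplit(":", 1)[1])
    return 443 if scheme == "https" else 80


def lint(text, host_header, uri="/"):
    """Findings for each redirect in the frontend; an empty list means every
    redirect lands on a TLS listener of this same frontend."""
    listeners, redirects = parse_frontend(text)
    findings = []
    for kind, argument in redirects:
        loc = location_header(kind, argument, host_header, uri)
        port = target_port(loc)
        if port not in listeners:
            findings.append(f"{loc}: nothing in this frontend listens on port {port}")
        elif not listeners[port]:
            findings.append(f"{loc}: port {port} is the plaintext listener, "
                            "so the browser's TLS handshake will fail")
    return findings


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_FRONTEND), ("fixed", FIXED_FRONTEND)):
        print(name, lint(cfg, "192.168.209.133:5006") or ["ok"])
```

Run with the Host header curl sent (`192.168.209.133:5006`) and the original frontend reproduces the `location: https://192.168.209.133:5006/` seen in the curl output, while the prefix form yields `https://192.168.209.133:5443/`. The prefix form also has a security property worth keeping: the authority in Location is a literal from the config, so a client-controlled Host header is never echoed into a redirect. If you ever build the target from the Host header dynamically (for example to avoid hard-coding the IP), validate Host against an allow-list of your own names first.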

Hi Lukas,

Sure thing, here it is:

# Example configuration for a possible web application.  See the
# full configuration options online.
#
#   https://www.haproxy.org/download/1.8/doc/configuration.txt
#
#---------------------------------------------------------------------

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events.  This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #   file. A line like the following can be added to
    #   /etc/sysconfig/syslog
    #
    #    local2.*                       /var/log/haproxy.log
    #
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon
    tune.ssl.default-dh-param 2048

    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

    # utilize system-wide crypto-policies
    ssl-default-bind-ciphers PROFILE=SYSTEM
    ssl-default-server-ciphers PROFILE=SYSTEM

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000

#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend    monitor
    bind    *:81
    stats   uri /haproxy    

frontend    simple_webapp    
    mode    http
    bind    *:5006
    bind    *:5443  ssl crt /root/Downloads/simple_webapp_all.pem
    http-request redirect scheme https unless { ssl_fc }

    default_backend simple_webapp
#---------------------------------------------------------------------
# static backend for serving up images, stylesheets and such
#---------------------------------------------------------------------

#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend simple_webapp
    balance     roundrobin
    server      centos8-1 192.168.209.134:5006  check
    server      centos8-2 192.168.209.135:5006  check

That’s the original wrong configuration. Remove:

http-request redirect scheme https unless { ssl_fc }

and add:

http-request redirect prefix  https://192.168.209.133:5443 unless { ssl_fc }

and then provide the output of curl -vv http://host/ again.

Hi Lukas,

Here is the output after updating:

[root@centos8 ssl]# curl -vv http://192.168.209.133:5006
* Rebuilt URL to: http://192.168.209.133:5006/
*   Trying 192.168.209.133...
* TCP_NODELAY set
* Connected to 192.168.209.133 (192.168.209.133) port 5006 (#0)
> GET / HTTP/1.1
> Host: 192.168.209.133:5006
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 302 Found
< content-length: 0
< location: https://192.168.209.133:5443/
< cache-control: no-cache
<
* Connection #0 to host 192.168.209.133 left intact
[root@centos8 ssl]# curl -vv https://192.168.209.133:5443
* Rebuilt URL to: https://192.168.209.133:5443/
*   Trying 192.168.209.133...
* TCP_NODELAY set
* Connected to 192.168.209.133 (192.168.209.133) port 5443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Redirect works fine.

Hi Lukas,

Right, the curl output looks good, but Chrome still fails with the error below:

This site can’t provide a secure connection

192.168.209.133 sent an invalid response.

ERR_SSL_PROTOCOL_ERROR

Btw, once I changed the HTTP port from 5006 to 80 and the HTTPS port from 5443 to 443, everything was normal. However, I am not able to use the default one. :frowning:

I have no clue why this happens. Does it work in Firefox or other browsers?

I tried Firefox, and it posted an error like:
SSL_ERROR_RX_RECORD_TOO_LONG

The interesting part is, once I changed the port from 5006 to another one, not only 80 or 8080, the redirection works. Not sure if there is any limitation on 5006 (dedicated for the wsm server).
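What the two browser errors in this thread mean at the byte level, as an added example that is not code from the thread, from HAProxy or from any browser. Every TLS record starts with a five-byte header: content type, protocol version, payload length. When a ClientHello reaches a plaintext HTTP listener (where the original `redirect scheme https` sent browsers, https://host:5006), the listener answers with an HTTP status line, and the client reads "HTTP/" as a record header: content type 0x48 (not a TLS type), version 0x54.0x54, length 0x502f = 20527, above any TLS record maximum. Chrome's ERR_SSL_PROTOCOL_ERROR and Firefox's SSL_ERROR_RX_RECORD_TOO_LONG are those two stacks rejecting that header. The code below decodes such a reply, sends a minimal constructed ClientHello to a throwaway local plaintext listener to show the exchange end to end, and exposes `probe()`/`explain()` so the same check can be run against a real port. The 400 text is constructed and HAProxy's exact wording may differ; the thread does not establish why port 5006 still fails in Chrome after the redirect was corrected, and running `explain(probe("192.168.209.133", 5443))` against the port the browser actually reaches is the check to make before guessing.

```python
"""Added example, not code from the thread, HAProxy or any browser: what a TLS
client sees when its ClientHello reaches a plaintext HTTP listener, which is
where the original "redirect scheme https" sent browsers (https://host:5006).
"""
import socket
import struct
import threading

# Constructed reply: the shape of the 400 a plaintext HTTP listener returns when
# the bytes it receives are not an HTTP request line (HAProxy's exact text may differ).
_BODY = b"<html><body><h1>400 Bad request</h1>\nYour browser sent an invalid request.\n</body></html>\n"
PLAINTEXT_400 = (b"HTTP/1.0 400 Bad request\r\n"
                 b"Content-length: " + str(len(_BODY)).encode() + b"\r\n"
                 b"Cache-Control: no-cache\r\nConnection: close\r\n"
                 b"Content-Type: text/html\r\n\r\n" + _BODY)

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2**14 + 2048   # largest record payload any TLS version permits


def parse_tls_record_header(data):
    """Decode the first five bytes as a TLS record header:
    content type (1), protocol version (2), payload length (2, big-endian)."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return {"content_type": ctype,
            "content_type_name": TLS_CONTENT_TYPES.get(ctype, "invalid"),
            "version": (major, minor),
            "length": length,
            "valid_content_type": ctype in TLS_CONTENT_TYPES,
            "valid_version": major == 3,
            "length_ok": length <= MAX_RECORD_LEN}


def looks_like_tls(data):
    h = parse_tls_record_header(data)
    return h["valid_content_type"] and h["valid_version"] and h["length_ok"]


def explain(data):
    """One-line verdict on a server's first reply bytes."""
    h = parse_tls_record_header(data)
    if looks_like_tls(data):
        return f"TLS {h['content_type_name']} record, {h['length']} bytes of payload"
    return (f"not TLS: {data[:5]!r} decodes to content type 0x{h['content_type']:02x} "
            f"({h['content_type_name']}), version {h['version']}, length {h['length']} "
            f"(max {MAX_RECORD_LEN}); a browser aborts the handshake here")


def minimal_client_hello():
    """A bare TLS 1.2-style ClientHello (one cipher suite, no extensions). Constructed
    for the probe; a real browser's hello is much larger but starts the same way."""
    body = (b"\x03\x03" + b"\x00" * 32      # client_version, random (zeros, demo only)
            + b"\x00"                          # empty session id
            + b"\x00\x02\xc0\x2f"              # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            + b"\x01\x00")                     # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def probe(host, port, timeout=3.0):
    """Send a ClientHello to host:port and return the first bytes the server answers with."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(minimal_client_hello())
        return s.recv(4096)


def _serve_plaintext_once(listener):
    conn, _ = listener.accept()
    with conn:
        conn.recv(4096)             # the ClientHello, which a plaintext HTTP listener cannot parse
        conn.sendall(PLAINTEXT_400)


def local_demo():
    """Run the probe against a throwaway local plaintext listener; returns the decoded header."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=_serve_plaintext_once, args=(listener,), daemon=True).start()
    reply = probe("127.0.0.1", listener.getsockname()[1])
    listener.close()
    return parse_tls_record_header(reply)


if __name__ == "__main__":
    print(explain(PLAINTEXT_400))
    print(local_demo())
```

A reply that passes `looks_like_tls` is a ServerHello or an alert; either proves the port speaks TLS. A reply that fails it means the port the browser was redirected to is plaintext, and no certificate work will fix it; the redirect target has to change.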