Force http to https


#1

Hi Team,

I’m trying to force https on my test website. I have the following config “haproxy > Nginx > Tomcat”. However, whenever I add “redirect scheme https if !{ ssl_fc }” to force https, my login stops. Currently, both http and https are working well individually. The following is my configuration. I have separate frontend & backend for http and https. Not sure where I am going wrong. Please help!!

frontend http-test-80
    bind 192.168.1.10:80
    mode http
    reqadd X-Forwarded-Proto:\ http

    redirect scheme https if !{ ssl_fc }

    acl host_test80 hdr(host) -i test.zahid.com
    use_backend static_test if host_test80

    acl host_test80 hdr(host) -i static1.test.zahid.com
    use_backend static_test if host_test80

backend static_test
    balance roundrobin
    option httpclose
    option forwardfor
    cookie static insert indirect nocache
    option httpchk HEAD /LoadBalancer_HealthCheck.php HTTP/1.0
    server stat-test 192.168.1.20:80 cookie mpstatic1 check

=================================================================================
frontend http-test-443
    bind 192.168.1.10:443 ssl crt /etc/haproxy/certs/test.zahid.com/test.zahid.com.pem
    reqadd X-Forwarded-Proto:\ https

    acl host_test443_secure hdr(host) -i test.zahid.com
    use_backend static_test_secure if host_test443_secure

    acl host_test443_secure hdr(host) -i static1.test.zahid.com
    use_backend static_test_secure if host_test443_secure

backend static_test_secure
    balance roundrobin
    option httpclose
    option forwardfor
    redirect scheme https if !{ ssl_fc }
    cookie static insert indirect nocache
    option httpchk HEAD /LoadBalancer_HealthCheck.php HTTP/1.0
    server stat-test-secure 192.168.1.20:80 cookie mpstatic2 check

Best Regards,
Zahid


#2

Do you have multiple backend servers or is there just one, as per the configuration you provided?

I suggest you use the same backend for both frontends. Especially the fact that the same server has a different cookie value is problematic.
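
Added example, not part of any post in this thread: a small Python check for the point made in #2, that one server address carrying different persistence-cookie values in different backends is a problem. The function names and the trimmed sample config are constructed for illustration, and the parser only reads `cookie` and `server` lines.

```python
from collections import defaultdict

SECTIONS = {"global", "defaults", "frontend", "backend", "listen", "userlist", "peers", "resolvers"}

# Constructed sample: the two backends from the first post, cut down to the cookie lines.
SAMPLE_CFG = """\
backend static_test
    cookie static insert indirect nocache
    server stat-test 192.168.1.20:80 cookie mpstatic1 check

backend static_test_secure
    cookie static insert indirect nocache
    server stat-test-secure 192.168.1.20:80 cookie mpstatic2 check
"""

def parse_backends(cfg_text):
    """Return {backend: {"cookie": name or None, "servers": [(address, cookie value or None)]}}."""
    backends, current = {}, None
    for raw in cfg_text.splitlines():
        words = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if not words:
            continue
        if words[0] in SECTIONS:                  # a new section starts
            current = None
            if words[0] in ("backend", "listen") and len(words) > 1:
                current = backends.setdefault(words[1], {"cookie": None, "servers": []})
        elif current is not None and words[0] == "cookie" and len(words) > 1:
            current["cookie"] = words[1]          # name of the persistence cookie
        elif current is not None and words[0] == "server" and len(words) >= 3:
            opts = words[3:]                      # options after "server <name> <address>"
            value = opts[opts.index("cookie") + 1] if "cookie" in opts[:-1] else None
            current["servers"].append((words[2], value))
    return backends

def conflicting_cookies(cfg_text):
    """Return {(cookie name, address): {value: [backends]}} where one address has several values."""
    seen = defaultdict(lambda: defaultdict(list))
    for name, backend in parse_backends(cfg_text).items():
        if backend["cookie"] is None:
            continue
        for address, value in backend["servers"]:
            if value is not None:
                seen[(backend["cookie"], address)][value].append(name)
    return {key: dict(values) for key, values in seen.items() if len(values) > 1}

if __name__ == "__main__":
    for (cookie, address), values in conflicting_cookies(SAMPLE_CFG).items():
        print(f"cookie '{cookie}' for {address} differs across backends: {values}")
```

With the sample, a browser that received `static=mpstatic1` over port 80 presents a value that matches no server in `static_test_secure`, so the persistence cookie is reissued when the client crosses from http to https.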


#3

Hi lukastribus,

Thanks for your reply!!

No, just one backend server (nginx).

Okay, so if I use the same backend for both frontends, should my config look like the following? Please correct me if there are any config mistakes:

frontend http-test-80
    bind 192.168.1.10:80
    mode http
    reqadd X-Forwarded-Proto:\ http

    redirect scheme https if !{ ssl_fc }

    acl host_test80 hdr(host) -i test.zahid.com
    use_backend static_test_secure if host_test80

    acl host_test80 hdr(host) -i static1.test.zahid.com
    use_backend static_test_secure if host_test80

=================================================================================

frontend http-test-443
    bind 192.168.1.10:443 ssl crt /etc/haproxy/certs/test.zahid.com/test.zahid.com.pem
    reqadd X-Forwarded-Proto:\ https

    acl host_test443_secure hdr(host) -i test.zahid.com
    use_backend static_test_secure if host_test443_secure

    acl host_test443_secure hdr(host) -i static1.test.zahid.com
    use_backend static_test_secure if host_test443_secure

backend static_test_secure
    balance roundrobin
    option httpclose
    option forwardfor
    redirect scheme https if !{ ssl_fc }
    cookie static insert indirect nocache
    option httpchk HEAD /LoadBalancer_HealthCheck.php HTTP/1.0
    server stat-test-secure 192.168.1.20:80 cookie mpstatic1 check


#4

Then why do you configure roundrobin, health checks and cookie stickiness? That makes no sense with only one backend server.

Elaborate what that means exactly please.


#5

Hi lukastribus,

Actually, earlier I was using two servers in the backend, hence the settings you’ve pointed out, but now I’ve decided to continue with only one backend server and I haven’t disturbed the earlier settings.

Best Regards,
Zahid


#6

Hi lukastribus,

I’ve disabled roundrobin, health checks and cookie stickiness, but I’m still unable to log in. Once I remove “redirect scheme https if !{ ssl_fc }” from the port 80 frontend, I am able to log in.

Best Regards,
Zahid