Handling http to an https site only (pfsense/haproxy)

I started a huge long post in the pfsense forums asking for help on this but so far, still not able to solve it.

The problem is that after a lot of messing around, I can now see the traffic hitting the web server.
However, all public clients get a 301 while LAN sided clients get to the web site.

One of my questions was in terms of building the web applications.
I need to have pfsense with acme handling the ssl cert then sending the traffic to haproxy.
All of the web apps were built using https, all urls, links, everything in their databases are https.

I have everything almost working but because the sites are built using https, even though the traffic is hitting the web server using http, the sites end up broken for clients, getting a 301.

I cannot really convert all of the sites to http only as that would break lots of things on the site that require them to be https.

I wondered how some of you are handling this kind of problem.

Figured haproxy would be the place to ask questions about haproxy :slight_smile:

Are you saying that the web applications send a 301 because haproxy connects to them via HTTP, but the clients actually connect via HTTPS, so you get infinite 301’s ?

There are different ways to solve this:

  • send X-Forwarded-Proto: https when haproxy is using HTTPS from the client:

    http-request set-header x-forwarded-proto %[ssl_fc,iif(https,http)]
    

    However, this requires that your backend application is actually aware of and respects this header. If it does, it will consider the connection HTTPS for all intents and purposes (no 301 redirect, and correct URLs and cookie settings, etc.)

  • you can also just reencrypt the traffic with HTTPS. In this case your web application just gets a normal HTTPS connection from haproxy, while the certificate in the browser is still the certificate configured in haproxy. Because you are on the LAN, you can disable certificate validation of the backend servers:

    server www1 192.168.1.50:443 ssl verify none
    

I’d prefer option 1, because then you can also send things like X-Forwarded-For with the IP address of the client. Otherwise your application always sees the IP of haproxy as opposed to the public IP of the client. However, it requires application support.
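To show how the two options in the reply above fit together in one file, here is an added example config (not the poster's or the pfSense package's own configuration). The frontend terminates TLS, redirects any plain-HTTP client itself so the backend never has to, and sets the forwarded headers with `set-header` (which overwrites anything a client sent, so the app cannot be tricked into believing an HTTP request was HTTPS). One backend uses option 1 (plain HTTP plus headers), the other option 2 (re-encrypt with `verify none`). Hostnames, addresses and the certificate path are assumptions.

```haproxy
# Added example config, not from the thread. Addresses, hostnames and the
# certificate path are placeholders.
global
    log stdout format raw local0

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_web
    bind :80
    # Certificate issued by the acme package; path is an assumption.
    bind :443 ssl crt /var/etc/haproxy/example.com.pem
    # Do the http->https redirect in haproxy, so the backend only ever sees
    # requests that really arrived over TLS.
    http-request redirect scheme https code 301 unless { ssl_fc }
    # Option 1: tell the app which scheme/port/IP the client actually used.
    # set-header overwrites client-supplied values; never use add-header here.
    http-request set-header X-Forwarded-Proto %[ssl_fc,iif(https,http)]
    http-request set-header X-Forwarded-Port  %[dst_port]
    option forwardfor
    use_backend be_app_reencrypt if { hdr(host) -i legacy.example.com }
    default_backend be_app_plain

# Option 1: the app listens on plain HTTP and trusts X-Forwarded-Proto,
# so it builds https:// URLs and secure cookies without redirecting.
backend be_app_plain
    server www1 192.168.1.50:80 check

# Option 2: re-encrypt to an app that refuses plain HTTP. "verify none"
# skips certificate validation, so keep this to a trusted LAN segment;
# the forwarded headers above still reach it for client-IP logging.
backend be_app_reencrypt
    server www2 192.168.1.51:443 ssl verify none check
```

With option 1 the application still has to be configured to trust the proxy's `X-Forwarded-*` headers (most frameworks have a "trusted proxies" setting); until it does, it will keep issuing the 301 described in the original post.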

Hi,

I didn’t ask my question so clearly perhaps.

First, working on this, I discovered a bug on pfsense (2.7.0) when configuring haproxy on that where no matter what I did, https traffic was being sent. I solved that by completely trashing my haproxy config and rebuilding it then it worked.

However, now that it’s sending http traffic, I’m not sure how to handle the back end, the web services because they have all been built using https. There are no http urls in the pages or in the databases.

Therefore, what keeps happening is that as soon as haproxy traffic reaches the web applications, the user gets a 301 and/or a looping redirect.

Not because there is one configured on the web service but because all of the urls are https.
The traffic comes in as http but all the links are https so nothing works.

I can’t rebuild all of the apps using https and some of them don’t even allow using http so how do people get around this problem?