My homelab is hosting a node.js app. I’m using the HAProxy package on pfSense. I’m wanting to use HAProxy for SSL offloading. The backend node.js, and its mongoDB, are http. When a user goes into the site there are warnings about ‘loading mixed (insecure) display content’, coming through from the app, and the padlock gives a warning that the connection is ‘not secure’ as a result. They’re mostly linked with calls to the db.
This seems to be a common issue, but I’m struggling to grasp which option (for the frontend?) I need to add to solve this.
Would one of the http-request-header or http-response-header ‘actions’ apply https to all responses coming out of the backend server? (I think that’s what I need to achieve.)
Here’s my HAProxy config:
# Automaticaly generated, dont edit manually.
# Generated on: 2019-12-19 09:41
global
    maxconn 100
    stats socket /tmp/haproxy.socket level admin
    uid 80
    gid 80
    nbproc 1
    hard-stop-after 15m
    chroot /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param 2048
    server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats admin if TRUE
    stats show-legends
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

frontend SpottingTrains_FE1
    bind 192.168.1.100:443 name 192.168.1.100:443 ssl crt-list /var/etc/haproxy/SpottingTrains_FE1.crt_list
    mode http
    log global
    option http-keep-alive
    timeout client 30000
    http-request add-header X-Forwarded-Proto https
    acl aclcrt_SpottingTrains_FE1 var(txn.txnhost) -m reg -i ^www\.spottingtrains\.com(:([0-9]){1,5})?$
    acl aclcrt_SpottingTrains_FE1 var(txn.txnhost) -m reg -i ^spottingtrains\.com(:([0-9]){1,5})?$
    http-request set-var(txn.txnhost) hdr(host)
    use_backend PengellyBeckett1_BE_ipvANY if aclcrt_SpottingTrains_FE1

backend PengellyBeckett1_BE_ipvANY
    mode http
    id 100
    log global
    timeout connect 30000
    timeout server 30000
    retries 3
    option httpchk OPTIONS /
    server pengellybeckettvm1 10.10.20.10:7331 id 101 check inter 1000
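
An added example, not part of the original post or the poster's app: a backend-side check for the two things this setup involves, reading the `X-Forwarded-Proto` value the frontend adds and finding the `http://` subresource URLs in rendered HTML that cause the mixed-content warning. The function names, sample HTML and file paths are constructed for illustration, and it assumes the backend is reachable only through HAProxy.

```javascript
// Added example: hypothetical helper names, constructed sample data.

// Scheme the browser used, as reported by the proxy. `http-request add-header`
// appends rather than replaces, so a client-supplied X-Forwarded-Proto can
// precede the proxy's value. Node joins duplicate headers with ", ", which
// makes the last entry the one HAProxy added.
function externalScheme(headers) {
  const raw = headers['x-forwarded-proto'];
  if (!raw) return 'http';
  const values = String(raw).split(',').map((v) => v.trim().toLowerCase());
  return values[values.length - 1] === 'https' ? 'https' : 'http';
}

// Elements whose src/href is fetched as part of the page. An http:// URL here
// is what the browser reports as mixed content; <a href> is navigation and is
// deliberately not matched.
const SUBRESOURCE =
  /<(img|script|iframe|audio|video|source|link)\b[^>]*?\s(src|href)\s*=\s*["'](http:\/\/[^"']+)["']/gi;

function findMixedContent(html) {
  const hits = [];
  for (const m of html.matchAll(SUBRESOURCE)) {
    hits.push({ tag: m[1].toLowerCase(), attr: m[2].toLowerCase(), url: m[3] });
  }
  return hits;
}

// Constructed sample page: two insecure images, one secure stylesheet,
// one relative script and one plain link.
const SAMPLE_HTML = `
<link rel="stylesheet" href="https://www.spottingtrains.com/site.css">
<img src="http://www.spottingtrains.com/photos/1.jpg">
<a href="http://example.com/">elsewhere</a>
<script src="/app.js"></script>
<img alt="x" src='http://www.spottingtrains.com/photos/2.jpg'>
`;

// Constructed request headers: the client sent "http", HAProxy appended "https".
const SAMPLE_HEADERS = { host: 'www.spottingtrains.com', 'x-forwarded-proto': 'http, https' };

if (externalScheme(SAMPLE_HEADERS) === 'https') {
  for (const hit of findMixedContent(SAMPLE_HTML)) {
    console.log(`mixed content: <${hit.tag} ${hit.attr}="${hit.url}">`);
  }
}
```

Each URL it reports has to be served with a relative or `https://` address by the app; the proxy header only tells the backend which scheme the browser used.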