HAProxy as SSL termination and backend JBoss application


#1

Hi,
I would like to replace my current Apache reverse proxy with haproxy.
I have defined 2 frontend sections: http-input for incoming http requests and https-input for incoming https requests.
At the moment I have only a Java application as backend server, but in the future I would like to use haproxy to proxy requests to IIS.
I have a problem redirecting http requests to https for some URLs.
This is my haproxy configuration:
global
    log 127.0.0.1 local2 debug

    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    maxconn 4000
    daemon
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

defaults
    log global
    mode http
    option dontlognull
    option httplog
    option http-server-close
    option forwardfor except 127.0.0.0/8
    option redispatch
    retries 3
    timeout http-request 60s
    timeout queue 1m
    timeout connect 60s
    timeout client 60s
    timeout server 1m
    timeout http-keep-alive 60s
    timeout check 60s
    maxconn 3000

frontend http-input
    bind *:80
    mode http
    option http-server-close
    reqadd X-Forwarded-Proto:\ http
    redirect scheme https if { hdr(host) -i mywebsite.mydomain.com } !{ ssl_fc }

frontend https-input
    bind *:443 ssl crt /etc/haproxy/cert/mycert.pem
    mode http
    option http-server-close
    reqadd X-Forwarded-Proto:\ https
    redirect prefix https://mywebsite.mydomain.com if { hdr(host) -i mywebsite.mydomain.com }
    acl is_cu_hdr_nodoaric hdr(host) -i collaudo-wsnodo.aric.it
    acl is_hdr_mywebsite hdr(host) -i mywebsite.mydomain.com
    use_backend appserver1 if is_hdr_mywebsite

backend appserver1
    mode http
    option httpclose
    option forwardfor
    balance roundrobin
    cookie JSESSIONID prefix nocache
    server appserver1 appserver1.private.intra:8080 cookie appserver1 check inter 5000

In my log file I read this error:
localhost haproxy[17683]: 31.198.67.34:50543 [15/Dec/2017:15:11:37.320] https-input~ https-input/ 70/-1/-1/-1/70 302 151 - - LR-- 0/0/0/0/0 0/0 “GET /context2RA/ HTTP/1.1”

I have googled for 2 days and do not understand where the problem is! Please help me!
Thank you


#2

You can remove the “!{ ssl_fc }”, as you have an HTTP-only frontend, the traffic will always be … not encrypted.

This configuration line here redirects to itself (same URL), makes no sense and causes endless redirects. Remove it, it will fix your endless redirect issue.


#3

Hi lukastribus,
I removed
!{ ssl_fc } from my http-input
and
redirect prefix https://mywebsite.mydomain.com if { hdr(host) -i mywebsite.mydomain.com }
now haproxy works fine!
Thank you!
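
An added example, not part of the original thread: a Python script that reads `option httplog` lines like the one in the first post and flags a client that HAProxy itself keeps answering with a 3xx for the same URI on the TLS frontend, which is how the redirect loop explained in the second post shows up in the log. The sample log lines, the addresses and the threshold of 3 are constructed for illustration.

```python
import re
from collections import Counter

# Fields of an "option httplog" line as shown in the thread; the syslog prefix is skipped.
LINE = re.compile(
    r'(?P<client>[\d.]+):\d+ \[[^\]]+\] (?P<fe>\S+) (?P<be>[^/\s]+)/(?P<srv>\S*) '
    r'(?P<timers>[-\d/]+) (?P<status>\d{3}) \d+ \S+ \S+ (?P<term>\S{4}) '
    r'\S+ \S+ ["“](?P<method>\S+) (?P<uri>\S+)[^"”]*["”]'
)

def local_redirects(lines):
    """Yield parsed entries that HAProxy answered itself with a 3xx."""
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        e = m.groupdict()
        # Termination state starting with "L": the request was handled locally
        # by HAProxy and never passed to a server (redirects, stats page).
        if e["term"].startswith("L") and e["status"].startswith("3"):
            e["tls"] = e["fe"].endswith("~")  # "~" is appended for TLS connections
            yield e

def redirect_loops(lines, threshold=3):
    """Repeated local redirects per (client, frontend, URI) on TLS frontends only:
    a client already on HTTPS that keeps being redirected is looping."""
    hits = Counter(
        (e["client"], e["fe"], e["uri"]) for e in local_redirects(lines) if e["tls"]
    )
    return {key: n for key, n in hits.items() if n >= threshold}

# Constructed sample log (documentation addresses, not real traffic).
LOOP = ('203.0.113.7:40001 [15/Dec/2017:15:11:3{0}.000] https-input~ https-input/<NOSRV> '
        '70/-1/-1/-1/70 302 151 - - LR-- 0/0/0/0/0 0/0 "GET /context2RA/ HTTP/1.1"')
SAMPLE = [LOOP.format(i) for i in range(4)] + [
    '203.0.113.7:40000 [15/Dec/2017:15:11:29.000] http-input http-input/<NOSRV> '
    '3/-1/-1/-1/3 302 140 - - LR-- 0/0/0/0/0 0/0 "GET /context2RA/ HTTP/1.1"',
    '198.51.100.9:51000 [15/Dec/2017:15:12:01.000] https-input~ appserver1/appserver1 '
    '5/0/1/20/26 200 5120 - - --NI 1/1/0/0/0 0/0 "GET /context2RA/ HTTP/1.1"',
]

if __name__ == "__main__":
    for (client, fe, uri), n in redirect_loops(SAMPLE).items():
        print(f"{client} redirected {n}x on {fe} for {uri}: likely redirect loop")
```

A single 302 on the plain HTTP frontend is the expected upgrade to HTTPS, so only repeats on the TLS frontend are reported.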