HAProxy reverse proxy ssl frontend changes relative paths to absolute paths, why?


#1

Hi All,

When I view source on my website, I noticed that all my relative paths are replaced with absolute paths. I’d like to find out why this is happening and to figure out if this has something to do with my footer not showing up in the https version of my site.

http://www.nomura.ca (notice the footer on the bottom and all paths are relative)
https://www.nomura.ca (paths are now all absolute and the footer text is gone. Not sure if the two are related)

Here’s my haproxy.cfg. Hopefully someone can figure this out.

global
        log /dev/log    local0
        log /dev/log    local1 notice
#       chroot /var/lib/haproxy
        chroot /etc/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin
        stats timeout 30s
        user haproxy
        group haproxy
        daemon
        maxconn 50000
        tune.ssl.default-dh-param 2048

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
        ssl-default-bind-options no-sslv3 no-tlsv10
        lua-load /etc/haproxy/acme-http01-webroot.lua

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http
        option forwardfor
        option http-server-close

frontend www-http
        maxconn 50000
        bind 10.250.50.100:80
        reqadd X-Forwarded-Proto:\ http
# Rule to redirect to Lua plugin
        acl url_acme_http01 path_beg /.well-known/acme-challenge/
        http-request use-service lua.acme-http01 if METH_GET url_acme_http01
# Use the special non http to https forwarding backend if traffic from LE
        use_backend verification if url_acme_http01
        default_backend www-backend

frontend www-https
        maxconn 50000
        bind 10.250.50.100:443 ssl crt /etc/haproxy/certs/
        reqadd X-Forwarded-Proto:\ https
        default_backend https-backend

backend verification # does not redirect to https to allow verification to work with LE without errors
        option httpchk GET /
        http-check expect string alive
        server web1 10.250.30.1:80 check fall 3 rise 2
        server web2 10.250.30.2:80 check fall 3 rise 2
        server web3 10.250.30.3:80 check fall 3 rise 2
        server web4 10.250.30.4:80 check fall 3 rise 2
        server web5 10.250.30.5:80 check fall 3 rise 2
        server web6 10.250.30.6:80 check fall 3 rise 2
        server web7 10.250.30.7:80 check fall 3 rise 2
        server web8 10.250.30.8:80 check fall 3 rise 2
        server web9 10.250.30.9:80 check fall 3 rise 2
        server web10 10.250.30.10:80 check fall 3 rise 2

backend www-backend
        option httpchk GET /
        http-check expect string alive
#       redirect code to https below if http traffic is hitting the frontend
#       redirect scheme https if !{ ssl_fc }   # redirects https
        server web1 10.250.30.1:80 check fall 3 rise 2
        server web2 10.250.30.2:80 check fall 3 rise 2
        server web3 10.250.30.3:80 check fall 3 rise 2
        server web4 10.250.30.4:80 check fall 3 rise 2
        server web5 10.250.30.5:80 check fall 3 rise 2
        server web6 10.250.30.6:80 check fall 3 rise 2
        server web7 10.250.30.7:80 check fall 3 rise 2
        server web8 10.250.30.8:80 check fall 3 rise 2
        server web9 10.250.30.9:80 check fall 3 rise 2
        server web10 10.250.30.10:80 check fall 3 rise 2

backend https-backend
        option httpchk GET /
        http-check expect string alive
        server web1 10.250.30.101:443 check fall 3 rise 2 ssl verify none
        server web2 10.250.30.102:443 check fall 3 rise 2 ssl verify none
        server web3 10.250.30.103:443 check fall 3 rise 2 ssl verify none
        server web4 10.250.30.104:443 check fall 3 rise 2 ssl verify none
        server web5 10.250.30.105:443 check fall 3 rise 2 ssl verify none
        server web6 10.250.30.106:443 check fall 3 rise 2 ssl verify none
        server web7 10.250.30.107:443 check fall 3 rise 2 ssl verify none
        server web8 10.250.30.108:443 check fall 3 rise 2 ssl verify none
        server web9 10.250.30.109:443 check fall 3 rise 2 ssl verify none
        server web10 10.250.30.110:443 check fall 3 rise 2 ssl verify none

listen stats
        bind :9000
        mode http
        stats enable
#        stats hide-version
        stats show-node
        stats realm HAproxy-Statistics
        stats uri /haproxy_stats
        stats auth admin:************
        stats refresh 5s

#2

HAProxy doesn’t modify any HTTP payload; your backend application or server does.

If you don’t want your backend to be aware of the fact that the connection was made via SSL, remove the reqadd X-Forwarded-Proto:\ https configuration from your frontend.

But you really should fix your application instead.
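
One way to check the point made in #2, that the backend rather than HAProxy produces the absolute URLs: request the same page straight from a backend server, once without and once with an `X-Forwarded-Proto: https` header, and compare the URL-bearing attributes of the two responses. The code below is an added example and not part of the thread; the two HTML bodies and the `www.example.test` host are constructed stand-ins for those two responses.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that carry URLs in the markup being compared.
URL_ATTRS = {"href", "src", "action"}


class LinkCollector(HTMLParser):
    """Collects (tag, attribute, value) for URL-bearing attributes, in document order."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.links.append((tag, name, value))


def collect_links(html):
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def is_absolute(url):
    """True for scheme://host/... and protocol-relative //host/... URLs."""
    return bool(urlsplit(url).netloc)


def rewritten_links(plain_html, forwarded_html):
    """Pair links by position and return those that are relative in the plain
    response but absolute in the response to the forwarded request."""
    changes = []
    for before, after in zip(collect_links(plain_html), collect_links(forwarded_html)):
        same_slot = before[:2] == after[:2]  # same tag and attribute
        if same_slot and not is_absolute(before[2]) and is_absolute(after[2]):
            changes.append((before[0], before[1], before[2], after[2]))
    return changes


# Constructed sample bodies: the same page as served by one backend without
# (PLAIN) and with (FORWARDED) the "X-Forwarded-Proto: https" request header.
PLAIN = '<link href="/css/site.css"><img src="img/logo.png"><a href="/about">About</a>'
FORWARDED = ('<link href="https://www.example.test/css/site.css">'
             '<img src="https://www.example.test/img/logo.png"><a href="/about">About</a>')
```

If `rewritten_links` returns entries for responses taken directly from a backend, the rewriting is done by the application and the proxy is only supplying the header it reacts to.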