Http redirect https + WebSocket + send clientIP

Hello!

I’ve run into a problem while trying to convert an NGINX configuration to HAProxy 2.3. The task is to redirect the client from http:80 to https:443 and, after a successful login, switch from HTTP to WebSocket. I also have to send the client IP to the backend via the x-real-ip vs x-forwarded-for headers.
The WebSocket-specific part of the NGINX config:

location / {
    proxy_pass http://Farm;
    proxy_http_version 1.1;
    proxy_redirect off;
    proxy_buffering off;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_connect_timeout 90;
    proxy_send_timeout 90;
    proxy_read_timeout 90;
}

But I cannot reproduce the right behavior with HAProxy. I think it is because I don’t understand some details of it. Could I ask for some advice on how to solve my task?
My HAProxy config is:

frontend j38-fr
    bind ip-add:80
    mode http
    redirect scheme https if !{ ssl_fc }
    option forwardfor header X-Real-IP
    option http-server-close
    timeout tunnel 1h
    use_backend Farm

backend bk_web
  balance roundrobin
  server websrv1  servIP:22088

I used this manual (Websockets Load Balancing With HAProxy) in my case.

When the client tries to switch from HTTP to WebSocket, I get an error in the browser’s devtools: “WebSocket connection to ‘wss://example.loc/12345’ failed”

If I turn on mode tcp in the frontend and backend sections and try to connect to http://example.loc, I see that the HTTP part works correctly, but when I go to “example.loc/12345” (HTTP switches to WebSocket mode) I receive the same error in the devtools console of the browser → “WebSocket connection to ‘wss://example.loc/12345’ failed”
Config here:

frontend j38-fr
    bind ip-add:80
    mode tcp
    redirect scheme https if !{ ssl_fc }
    option forwardfor header X-Real-IP
    option http-server-close
    timeout tunnel 1h
    use_backend Farm

backend bk_web
  mode tcp
  balance roundrobin
  server websrv1  servIP:22088

In the next case I added SSL options to the frontend section (see config below). Now I manage to connect correctly. I don’t understand how “bind ip-add:443 ssl crt file.pem” makes HAProxy establish the WebSocket in that case. Could somebody explain, please :)

frontend j38-fr
    bind ip-add:80
    bind ip-add:443 ssl crt file.pem
    mode tcp
    redirect scheme https if !{ ssl_fc }
    option forwardfor header X-Real-IP
    option http-server-close
    timeout tunnel 1h
    use_backend Farm

backend bk_web
  mode tcp
  balance roundrobin
  server websrv1  servIP:22088

The question about using X-Real-IP and X-Forwarded-For is still open.

Some extra info. I noticed that when I use “mode http”, switching to WebSocket does not succeed. It happens because HAProxy rewrites the headers to lower case. With “mode tcp” there is no such problem: the headers are passed to the backend with capital letters and WebSocket activates correctly. Is this a bug, or am I doing something wrong? Please see the picture.
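
An added example, not part of the original post: one HTTP-mode layout that covers the redirect, the WebSocket upgrade and both client-IP headers. In `mode tcp` the `redirect` and `option forwardfor` lines are ignored because they act on HTTP messages, so this sketch stays in `mode http`. It assumes the post's placeholders (`ip-add`, `file.pem`, `servIP:22088`) and that the backend only accepts capitalised header names; the timeout values are illustrative.

```haproxy
global
    # Assumption: the backend matches header names case-sensitively.
    # These map the lower-case names HAProxy emits back to the listed spelling.
    h1-case-adjust upgrade Upgrade
    h1-case-adjust connection Connection
    h1-case-adjust sec-websocket-key Sec-WebSocket-Key
    h1-case-adjust sec-websocket-version Sec-WebSocket-Version

defaults
    mode http
    timeout connect 5s
    timeout client  90s
    timeout server  90s
    # Takes over from client/server timeouts once the connection is upgraded.
    timeout tunnel  1h

frontend j38-fr
    bind ip-add:80
    # wss:// connects to port 443, so a TLS listener must exist there.
    bind ip-add:443 ssl crt file.pem
    # ssl_fc is true only for connections accepted on the ssl bind line.
    http-request redirect scheme https code 301 unless { ssl_fc }
    # Drop client-supplied copies so the backend never sees a spoofed address.
    # (NGINX's $proxy_add_x_forwarded_for appends to the client's value instead.)
    http-request del-header X-Real-IP
    http-request del-header X-Forwarded-For
    http-request set-header X-Real-IP %[src]
    # Adds X-Forwarded-For carrying the connecting client's address.
    option forwardfor
    default_backend bk_web

backend bk_web
    balance roundrobin
    # Apply the h1-case-adjust map to requests sent to this backend's servers.
    option h1-case-adjust-bogus-server
    server websrv1 servIP:22088
```

Running `haproxy -c -f` against the file shows any directive that is ignored in the chosen mode, and backend logic that trusts `X-Real-IP` or `X-Forwarded-For` should accept connections only from the proxy's address.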