Http to https on same frontend port

Hi all,

I’m trying to set up HAproxy to send all http request to https follow the same link and port. For example:

http://exmple.local:9443 —> https://exmple.local:9443

Here is my configuration:

frontend example
bind *:9443 ssl crt /etc/haproxy/example.pem

Example app

acl is_example path -i -m beg /example
use_backend example_backend if is_example

backend example_backend
mode http
balance roundrobin
server example01 host:9443 check ssl verify none
server example02 host:9443 check ssl verify none
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }

In addiion, i have tried:

redirect scheme https code 301 if !{ ssl_fc }
http-request add-header X-Forwarded-Proto https

HAproxy version HA-Proxy version 2.1.4.
OS: Suse Ent. 15 SP1

Please, suggest configuration.

BR.

This will not work, don’t do it.

Well, i don’t think i have a choice. Let me explain my situation:

We have IBM Websphere application servers in the backend, listening on 9080 (http) and 9443 (https). I tried to use 443 in frontend and 9080 in backend and when I open the app on http://example.com\exampleapp i get https://example.com:9080\exampleapp and the app is not working. I can’t find what is the problem for this behavior and how to get past it (i think is the application problem, but I’m not sure).

BR.

Your assumption that putting everything in one port will solve those issues are wrong.

If the backend redirects, you either try to configure haproxy the same, or configure your backend so it does the proper redirects with correct URLs.

Assuming the host port is not wrong also, to do the former you’d listen on port 9080 and forward to 9080 in HTTP, and 9443 to 9443 for HTTPS.

1 Like

We faced this same issue a while back where the IBM websphere app servers won’t redirect correctly. The Websphere redirects in a way where the app port is part of the redirect URL. What they suggest and we eventually did is to configure an IHS (IBM HTTPD server) in front of the app servers listening on port 443 and then communicating to backend app servers. The HAProxy will listen on port 443 for https and communicate to IHS backend on 443.

1 Like

Yeah i figured that, but i went without IHS and opened the application server ports (secured) as front-end on HAproxy side. Everything working fine and we are keeping the port in the URL.

Thank you all for posting.