HTTPS redirect does not work


I’m trying to do a very simple HTTP to HTTPS redirect. I’ve been able to do this with Traefik, so I know what I am trying is possible, but I cannot get HAProxy to do it.

I want to accept connections on port 8443, using SSL with a self signed cert, and forward to a backend on port 8000. This works if I use https://localhost:8443.

I have attempted to set up the redirects in several different ways to redirect http://localhost:8443 to https. This never works.

HAProxy 2.9.6 running in docker.

Here is my config:

# haproxy.cfg
  log stderr format raw local0

  log global
  option httplog
  mode http
  timeout client 10s
  timeout connect 5s
  timeout server 10s 
  timeout http-request 10s

frontend http
  mode http
  bind :8443 ssl crt /certs/server.pem
  http-request redirect scheme https code 301 if !{ ssl_fc }
  # http-request redirect scheme https if !{ ssl_fc }
  use_backend myservers

backend myservers
  mode http
  server server1 host.docker.internal:8000

I have searched high and low, and tried multiple difference constructions of the http-request redirect. I’m using curl for testing: curl -vvk http://localhost:8443

HAProxy logs an SSL error:
haproxy | [06/Mar/2024:18:20:13.511] http/1: SSL handshake failure (error:0A00009C:SSL routines::http request)

And curl response is:

*   Trying
* Connected to localhost ( port 8443 (#0)
> GET / HTTP/1.1
> Host: localhost:8443
> User-Agent: curl/7.68.0
> Accept: */*
* Empty reply from server
* Connection #0 to host localhost left intact
curl: (52) Empty reply from server

I have spent hours trying to figure this out, and it just doesn’t work. My other server using Traefik does this with no problems, so I know that a basic http to https redirect should work in theory.

What am I missing here? It doesn’t seem like it should be this difficult, but I’m 4 hours in and can’t get this to work.

Frankly, I find Traefik to be very fussy and difficult to configure, and I don’t really need the dynamic configuration so much that it is worth dealing with it. It was looking like HAProxy might be easier overall to deal with, but now I’m not so sure. Traefik may be fussy, but it can do an http to https redirect.

I cannot imagine this is an actual bug. But how do you actually get this to work?