The issue described in the HAProxy community post revolves around an attempt to redirect HTTP traffic to HTTPS on port 8443 using HAProxy. The user has configured HAProxy to listen on port 8443 with SSL enabled and expects that HTTP requests to this port will be redirected to HTTPS. However, they encounter SSL handshake failures when testing with curl over HTTP. (HAProxy community, HAProxy Technologies)
Understanding the Problem:
The core of the problem lies in the configuration:
frontend http
    mode http
    bind :8443 ssl crt /certs/server.pem
    http-request redirect scheme https code 301 if !{ ssl_fc }
    use_backend myservers
Here, HAProxy is set to listen on port 8443 with SSL enabled (bind :8443 ssl crt /certs/server.pem). This means HAProxy expects SSL/TLS-encrypted connections on this port. However, when a client sends an unencrypted HTTP request to port 8443, HAProxy attempts to perform an SSL handshake, which fails because the client isn't initiating an SSL/TLS connection. This results in the observed SSL handshake failure. (HAProxy community)
Solution:
To properly handle both HTTP and HTTPS traffic, you should configure HAProxy to listen on separate ports for each protocol:
- HTTP on Port 8080 (or 80): This will handle unencrypted HTTP traffic and redirect it to HTTPS.
- HTTPS on Port 8443 (or 443): This will handle encrypted HTTPS traffic.
Here's how you can adjust your HAProxy configuration: (Netgate Forum)
frontend http_in
    bind *:8080
    mode http
    http-request redirect scheme https code 301

frontend https_in
    bind *:8443 ssl crt /certs/server.pem
    mode http
    default_backend myservers

backend myservers
    mode http
    server server1 host.docker.internal:8000
Explanation:
- frontend http_in: Listens on port 8080 for HTTP traffic and redirects all requests to HTTPS on the same host.
- frontend https_in: Listens on port 8443 for HTTPS traffic using the specified SSL certificate.
- backend myservers: Forwards the decrypted HTTPS requests to the backend server running on port 8000. (HAProxy community)
Testing:
After updating the configuration: (HAProxy community)
- Accessing http://localhost:8080 should redirect you to https://localhost:8443. (HAProxy community)
- Accessing https://localhost:8443 should successfully connect to your backend server.
Additional Notes:
- Ensure that both ports 8080 and 8443 are open and not blocked by any firewall rules.
- If you prefer to use the standard HTTP and HTTPS ports (80 and 443), you can adjust the bind directives accordingly.
- Remember that clients must initiate HTTPS connections on the port where SSL is enabled; HAProxy cannot perform SSL negotiation on behalf of the client if the client doesn't initiate it. (OPNsense Forum)
By separating the HTTP and HTTPS traffic onto different ports and configuring HAProxy to handle each appropriately, you should achieve the desired redirection behavior without encountering SSL handshake errors.
ChatGPT can explain this better than I can. But this should help.
To add, you cannot run non-SSL and SSL traffic on the same receiving port (which is what you seem to be trying to do).
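As an added example (not part of the post above and not HAProxy's own tooling), a small Python check that scans an HAProxy config for exactly this misconfiguration: a frontend whose binds all terminate TLS but which also carries an HTTP-to-HTTPS redirect, which can never fire because plaintext clients fail the handshake first. The BROKEN and FIXED configs are constructed from the thread.

```python
"""Added example (not HAProxy tooling): flag frontends whose every bind terminates
TLS yet also carry an HTTP-to-HTTPS redirect. A plaintext client on such a port
fails the TLS handshake before any http-request rule runs. Configs are constructed."""
import re

REDIRECT_RE = re.compile(r"\bredirect\s+scheme\s+https\b")

def parse_frontends(config: str) -> dict[str, dict]:
    """Per frontend/listen section: count ssl vs plain binds, note redirects."""
    sections: dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and indentation
        if not line:
            continue
        tokens = line.split()
        if tokens[0] in ("frontend", "listen"):
            current = sections.setdefault(tokens[1], {"ssl": 0, "plain": 0, "redirect": False})
            continue
        if tokens[0] in ("global", "defaults", "backend") or current is None:
            current = None  # another section type ends the frontend
        elif tokens[0] == "bind":
            # the "ssl" bind keyword means HAProxy terminates TLS on this socket
            current["ssl" if "ssl" in tokens[1:] else "plain"] += 1
        elif REDIRECT_RE.search(line):
            current["redirect"] = True
    return sections

def unreachable_redirects(config: str) -> list[str]:
    """Frontends whose HTTPS redirect is unreachable: TLS-only binds plus redirect."""
    return [name for name, s in parse_frontends(config).items()
            if s["redirect"] and s["ssl"] and not s["plain"]]

BROKEN = """
frontend http
    mode http
    bind :8443 ssl crt /certs/server.pem
    http-request redirect scheme https code 301 if !{ ssl_fc }
"""

FIXED = """
frontend http_in
    bind *:8080
    http-request redirect scheme https code 301
frontend https_in
    bind *:8443 ssl crt /certs/server.pem
    default_backend myservers
"""
```

unreachable_redirects(BROKEN) returns ['http'], while the two-frontend FIXED config returns an empty list.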