I have a setup where I use HAProxy for load balancing and HTTPS termination. I only allow HTTPS connections and therefore HAProxy returns redirects for all HTTP connections. However, the chain of events was as follows when an unauthenticated HTTPS connection arrives:
- HAProxy terminates the HTTPS connection and passes it as an HTTP connection to a backend
- backend returns HTTP 302 to HAProxy which returns it to the original caller
The problem was that the returned HTTP 302 contained a Location line as follows:
Location: http://localhost/login
It’s not HTTPS. This makes sense, since the backend (Spring and Spring Security) isn’t aware of the HTTPS connection to HAProxy. It’s also not much of a problem, because once the caller calls HAProxy with that URL, HAProxy will merely send another redirect to the HTTPS equivalent URL. It just feels stupid. The only option that I found was adding the following to the HAProxy configuration:
rspirep ^Location:\ http://(.*) Location:\ https://\1 if { ssl_fc }
Is this really the only option? Since the HTTP to HTTPS redirect is handled in a much more elegant fashion I suspect that there’s something I don’t know.
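The two HAProxy-side alternatives to the rspirep line above, written out as a complete configuration. This is an added example, not the asker's configuration and not taken from the HAProxy or Spring documentation; the frontend/backend names, ports, certificate path and backend address are placeholders. The first alternative tells the backend that the original connection was HTTPS (X-Forwarded-Proto), so Spring Security builds the login redirect with https itself; the second rewrites a stray http:// Location on the way back out with http-response replace-header, which is the supported replacement for rspirep (the req*/rsp* keywords were deprecated in HAProxy 2.1 and removed in 2.2).

```haproxy
# Placeholder names and paths: adjust to your environment.

frontend fe_web
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/site.pem   # placeholder certificate bundle

    # The "elegant" HTTP -> HTTPS redirect from the question: any request that
    # did not arrive over TLS on this frontend is redirected to the same URL
    # with the https scheme.
    redirect scheme https code 301 if !{ ssl_fc }

    # Option 1: tell the backend what scheme the client actually used.
    # ssl_fc is true only when the client connection to this frontend was TLS.
    # Overwrite rather than append so a client cannot spoof the header.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http  if !{ ssl_fc }
    http-request set-header X-Forwarded-Port  %[dst_port]

    default_backend be_spring

backend be_spring
    server app1 127.0.0.1:8080   # placeholder backend address (plain HTTP)

    # Option 2 (belt and braces): if the backend still emits an http:// Location
    # on a request that came in over TLS, rewrite the scheme on the way out.
    # This is the http-response equivalent of the rspirep line in the question.
    http-response replace-header Location ^http://(.*)$ https://\1 if { ssl_fc }
```

Option 1 only works if the backend honours the forwarded header. For a Spring Boot application that is `server.forward-headers-strategy=native` (Spring Boot 2.2 and later; `server.use-forward-headers=true` on older versions), which enables Tomcat's RemoteIpValve so that the servlet request reports the https scheme and Spring Security's login redirect is generated as https from the start. Option 2 needs no backend change, but it is only a patch over the symptom and it is worth checking that no other absolute URLs (for example in response bodies or Set-Cookie Secure flags) are also built from the wrong scheme.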