Is regex replace the only option for HTTPS termination redirects?

I have a setup where I use HAProxy for load balancing and HTTPS termination. I only allow HTTPS connections and therefore HAProxy returns redirects for all HTTP connections. However, the chain of events was as follows when an unauthenticated HTTPS connection arrived:

  • HAProxy terminates the HTTPS connection and passes it as an HTTP connection to a backend
  • backend returns HTTP 302 to HAProxy which returns it to the original caller

The problem was that the returned HTTP 302 contained a Location line as follows:

Location: http://localhost/login

It’s not HTTPS. This makes sense since the backend (Spring and Spring Security) isn’t aware of the HTTPS connection to HAProxy. It’s also not much of a problem because once the caller calls HAProxy with the URL, HAProxy will merely send another redirect to the HTTPS equivalent URL. It just feels stupid. The only option that I found was adding the following to the HAProxy configuration:

rspirep ^Location:\ http://(.*)  Location:\ https://\1 if  { ssl_fc }

Is this really the only option? Since the HTTP to HTTPS redirect is handled in a much more elegant fashion I suspect that there’s something I don’t know.

The proper way to address this is to set a specific header informing your backend that the transaction is SSL encrypted, so it can generate the correct redirects/links because it is aware whether or not the request came in SSL encrypted.
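
A sketch of the header approach described in the answer above, added here as an example and not taken from the original posts. The header name X-Forwarded-Proto is the common convention rather than something the answer names, and the section names, certificate path and server address are assumptions.

```haproxy
# Constructed example: fe_web, be_app, the cert path and 127.0.0.1:8080 are assumptions.
frontend fe_web
    mode http
    bind :80
    bind :443 ssl crt /etc/haproxy/certs/site.pem

    # Behaviour already described in the question: plain HTTP is redirected to HTTPS.
    http-request redirect scheme https code 301 unless { ssl_fc }

    # Remove any client-supplied value first, so a caller cannot assert "https" itself.
    http-request del-header X-Forwarded-Proto
    # Tell the backend that the original request arrived over TLS.
    http-request set-header X-Forwarded-Proto https if { ssl_fc }

    default_backend be_app

backend be_app
    mode http
    option forwardfor
    server app1 127.0.0.1:8080 check

    # The regex workaround from the question becomes unnecessary once the
    # backend honours the header and builds https:// Location values itself:
    # rspirep ^Location:\ http://(.*)  Location:\ https://\1 if  { ssl_fc }
```

The backend must also be configured to read the header, for example with Tomcat's RemoteIpValve and protocolHeader="X-Forwarded-Proto". It should honour the header only on requests arriving from the proxy's address, since any client that can reach the backend directly could otherwise set it.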

I guess I’ll give this another shot. I tried to get Tomcat do this but it didn’t. Maybe I got something wrong.