Hello,
Before I begin let me just say that I am unable to provide the content of the config file, as most of it is not human readable because I am using the HAProxy plugin for OPNsense.
I have a server that is hosting multiple websites on different ports.
Schematic
ser.ver.com (website_A) --> HTTP --> :80 OPNsense --> noSSL --> :80 Server
ser.ver.com (website_A) --> HTTPS --> :443 OPNsense --> SSL --> :443 Server
ser.ver.com:8040 (website_B) --> HTTPS --> :8040 OPNsense --> noSSL --> :8040 Server
ser.ver.com:8080 (website_C) --> HTTPS --> :8080 OPNsense --> noSSL --> :8080 Server
ser.ver.com:8888 (website_D) --> HTTPS --> :8888 OPNsense --> SSL --> :8888 Server
Each port has a single frontend. The only difference is the port they are listening on and the rules attached to them.
frontend WAN2_HTTPS_frontend
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    bind 192.168.223.252:443 name 192.168.223.252:443 curves secp384r1 ssl no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA!RC4:!CAMELLIA:!AESCCM:!AES128:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS crt-list /tmp/haproxy/ssl/6037a492f395c5.28503768.certlist
    mode http
    option http-keep-alive
    option forwardfor
    # tuning options
    timeout client 30s
I already configured everything so I can access all the websites, but this only works if I put “https://” in front of the URL, e.g. by typing “https://ser.ver.com:8080” in my browser.
Until now I have been using an “HTTPtoHTTPS_Redirect_rule” on the HTTP_frontend, which works as shown below:
If
“Traffic is SSL (TCP request content inspection)_negated_condition” and “no_acme_challenge_condition”
== true
then
http-request redirect code 301 scheme https
I have been using this rule without any issues every time I wanted to force the use of HTTPS on one of my services.
Now let’s get to my problem.
This rule works perfectly fine for hosts that have no “:Port” at the end.
But it seems like if the access URL (e.g. http://ser.ver.com:8080) has a custom port at the end, the rule is not working the way it should.
Most browsers don’t provide a useful error message, luckily Google Chrome does!
Accessing http://ser.ver.com:8080/ without redirect_rule in 8080_frontend --> ERR_EMPTY_RESPONSE
Accessing http://ser.ver.com:8080/ with redirect_rule in 8080_frontend --> ERR_EMPTY_RESPONSE
Accessing https://ser.ver.com:8080/ without redirect_rule in 8080_frontend --> WORKS
Accessing https://ser.ver.com:8080/ with redirect_rule in 8080_frontend --> ERR_TOO_MANY_REDIRECTS
I need the rule to just replace “http” with “https” so that the traffic is SSL encrypted but the port at the end is not removed / changed.
Thanks in advance.
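Added example, not the poster's OPNsense-generated config: a raw HAProxy layout in which one public port accepts both plaintext HTTP and TLS, sends the plaintext side through an HTTP-mode frontend whose only job is the 301, and lets the TLS side reach the website. Because `redirect scheme https` rebuilds the Location from the request's Host header, which still carries “:8080”, the port is preserved, and because only plaintext traffic ever reaches the redirecting frontend there is no https-to-https loop. Assumed: 192.168.223.252:8080 is the public bind, 127.0.0.1:18080 and 127.0.0.1:18443 are free loopback ports, /path/to/cert.pem is a placeholder, and a backend named website_C exists.

```haproxy
# Added example (not the poster's config). Public port 8080 is bound in TCP
# mode so the first bytes can be inspected before any HTTP parsing happens.
frontend port8080_mux
    bind 192.168.223.252:8080
    mode tcp
    # Wait up to 5s for the client's first bytes so they can be inspected.
    tcp-request inspect-delay 5s
    # A TLS ClientHello (hello type 1) or a recognisable HTTP request releases
    # the connection immediately; anything else waits out the delay.
    tcp-request content accept if { req.ssl_hello_type 1 } or HTTP
    use_backend loop_tls if { req.ssl_hello_type 1 }
    default_backend loop_plain

# Plaintext side: hand the raw stream to an HTTP frontend that only redirects.
# PROXY protocol v2 carries the real client address across the loopback hop.
backend loop_plain
    mode tcp
    server plain 127.0.0.1:18080 send-proxy-v2

frontend port8080_plain
    bind 127.0.0.1:18080 accept-proxy
    mode http
    # Location is built from the Host header ("ser.ver.com:8080"), so the
    # custom port survives. No "is SSL" condition is needed here: everything
    # that reaches this frontend is plaintext by construction.
    http-request redirect scheme https code 301

# TLS side: terminate TLS and pass the request to the usual website backend.
backend loop_tls
    mode tcp
    server tls 127.0.0.1:18443 send-proxy-v2

frontend port8080_tls
    bind 127.0.0.1:18443 accept-proxy ssl crt /path/to/cert.pem no-sslv3 no-tlsv10 no-tlsv11
    mode http
    option forwardfor
    http-response set-header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    default_backend website_C
```

In the OPNsense plugin this corresponds to one TCP-mode public service on 8080 with two “Traffic is SSL” conditions, plus two internal services on the loopback ports; the same loopback hop can be reused for 8040 and 8888.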