HAProxy community

Redirecting http to https is not working

My domain web.bullten.work points to 51.255.140.203. I have set haproxy as load balancer to this IP, but when I request http://web.bullten.work it doesn't get redirected to https://web.bullten.work.

Below is my config

    [root@haproxy ~]# cat /etc/haproxy/haproxy.cfg

    global
        log 127.0.0.1:514 local0
        log 127.0.0.1:514 local1 notice
        maxconn 1024
        user haproxy
        group haproxy
        daemon
        tune.ssl.default-dh-param 2048

    defaults
        log global
        mode http
        option tcplog
        option dontlognull
        retries 3
        option redispatch
        maxconn 1024
        timeout connect 5000ms
        timeout client 50000ms
        timeout server 50000ms

    listen mariadb_cluster_writes
        bind *:13304
        # A failover pool for writes to ensure writes only hit one node at a time.
        mode tcp
        option httpchk
        server galera-node01 192.168.1.1:3306 check port 9200
        server galera-node02 192.168.1.2:3306 check port 9200 backup
        server galera-node03 192.168.1.3:3306 check port 9200 backup

    listen mariadb_cluster_reads
        bind *:13305
        # A load-balanced pool for reads to utilize all nodes for reads.
        mode tcp
        balance leastconn
        option httpchk
        server galera-node01 192.168.1.1:3306 check port 9200
        server galera-node02 192.168.1.2:3306 check port 9200
        server galera-node03 192.168.1.3:3306 check port 9200

    #---------------------------------------------------------------------
    # FrontEnd Configuration
    #---------------------------------------------------------------------
    frontend main
        bind *:80
        mode http
        redirect scheme https code 301 if !{ ssl_fc }

        # Test URI to see if it's a letsencrypt request
        acl letsencrypt-acl path_beg /.well-known/acme-challenge/
        use_backend letsencrypt-backend if letsencrypt-acl

    frontend main-https
        bind *:443 ssl crt /etc/letsencrypt/live/web.bullten.work/web.bullten.work.pem alpn h2,http/1.1

        default_backend app-main

    # LE Backend
    backend letsencrypt-backend
        server letsencrypt 127.0.0.1:8888

    #---------------------------------------------------------------------
    # BackEnd roundrobin as balance algorithm
    #---------------------------------------------------------------------
    backend app-main
        balance roundrobin #Balance algorithm
        option httpchk HEAD / HTTP/1.1\r\nHost:\ localhost #Check the server application is up and healthy - 200 status code
        server nginx1 192.168.1.1:80 check #Nginx1
        server nginx2 192.168.1.2:80 check #Nginx2
        server nginx3 192.168.1.3:80 check #Nginx3

    listen stats
        # HAProxy stats web gui.
        bind      :9000
        mode http
        stats enable
        stats uri /haproxy_stats
        stats realm HAProxy Statistics
        stats auth test:test
        stats admin if TRUE

Works fine for me:

$ curl -v dev.lan.ltri.eu/asdasd
*   Trying 10.0.0.33...
* TCP_NODELAY set
* Connected to dev.lan.ltri.eu (10.0.0.33) port 80 (#0)
> GET /asdasd HTTP/1.1
> Host: dev.lan.ltri.eu
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< content-length: 0
< location: https://dev.lan.ltri.eu/asdasd
<
* Connection #0 to host dev.lan.ltri.eu left intact

Two things I noticed:

  • since you have a dedicated frontend for port 80, you don’t have to make the redirect conditional on ssl_fc; it’s never HTTPS on this frontend anyway
  • you DO have to exclude Let’s Encrypt from the redirect, otherwise it will stop validating you.

So use:
redirect scheme https code 301 if !{ letsencrypt-acl }

If the redirect doesn’t work for you at all, then you probably have some problem elsewhere. Are you sure haproxy is running with that configuration? Can you stop haproxy completely, check for remaining hung haproxy processes and then start it again, confirming only a single haproxy instance runs with the configuration you intend it to run?

Can you also provide the output of haproxy -vv?

1 Like

You were right, two instances were running. Thanks for the redirect tip too. Now everything is working fine… Again, thank you so much :slight_smile:

2 Likes

I would say, use:
http-request redirect scheme https code 301 if !{ letsencrypt-acl }

Tried, but the error is below:

[root@haproxy ~]# haproxy -c -V -f /etc/haproxy/haproxy.cfg
[ALERT] 349/044644 (17807) : parsing [/etc/haproxy/haproxy.cfg:50] : error detected in frontend ‘main’ while parsing ‘http-request redirect’ rule : error in condition: unknown fetch method ‘letsencrypt-acl’ in ACL expression ‘letsencrypt-acl’.
[ALERT] 349/044644 (17807) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg

Both proposals are actually wrong :slight_smile:

The { } is only needed for anonymous ACLs.

Use:
http-request redirect scheme https code 301 if ! letsencrypt-acl

Compiled haproxy again and now getting an error when using the redirect rule:

[root@haproxy ~]# haproxy -c -V -f /etc/haproxy/haproxy.cfg
[ALERT] 349/112248 (20827) : parsing [/etc/haproxy/haproxy.cfg:50] : error detected in frontend ‘main’ while parsing ‘http-request redirect’ rule : error in condition: no such ACL : ‘letsencrypt-acl’.
[ALERT] 349/112248 (20827) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg

Make sure letsencrypt-acl is defined before the http-request rule.

Same error:

[root@haproxy ~]# haproxy -c -V -f /etc/haproxy/haproxy.cfg
[ALERT] 350/121440 (32319) : parsing [/etc/haproxy/haproxy.cfg:52] : error detected in frontend ‘main’ while parsing ‘http-request redirect’ rule : error in condition: no such ACL : ‘letsencrypt-acl’.
[ALERT] 350/121440 (32319) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg

My bad, I just copy-pasted your line. It’s letsencrypt_acl :slight_smile:

Using the above redirect is causing an indefinite redirect to https.
The page isn’t redirecting properly
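
A way to check the behaviour this thread works towards, as an added example that is not part of any post: it validates the config, lists running haproxy processes for review, and confirms that plain HTTP redirects to HTTPS, that the ACME challenge path is exempt, and that the HTTPS URL does not redirect to itself. It assumes curl and procps `ps`; the function names and the `probe` path token are illustrative.

```shell
#!/bin/sh
# Added example, not from the thread. CFG and the ACME path prefix are the
# thread's; the function names and the "probe" token are illustrative.
CFG=/etc/haproxy/haproxy.cfg

# classify URL (raw response headers on stdin); prints one of:
# no-response | no-redirect | loop | https-redirect | other-redirect
classify() {
    awk -v url="$1" '
        { sub(/\r$/, "") }                        # drop CR of CRLF line endings
        NR == 1 { code = $2 }                     # status line: HTTP/1.1 301 ...
        tolower($1) == "location:" { loc = $2 }
        END {
            if (NR == 0)                       print "no-response"
            else if (code !~ /^3[0-9][0-9]$/)  print "no-redirect"
            else if (loc == url)               print "loop"
            else if (loc ~ /^https:\/\//)      print "https-redirect"
            else                               print "other-redirect"
        }'
}

# headers URL: fetch response headers only, without following redirects
headers() { curl -s -o /dev/null -D - --max-time 10 "$1"; }

# expect URL WANT: report whether URL classifies as WANT
expect() {
    got=$(headers "$1" | classify "$1")
    if [ "$got" = "$2" ]; then echo "ok    $1 -> $got"; return 0; fi
    echo "FAIL  $1 -> $got (want $2)"; return 1
}

check_host() {
    host=$1; rc=0
    haproxy -c -f "$CFG" || rc=1          # config must parse cleanly
    ps -o pid,lstart,args -C haproxy      # review: is an older instance still up?
    expect "http://$host/" https-redirect || rc=1
    # ACME challenges must reach letsencrypt-backend over plain HTTP
    expect "http://$host/.well-known/acme-challenge/probe" no-redirect || rc=1
    # an HTTPS URL that redirects to itself is the endless-redirect symptom
    [ "$(headers "https://$host/" | classify "https://$host/")" != loop ] || {
        echo "FAIL  https://$host/ redirects to itself"; rc=1; }
    return $rc
}

if [ $# -gt 0 ]; then check_host "$1"; fi
```

A `loop` result on the HTTPS URL means something in the path still redirects requests that already arrived over HTTPS.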