Routing 443 and 80 to correct ports on target


#1

Hi all.

I want to receive connections into a frontend on ports 443 and 80 - this bit is OK and it’s working. This frontend sends requests to multiple backends - all OK so far…

My problem is this - on one backend I want to send traffic that comes in on port 443 to the target server on 443 and the same for port 80 traffic. I’ve included a snippet from the config below - the backend bk_finance.contoso.ie is the one I’m trying to configure. The other two are as examples only…

Ideally, I don’t want to make changes to the existing frontend.

Thanks

frontend ft_live_extranets
    bind 10.6.6.20:80
    bind 10.6.6.20:88
    bind 10.6.6.20:443 name ssl_frontend_extranet.acme.ie ssl crt wc_acme crt contoso no-sslv3
    mode http
    log global # use global log parameters
    option httplog
    capture request header host len 64
    capture request header user-agent len 64
    acl is_ssl ssl_fc
    http-request set-header X-Forwarded-Proto https if is_ssl
    http-request set-header X-Forwarded-Proto http unless is_ssl
    log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%sslv/%sslc/%[ssl_fc_sni]/%[ssl_fc_session_id,hex]}\ "%[capture.req.method]\ %[capture.req.hdr(0)]%[capture.req.uri]\ %[capture.req.ver]"
    maxconn 1000 # max conn per instance
    use_backend bk_%[req.hdr(host),lower]

backend bk_extranet.acme.ie
    cookie SERVERID insert indirect nocache # persistence cookie
    option httpchk GET / HTTP/1.0\r\nHost:\ extranet.acme.ie
    #http-check expect string Extranet
    option tcp-check
    server AcmeWebServer01 10.1.1.1:80 maxconn 1000 weight 10 cookie s2 check
    server AcmeWebServer02 10.1.1.2:80 maxconn 1000 weight 10 cookie s3 check

backend bk_www.contoso.ie
    cookie SERVERID insert indirect nocache # persistence cookie
    option httpchk GET / HTTP/1.0\r\nHost:\ extranet.contoso.ie
    option tcp-check
    server ContosoWebServer01 10.1.2.1:80 maxconn 1000 weight 10 cookie s2 check
    server ContosoWebServer02 10.1.2.2:80 maxconn 1000 weight 10 cookie s3 check

backend bk_finance.contoso.ie
    mode http
    balance source
    option tcp-check
    default-server slowstart 0 inter 10s rise 2 fall 3 # servers default parameters
    server FinanceBroker01 10.6.6.5:80 maxconn 1000 weight 10 cookie s3 check
    server FinanceBroker01 10.6.6.5:443 maxconn 1000 weight 10 cookie s3 check
    acl is_ssl ssl_fc
    http-request redirect scheme https code 301 if !is_ssl


#2

Replicate your front and backends dedicating them to either plaintext HTTP or SSL.

This is wrong. It will send plaintext HTTP to port 443 on 10.6.6.5.


#3

So, something like this:

frontend ft_live_extranets_http
    bind 10.6.6.20:80
    bind 10.6.6.20:88
    mode http
    log global # use global log parameters
    .
    .
    .
    use_backend bk_http_%[req.hdr(host),lower]

frontend ft_live_extranets_https
    bind 10.6.6.20:443 name ssl_frontend_extranet.acme.ie ssl crt wc_acme crt contoso no-sslv3
    mode http
    log global # use global log parameters
    .
    .
    use_backend bk_https_%[req.hdr(host),lower]

backend bk_http_finance.contoso.ie
    mode http
    balance source
    option tcp-check
    default-server slowstart 0 inter 10s rise 2 fall 3 # servers default parameters
    server FinanceBroker01 10.6.6.5:80 maxconn 1000 weight 10 cookie s3 check

backend bk_https_finance.contoso.ie
    mode http
    balance source
    option tcp-check
    default-server slowstart 0 inter 10s rise 2 fall 3 # servers default parameters
    server FinanceBroker01 10.6.6.5:443 maxconn 1000 weight 10 cookie s3 check


#4

That’s exactly right, yes.
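Added example, not part of the thread: a small Python check for the condition post #2 describes, a backend `server` line pointing at port 443 with no `ssl` keyword (HAProxy then speaks cleartext HTTP to that port), plus one backend mixing port 80 and port 443 servers. The function name `lint` and the finding labels are hypothetical; the sample is the `bk_finance.contoso.ie` backend from post #1, trimmed, and the parser is deliberately simple (IPv4 `host:port` only, `#` always starts a comment).

```python
import re

# Constructed sample: the backend from post #1, trimmed to the relevant lines.
SAMPLE = """\
backend bk_finance.contoso.ie
    mode http
    balance source
    server FinanceBroker01 10.6.6.5:80 maxconn 1000 weight 10 cookie s3 check
    server FinanceBroker01 10.6.6.5:443 maxconn 1000 weight 10 cookie s3 check
"""

SECTION = re.compile(r"^(frontend|backend|listen|defaults|global)\b\s*(\S*)")
SERVER = re.compile(r"^server\s+(\S+)\s+(\S+?):(\d+)\b(.*)$")


def lint(config):
    """Return a list of (backend, server, addr, finding) tuples."""
    findings = []
    section = name = None
    ports = {}             # backend name -> set of server ports seen
    ssl_by_default = set()  # backends whose default-server enables ssl
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section, name = m.groups()
            continue
        if section not in ("backend", "listen"):
            continue
        if line.startswith("default-server") and "ssl" in line.split():
            ssl_by_default.add(name)
            continue
        m = SERVER.match(line)
        if not m:
            continue
        srv, host, port, opts = m.groups()
        ports.setdefault(name, set()).add(port)
        has_ssl = "ssl" in opts.split() or name in ssl_by_default
        if port == "443" and not has_ssl:
            findings.append((name, srv, f"{host}:{port}", "plaintext-to-443"))
    for backend, seen in ports.items():
        if {"80", "443"} <= seen:
            findings.append((backend, None, None, "mixed-80-443"))
    return findings
```
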