Routing 443 and 80 to correct ports on target

Hi all.

I want to receive connections into a frontend on ports 443 and 80 - this bit is OK and it’s working. This frontend sends requests to multiple backends - all OK so far…

My problem is this - on one backend I want to send traffic that comes in on port 443 to the target server on 443 and the same for port 80 traffic. I’ve included a snippet from the config below - the backend bk_finance.contoso.ie is the one I’m trying to configure. The other two are as examples only…

Ideally, I don’t want to make changes to the existing frontend.

Thanks

frontend ft_live_extranets
bind 10.6.6.20:80
bind 10.6.6.20:88
bind 10.6.6.20:443 name ssl_frontend_extranet.acme.ie ssl crt wc_acme crt contoso no-sslv3
mode http
log global # use global log parameters
option httplog
capture request header host len 64
capture request header user-agent len 64
acl is_ssl ssl_fc
http-request set-header X-Forwarded-Proto https if is_ssl
http-request set-header X-Forwarded-Proto http unless is_ssl
log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%sslv/%sslc/%[ssl_fc_sni]/%[ssl_fc_session_id,hex]}\ "%[capture.req.method]\ %[capture.req.hdr(0)]%[capture.req.uri]\ %[capture.req.ver]"
maxconn 1000 # max conn per instance
use_backend bk_%[req.hdr(host),lower]

backend bk_extranet.acme.ie
cookie SERVERID insert indirect nocache # persistence cookie
option httpchk GET / HTTP/1.0\r\nHost:\ extranet.acme.ie
#http-check expect string Extranet
option tcp-check
server AcmeWebServer01 10.1.1.1:80 maxconn 1000 weight 10 cookie s2 check
server AcmeWebServer02 10.1.1.2:80 maxconn 1000 weight 10 cookie s3 check

backend bk_www.contoso.ie
cookie SERVERID insert indirect nocache # persistence cookie
option httpchk GET / HTTP/1.0\r\nHost:\ extranet.contoso.ie
option tcp-check
server ContosoWebServer01 10.1.2.1:80 maxconn 1000 weight 10 cookie s2 check
server ContosoWebServer02 10.1.2.2:80 maxconn 1000 weight 10 cookie s3 check

backend bk_finance.contoso.ie
mode http
balance source
option tcp-check
default-server slowstart 0 inter 10s rise 2 fall 3 # servers default parameters
server FinanceBroker01 10.6.6.5:80 maxconn 1000 weight 10 cookie s3 check
server FinanceBroker01 10.6.6.5:443 maxconn 1000 weight 10 cookie s3 check
acl is_ssl ssl_fc
http-request redirect scheme https code 301 if !is_ssl

Replicate your front and backends dedicating them to either plaintext HTTP or SSL.

This is wrong. It will send plaintext HTTP to port 443 on 10.6.6.5.

So, something like this:

frontend ft_live_extranets_http
bind 10.6.6.20:80
bind 10.6.6.20:88
mode http
log global # use global log parameters
.
.
.
use_backend bk_http_%[req.hdr(host),lower]

frontend ft_live_extranets_https
bind 10.6.6.20:443 name ssl_frontend_extranet.acme.ie ssl crt wc_acme crt contoso no-sslv3
mode http
log global # use global log parameters
.
.
use_backend bk_https_%[req.hdr(host),lower]

backend bk_http_finance.contoso.ie
mode http
balance source
option tcp-check
default-server slowstart 0 inter 10s rise 2 fall 3 # servers default parameters
server FinanceBroker01 10.6.6.5:80 maxconn 1000 weight 10 cookie s3 check

backend bk_https_finance.contoso.ie
mode http
balance source
option tcp-check
default-server slowstart 0 inter 10s rise 2 fall 3 # servers default parameters
server FinanceBroker01 10.6.6.5:443 maxconn 1000 weight 10 cookie s3 check

That’s exactly right, yes.
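
The failure named in the reply above (plaintext HTTP sent to port 443) can be checked for mechanically. This is an added example, not code from the thread or from the HAProxy project: it lists `server` lines that target port 443 without the `ssl` keyword in a backend that is not in TCP mode. It assumes whatever listens on 443 expects TLS; the `bk_tls_example` backend, its address and its ca-file path are hypothetical.

```python
# Constructed sample: the bk_finance backend from the question, plus a
# hypothetical re-encrypting backend (its name, address and ca-file path
# are assumptions, not taken from the thread).
SAMPLE_CFG = """\
backend bk_finance.contoso.ie
    mode http
    balance source
    server FinanceBroker01 10.6.6.5:80 maxconn 1000 weight 10 cookie s3 check
    server FinanceBroker01 10.6.6.5:443 maxconn 1000 weight 10 cookie s3 check

backend bk_tls_example
    mode http
    server Example01 192.0.2.10:443 ssl verify required ca-file /etc/haproxy/ca.pem check
"""

SECTIONS = {"global", "defaults", "frontend", "backend", "listen",
            "peers", "userlist", "resolvers"}

def parse_sections(cfg_text):
    """Split a config into sections, keeping each one's mode and server lines."""
    sections = []
    for raw in cfg_text.splitlines():
        words = raw.split("#", 1)[0].split()  # naive comment strip
        if not words:
            continue
        if words[0] in SECTIONS:
            sections.append({"type": words[0], "name": " ".join(words[1:2]),
                             "mode": None, "servers": []})
        elif sections and words[0] == "mode" and len(words) > 1:
            sections[-1]["mode"] = words[1]
        elif sections and words[0] == "server" and len(words) > 2:
            sections[-1]["servers"].append(words[1:])
    return sections

def cleartext_to_tls_port(cfg_text, tls_ports=("443",)):
    """Return (backend, server, address) for servers on a TLS port without 'ssl'."""
    findings, default_mode = [], None
    for sec in parse_sections(cfg_text):
        if sec["type"] == "defaults":
            default_mode = sec["mode"]
        if sec["type"] not in ("backend", "listen"):
            continue
        # Assumption: a section with no known mode is reviewed as if it were http.
        if (sec["mode"] or default_mode) == "tcp":
            continue  # TCP mode relays bytes untouched, so TLS passes through
        for name, addr, *opts in sec["servers"]:
            if addr.rpartition(":")[2] in tls_ports and "ssl" not in opts:
                findings.append((sec["name"], name, addr))
    return findings
```

Calling `cleartext_to_tls_port(open(path).read())` on a real configuration file returns the same tuples for review.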