HAProxy community

SSL offloading not working for website that is reverting to HTTP

Hi all.

I am using HAProxy to facilitate connections to various web management tools for various aspects of my network. I have a frontend listening on 443 which is doing SSL offloading and pushing connections through to various backends on 80/HTTP. I use certs on the frontend to present a secure connection.

This works well for every site, bar one (Zyxel NWA1123-AC access point). I can get to the logon page on HTTPS which is presented with the valid cert from HAProxy, but as soon as I login I get a 404 not found error from NGINX (from pfSense hosting the HAProxy package). The URL seems to be changing to HTTP so it’s no wonder I’m getting this error as I have no listener on that port. It looks like the Zyxel is actually trimming HTTPS from the URL as it probably thinks the connection is plain HTTP because that is what is coming from HAProxy.

Does anyone have any suggestions as to what I can do to provide the access? I’ve got my config below. It’s the ap backend that is giving me grief!

Any help would be much appreciated!

global
	maxconn			10000
	stats socket /tmp/haproxy.socket level admin 
	uid			80
	gid			80
	nbproc			1
	hard-stop-after		15m
	chroot				/tmp/haproxy_chroot
	daemon
	tune.ssl.default-dh-param	2048
	server-state-file /tmp/haproxy_server_state

listen HAProxyLocalStats
	bind 127.0.0.1:2200 name localstats
	mode http
	stats enable
	stats admin if TRUE
	stats show-legends
	stats uri /haproxy/haproxy_stats.php?haproxystats=1
	timeout client 5000
	timeout connect 5000
	timeout server 5000

frontend fe_mgt_443
	bind			10.1.0.1:443 name 10.1.0.1:443   ssl crt-list /var/etc/haproxy/fe_mgt_443.crt_list  
	mode			http
	log			global
	option			http-server-close
	timeout client		30000
	acl			ap	var(txn.txnhost) -m str -i ap.domain.com
	acl			switch	var(txn.txnhost) -m str -i switch.domain.com
	acl			sense	var(txn.txnhost) -m str -i sense.domain.com
	http-request set-var(txn.txnhost) hdr(host)
	use_backend ap_ipvANY  if  ap 
	use_backend switch_ipvANY  if  switch 
	use_backend sense_ipvANY  if  sense 

backend ap_ipvANY
	mode			http
	id			100
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk GET / 
	server			ap.domain.com 10.1.0.3:80 id 101 check inter 10000  

backend switch_ipvANY
	mode			http
	id			102
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	server			switch.domain.com 10.1.0.2:80 id 103 check inter 1000  

backend sense_ipvANY
	mode			http
	id			104
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk GET / 
	server			sense.domain.com 10.1.0.1:80 id 101 check inter 10000

Although there is only a slim chance of this working, especially with the web UIs of “hardware” appliances, you could try setting the header X-Forwarded-Proto: https.

Failing that, the only other chance you have is to just listen on port 80 and redirect from there.

Alternatively, if you end up on HTTP due to a redirect, you can rewrite the Location header to include https://.
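To show what the three suggestions above look like in HAProxy syntax, here is an added configuration sketch (it is not from either poster and not pfSense-generated): a plain-text listener on 80 that redirects to HTTPS, the X-Forwarded-Proto header set on the offloading frontend, and a Location rewrite on the ap backend. The addresses, hostnames and certificate list path are copied from the original config only for continuity; the frontend name fe_mgt_80 is an assumption, and the global/stats sections are omitted.

```haproxy
# Added example, not from the thread. Catches clients that land on plain
# HTTP (for instance after the appliance strips the scheme) and sends them
# back to the TLS listener instead of letting the request reach pfSense's
# own web server on port 80.
frontend fe_mgt_80
	bind			10.1.0.1:80 name 10.1.0.1:80
	mode			http
	http-request redirect scheme https code 301

frontend fe_mgt_443
	bind			10.1.0.1:443 name 10.1.0.1:443 ssl crt-list /var/etc/haproxy/fe_mgt_443.crt_list
	mode			http
	log			global
	option			http-server-close
	timeout client		30000
	http-request set-var(txn.txnhost) hdr(host)
	acl			ap	var(txn.txnhost) -m str -i ap.domain.com
	# Tell the backend that the client side of the connection was TLS.
	# Only helps if the appliance's web UI honours this header.
	http-request set-header X-Forwarded-Proto https if { ssl_fc }
	use_backend ap_ipvANY  if  ap

backend ap_ipvANY
	mode			http
	log			global
	timeout connect		30000
	timeout server		30000
	retries			3
	option			httpchk GET /
	server			ap.domain.com 10.1.0.3:80 check inter 10000
	# If the appliance answers the login POST with an absolute http://
	# redirect, rewrite the scheme so the browser stays on the 443 listener.
	# \1 is the remainder of the original Location value (host and path).
	http-response replace-header Location ^http://(.*)$ https://\1
```

The redirect on port 80 is a safety net rather than a fix: if the login response carries an absolute Location, the browser will first try http://ap.domain.com and then be bounced back, so the Location rewrite is what keeps the session on HTTPS in one hop. The regex keeps the host part of the Location untouched; if the appliance substitutes its own address (10.1.0.3) for the name the client used, the host would need rewriting as well, otherwise the browser would bypass HAProxy entirely.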