HAProxy community

SSL Redirect - Chained Proxies via Proxy Protocol

Hello,

I am running two HAProxy instances which talk over the proxy protocol (Proxy-A and Proxy-B).

If the request was made via HTTP, I want to redirect the request on Proxy-B.

http-request redirect scheme https code 301 if domain_name !{ ssl_fc } 

The problem now is that this config piece does not work when I include the !{ ssl_fc } parameter. If I remove it, the redirect works, but of course it ends in a redirect loop.

My thoughts are that this is because of the proxy protocol or the chained proxy scenario.

Config Proxy-A

frontend proxy_a
    bind 0.0.0.0:80
    bind 0.0.0.0:443 ssl crt /usr/local/etc/haproxy/ssl/ alpn h2,http/1.1
    mode http
    use_backend domain_a if { hdr(host) domain-a.net }

backend domain_a
    server domain_a_server server:2400 check ssl verify none send-proxy init-addr last,libc,none 

Config Proxy-B

frontend domain_a
    bind 0.0.0.0:2400 ssl crt /usr/local/etc/haproxy/ssl/ accept-proxy

    # Domains ACL match to Host Header
    acl domain_a hdr(host) -i domain-a.net
    http-request redirect scheme https code 301 if domain_a !{ ssl_fc }

Short update.

I made a workaround by setting the following on Proxy-A

http-request set-header X-SSL %[ssl_fc]

and checking the value of it on Proxy-B

http-request redirect scheme https code 301 if { hdr_val(X-SSL) eq 0 }

The simplest solution is to just redirect in proxyA instead of proxyB.

Otherwise you need those workarounds.

You could also check whether the proxy protocol overwrites the dst_port, in that case you could match that:

http-request redirect scheme https code 301 if { dst_port 80 }
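
The PROXY protocol v1 header that `send-proxy` emits carries the original source and destination address and port but no TLS flag, which is why a `dst_port` match can work on Proxy-B while `ssl_fc` there only reflects the TLS hop from Proxy-A. The parser below is an added example, not code from this thread or from HAProxy; the function names and the sample byte strings are constructed for illustration.

```python
import ipaddress

MAX_V1_LEN = 107  # longest v1 header the PROXY protocol spec allows, CRLF included
TLS_START = b"\x16\x03\x01"  # constructed: first bytes of a TLS record from Proxy-A

# Constructed samples of what Proxy-B reads first on each connection. Both hops
# are TLS (server ... ssl send-proxy); only the original destination port differs.
FROM_PORT_80 = b"PROXY TCP4 198.51.100.7 203.0.113.10 51544 80\r\n" + TLS_START
FROM_PORT_443 = b"PROXY TCP4 198.51.100.7 203.0.113.10 51545 443\r\n" + TLS_START


def parse_proxy_v1(data: bytes) -> dict:
    """Parse a PROXY protocol v1 header at the start of a connection's bytes."""
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if end == -1:
        raise ValueError("no CRLF-terminated v1 header within 107 bytes")
    fields = data[:end].decode("ascii").split(" ")
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ValueError("not a PROXY v1 header")
    if fields[1] == "UNKNOWN":
        # Sender could not describe the connection: no addresses to trust.
        return {"family": "UNKNOWN", "consumed": end + 2}
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("malformed PROXY v1 header")
    version = 4 if fields[1] == "TCP4" else 6
    src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    if src.version != version or dst.version != version:
        raise ValueError("address family mismatch")
    if not all(f.isdigit() for f in fields[4:6]):
        raise ValueError("non-numeric port")
    src_port, dst_port = (int(f) for f in fields[4:6])
    if src_port > 65535 or dst_port > 65535:
        raise ValueError("port out of range")
    return {"family": fields[1], "src": str(src), "src_port": src_port,
            "dst": str(dst), "dst_port": dst_port, "consumed": end + 2}


def needs_https_redirect(header: dict, plain_ports=(80,)) -> bool:
    """Mirror of `{ dst_port 80 }`: decide from the port the client originally hit."""
    return header.get("dst_port") in plain_ports
```

The header is only trustworthy when the `accept-proxy` listener is reachable solely from Proxy-A, since any peer that can connect to it can write its own addresses and ports into that line.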