SSL redirection issue


#1

Hello,
I’m a newbie in haproxy.
I’m trying to redirect some https (port 443) to another port number (7443) between the haproxy and the web-server.
I expect the user to communicate over port 443 between his browser and the HA, then the HA to use port 7443 between itself and the web-server. But what happens is that the URL in the user's browser is transformed to :7443

Here is the haproxy.conf section:

###---------------------------------------------------------------------
# SSL passthrough
###---------------------------------------------------------------------

frontend proxy443_in
    bind *:443
    mode tcp
    option tcplog
    no option checkcache
    no option httpclose
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    tcp-request content reject
    use_backend sx-ocd.si.fr if { req_ssl_sni -i sx-ocd.si.fr }
    use_backend sx-tst.si.fr if { req_ssl_sni -i sx-tst.si.fr }
    default_backend proxy443_out
    description Frontal TCP Reverse Proxy/Balancer port 443

backend sx-ocd.si.fr
    mode tcp
    server windhoek 172.16.211.9:443 maxconn 256 check
    description SX Production

backend sx-tst.si.fr
    mode tcp
    server windhoek 172.16.211.9:7443 maxconn 256 check
    description SX Base tst
#EOF


#2

This is your backend webserver redirecting.

Haproxy cannot insert any redirects in this configuration, as it only sees encrypted traffic.

I assume your backend server expects a header like:
Host: sx-ocd.si.fr:7443

But when the browser connects to port 443 of haproxy, the browser will only send:
Host: sx-ocd.si.fr

That is the reason I assume that your backend then responds with a redirect to port 7443.


#3

Hello lukastribus,
Thxs for answering :slightly_smiling_face:
Is there another way to proceed with haproxy for doing what I want to get?


#4

If you are unable to disable this behavior in your backend server, the only way is to terminate SSL on haproxy and rewrite the host header.

For this, you need to install the SSL certificates of this site on haproxy and then rewrite the Host header.

Is that something you can do? Do you have the SSL certificate and private key of those 2 sites?


#5

Hello Lukas,
Yes, I have the certificate.
Please can you give me an example of the syntax to use?
Thxs.


#6

Haproxy configuration is relatively straightforward, for example see the Mozilla config generator:

https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy-1.5.14&openssl=1.0.1e&hsts=no&profile=intermediate

You need to know how you connect to your backend however, and what headers you need to set for the backend to do what you want.
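
The approach described in #4 and #6 (terminate SSL on haproxy, rewrite the Host header, re-encrypt to the web server), as an added configuration sketch that is not part of the original thread. The file paths, the backend name `sx-tst_https`, and the assumption that the web server wants `Host: sx-tst.si.fr:7443` are illustrative; the server address comes from the configuration in #1.

```haproxy
# Added example: TLS termination on haproxy instead of SSL passthrough.
# Assumed, not from the thread: certificate and CA paths, the backend name,
# and the Host value the web server expects.

frontend proxy443_in
    mode http
    option httplog
    # Directory with one PEM per site (certificate chain + private key).
    # The private keys now live on the proxy: restrict access to this directory.
    bind *:443 ssl crt /etc/haproxy/certs/
    # Traffic is decrypted here, so routing uses the Host header
    # instead of req_ssl_sni. Unmatched hosts get a 503 (no default_backend).
    use_backend sx-tst_https if { hdr(host) -i sx-tst.si.fr }

backend sx-tst_https
    mode http
    # Send the host:port the web server expects, so it stops redirecting.
    http-request set-header Host sx-tst.si.fr:7443
    # If the server still emits absolute redirects carrying :7443,
    # strip the port before the response reaches the browser.
    http-response replace-header Location ^(https://[^/:]+):7443(.*)$ \1\2
    # Re-encrypt towards the web server and verify its certificate and name,
    # so the hop behind the proxy is not left unauthenticated.
    server windhoek 172.16.211.9:7443 ssl verify required ca-file /etc/haproxy/ca/backend-ca.pem verifyhost sx-tst.si.fr maxconn 256 check
```

Run `haproxy -c -f <config file>` to validate the syntax before reloading.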


#7

Ok, Thxs :slight_smile: