Trying to rewrite www to non www HAproxy 3

Hi,

I used to run HAProxy 1.9 and recently updated to 3.0.8 but I can’t get redirection from www.domain.com to domain.com, which was working on 1.9.

My config on HAproxy 3 looks as follows:

frontend http-https
    bind *:80
    bind *:443 ssl crt-list /etc/haproxy/certs/certificate-list.txt strict-sni
    http-request return status 200 content-type text/plain lf-string "%[path,field(-1,/)].${ACCOUNT_THUMBPRINT}\n" if { path_beg '/.well-known/acme-challenge/' }
    mode http

    http-request redirect scheme https code 301 if !{ ssl_fc }

    acl vdsverhuur_acl hdr(host) -i vdsverhuur.be
    use_backend vdsverhuur if vdsverhuur_acl

    acl www-vdsverhuur_acl hdr(host) -i www.vdsverhuur.be
    use_backend vdsverhuur if www-vdsverhuur_acl

backend vdsverhuur
    mode http
    #balance roundrobin
    server verzamel01 172.16.0.12:80 check
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }

I have been Googling for 2 days now but I can’t find anything that works. Any ideas to put me in the right direction?

Thanks,
Rene

You want to redirect to https://vdsverhuur.be if there is a match for Host header www.vdsverhuur.be, this would be:

http-request redirect prefix https://vdsverhuur.be if { hdr_dom(host) -i www.vdsverhuur.be }

Hi Lukas, thanks for your quick reply!
I already tried that before and copied your line 100% into my running config, tested the config → all ok, restarted HAproxy but I still get the same error:

This site can’t be reached

The web page at https://www.vdsverhuur.be/ might be temporarily down or it may have moved permanently to a new web address.

ERR_SSL_UNRECOGNIZED_NAME_ALERT

I just don’t see what I am missing here.

In order for the redirect to work you need to allow connections to www.vdsverhuur.be, otherwise a redirect cannot be performed because the connection doesn’t even establish.

This means that the certificate needs to cover this hostname (currently it only covers the apex) and if your crt-list also restricts hostnames then you need to allow this hostname as well.

Ahhh, you mean either use a wildcard or use two certificates, one for www and one for just the apex?

No, a wildcard or a secondary certificate is not required.

Just generate a certificate that is valid for both www.vdsverhuur.be and vdsverhuur.be.

You had this already until the last certificate update, the certificate generated on Dec 31st and older dates was valid for both hostnames:

Only the last certificate created on January 19th had www.vdsverhuur.be removed and is valid only for vdsverhuur.be.
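A simplified model of the failure discussed in this thread, added as an example (not code from any poster and not HAProxy's own logic): with `strict-sni` the handshake only proceeds when a crt-list entry covers the requested name, so the redirect rule is never reached otherwise. Assumptions: certificate names are passed in as a constructed dict instead of being read from a PEM file, the `.pem` path is a placeholder, and negative SNI filters and per-line bind options are ignored.

```python
import re

def name_matches(pattern, sni):
    """Exact match, or a '*.' pattern covering exactly one extra left-most label."""
    pattern, sni = pattern.lower(), sni.lower().rstrip(".")
    if pattern.startswith("*."):
        label, _, parent = sni.partition(".")
        return bool(label) and parent == pattern[2:]
    return pattern == sni

def parse_crt_list(text):
    """Return [(certfile, [sni filters])] from crt-list text."""
    entries = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue                                # comment line
        tokens = re.sub(r"\[[^\]]*\]", " ", line).split()  # drop [bind options]
        if tokens:
            # Negative filters ("!name") are not modelled here and are skipped.
            filters = [t for t in tokens[1:] if not t.startswith("!")]
            entries.append((tokens[0], filters))
    return entries

def strict_sni_accepts(sni, crt_list_text, cert_names):
    """True if some entry serves `sni`; strict-sni means no default-cert fallback."""
    for certfile, filters in parse_crt_list(crt_list_text):
        # SNI filters on the line replace the certificate's own CN/SAN names.
        names = filters or cert_names.get(certfile, [])
        if any(name_matches(n, sni) for n in names):
            return True
    return False

# Constructed sample data; the .pem path is a placeholder, not from the thread.
PEM = "/etc/haproxy/certs/example.pem"
CRT_LIST = PEM + "\n"
CRT_LIST_FILTERED = PEM + " vdsverhuur.be\n"   # filter restricts to the apex
APEX_ONLY = {PEM: ["vdsverhuur.be"]}
BOTH = {PEM: ["vdsverhuur.be", "www.vdsverhuur.be"]}
WILDCARD = {PEM: ["*.vdsverhuur.be"]}

if __name__ == "__main__":
    cases = (("apex only", APEX_ONLY), ("both names", BOTH), ("wildcard", WILDCARD))
    for label, names in cases:
        for host in ("vdsverhuur.be", "www.vdsverhuur.be"):
            ok = strict_sni_accepts(host, CRT_LIST, names)
            print(f"{label:11} {host:18} accepted={ok}")
```

The wildcard-only case shows why a wildcard alone would not have been enough here: `*.vdsverhuur.be` covers `www` but not the apex that the redirect points to.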

Sir, you are awesome! That was exactly the problem. When I read your answer I thought: can I be that stupid? Clearly I am that stupid.

Thank you so much for your help!
