I am using HAProxy to redirect traffic to different web servers in a local network.
Without SSL enabled, I can route based on hostname like this (in frontend section):
acl is_local hdr_end(host) -i mirror.skbx.co
acl is_kiev hdr_end(host) -i kiev.skbx.co
use_backend kiev if is_kiev
default_backend wwwlocalbackend
As soon as I enable SSL, everything works in TCP mode via Pass through SSL mode.
But I also need to make sure HTTP is redirected to HTTPS. When I use:
redirect scheme https if !{ ssl_fc }
in my HTTP frontend section of HAProxy config, I get all requests redirected to the default backend, so the above-mentioned acl rules are ignored if the request is redirected from redirect scheme.
This question has an answer on how to get it working via SSL Termination, where SSL is stripped down at HAProxy level.
My question is - is HTTP to HTTPS redirect possible while retaining pass-through (mode tcp)?
Full config of frontend and backend sections I have is in this gist.
Answer
In TCP mode, HAproxy doesn't actually even terminate SSL, it just passes the packets on to the backend. Since https-frontend can't decode the headers in the following lines, it just passes everything to the default_backend.
You'll have to specify a cert on the bind line and run both the Frontend and Backends in mode http.
For example:
frontend http-frontend
    bind 10.1.0.4:80
    mode http
    # plain-HTTP listener: only job is to send clients to the HTTPS frontend
    redirect scheme https if !{ ssl_fc }

frontend https-frontend
    # TLS is terminated here, so the Host header is readable and the ACLs below can match
    bind 10.1.0.4:443 ssl crt /etc/ssl/haproxy.pem
    option httplog
    mode http
    acl is_local hdr_end(host) -i mirror.skbx.co
    acl is_kiev hdr_end(host) -i kiev.skbx.co
    use_backend kiev if is_kiev
    default_backend wwwlocalbackend

backend wwwlocalbackend
    mode http
    # the backend still listens with TLS on 443, so HAProxy must re-encrypt ("ssl");
    # /etc/ssl/backend-ca.pem is a placeholder for the CA that signed the backend's cert
    server 1-www 127.0.0.1:443 ssl verify required ca-file /etc/ssl/backend-ca.pem

backend kiev
    mode http
    server 1-www 10.8.0.6:443 ssl verify required ca-file /etc/ssl/backend-ca.pem
Where /etc/ssl/haproxy.pem contains a cert for all the domains you want to host, or a wildcard cert that covers them.
If you have separate certs for each domain, you'll need to follow the configuration of frontend ft_test from the accepted answer in the question you posted (Configure multiple SSL certificates in Haproxy).
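The failure in the question is silent: a Host-header ACL inside a `mode tcp` frontend never matches, `use_backend` is skipped, and every request lands on `default_backend`. The script below is an added example (not part of the question or the answer, and not an HAProxy tool) that lints a config for exactly that mistake. It reads sections in order, tracks the `mode` inherited from `defaults`, and reports any layer-7 ACL (`hdr`, `hdr_end`, `path`, `url`, `method` fetches) or `use_backend`/`redirect` rule that depends on one inside a TCP-mode frontend. The two embedded configs are constructed from the question's setup and the answer's fix.

```python
"""Lint an HAProxy config for layer-7 ACLs that can never match.

In `mode tcp` HAProxy never parses the HTTP request, so an ACL built on
hdr(...), hdr_end(...), path, url or method is silently false and any
`use_backend ... if <acl>` falls through to default_backend.
This is an illustrative checker, not an HAProxy feature.
"""
import re
from dataclasses import dataclass, field

# Sample fetches that only have a value once HAProxy has parsed an HTTP request.
L7_FETCH = re.compile(
    r"^(hdr|hdr_[a-z]+|req\.hdr|req\.hdr_[a-z]+|path|path_[a-z]+|url|url_[a-z]+|method)\b"
)
SECTION_KINDS = ("global", "defaults", "frontend", "backend", "listen")


@dataclass
class Section:
    kind: str
    name: str
    lines: list = field(default_factory=list)  # token list of each directive


def parse(text: str) -> list:
    """Split a config into sections; comments and blank lines are dropped."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        if tokens[0] in SECTION_KINDS:
            sections.append(Section(tokens[0], tokens[1] if len(tokens) > 1 else ""))
        elif sections:
            sections[-1].lines.append(tokens)
    return sections


def section_mode(section: Section, inherited: str) -> str:
    for tokens in section.lines:
        if tokens[0] == "mode" and len(tokens) > 1:
            return tokens[1]
    return inherited


def lint(text: str) -> list:
    """Return human-readable findings; an empty list means no dead L7 ACLs."""
    findings = []
    inherited = "tcp"  # HAProxy's built-in default when no `mode` is set anywhere
    for s in parse(text):
        if s.kind == "defaults":  # a defaults block applies to the sections after it
            inherited = section_mode(s, inherited)
            continue
        if s.kind not in ("frontend", "listen") or section_mode(s, inherited) != "tcp":
            continue
        dead_acls = set()
        for tokens in s.lines:
            if tokens[0] == "acl" and len(tokens) > 2 and L7_FETCH.match(tokens[2]):
                dead_acls.add(tokens[1])
                findings.append(f"{s.kind} {s.name}: acl '{tokens[1]}' uses {tokens[2]} "
                                f"but the section is in mode tcp; it can never match")
        for tokens in s.lines:
            if tokens[0] in ("use_backend", "redirect") and ("if" in tokens or "unless" in tokens):
                start = tokens.index("if") if "if" in tokens else tokens.index("unless")
                refs = {t.lstrip("!") for t in tokens[start + 1:]}
                dead = sorted(refs & dead_acls)
                if dead:
                    findings.append(f"{s.kind} {s.name}: '{' '.join(tokens)}' depends on dead "
                                    f"acl(s) {dead}; traffic falls through to default_backend")
    return findings


# Constructed sample: the question's layout (TCP pass-through with Host ACLs).
QUESTION_STYLE = """
defaults
    mode http
frontend http-frontend
    bind 10.1.0.4:80
    redirect scheme https if !{ ssl_fc }
frontend https-frontend
    bind 10.1.0.4:443
    mode tcp
    acl is_local hdr_end(host) -i mirror.skbx.co
    acl is_kiev hdr_end(host) -i kiev.skbx.co
    use_backend kiev if is_kiev
    default_backend wwwlocalbackend
backend kiev
    mode tcp
    server 1-www 10.8.0.6:443
"""

# Constructed sample: the answer's layout (TLS terminated, everything in mode http).
ANSWER_STYLE = QUESTION_STYLE.replace("bind 10.1.0.4:443", "bind 10.1.0.4:443 ssl crt /etc/ssl/haproxy.pem").replace("mode tcp", "mode http")

if __name__ == "__main__":
    for name, cfg in (("question", QUESTION_STYLE), ("answer", ANSWER_STYLE)):
        print(f"== {name}: {len(lint(cfg))} finding(s)")
        for f in lint(cfg):
            print("  -", f)
```

Run it against a real config with `lint(open("/etc/haproxy/haproxy.cfg").read())`; it complements `haproxy -c -f`, which accepts a header ACL in a TCP frontend without complaint.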