Thursday, June 25, 2015

HAProxy to redirect http to https for multiple domain names without SSL Termination



I am using HAProxy to redirect traffic to different web servers in local network.



Without SSL enabled, I can route based on hostname like this (in frontend section):



acl is_local hdr_end(host) -i mirror.skbx.co
acl is_kiev hdr_end(host) -i kiev.skbx.co


use_backend kiev if is_kiev
default_backend wwwlocalbackend


As soon as I enable SSL, everything works in TCP mode via Pass through SSL mode.



But I also need to make sure HTTP is redirected to HTTPS. When I use:



redirect scheme https if !{ ssl_fc }



in my HTTP frontend section of HAProxy config, I get all requests redirected to the default backend, so the above-mentioned acl rules are ignored if the request is redirected from redirect scheme.



This question has an answer on how to get it working via SSL Termination, where SSL is stripped down at HAProxy level.



My question is - is HTTP to HTTPS redirect possible while retaining pass-through (mode tcp)?



Full config of frontend and backend sections I have is in this gist.


Answer




In TCP mode, HAProxy doesn't actually even terminate SSL, it just passes the packets on to the backend. Since https-frontend can't decode the headers in the following lines, it just passes everything to the default_backend.



You'll have to specify a cert on the bind line and run both the Frontend and Backends in mode http.



For example:



frontend http-frontend
    bind 10.1.0.4:80
    # redirect scheme only works in http mode (add this unless a defaults section already sets it)
    mode http
    redirect scheme https if !{ ssl_fc }

frontend https-frontend
    bind 10.1.0.4:443 ssl crt /etc/ssl/haproxy.pem
    option httplog
    mode http
    # TLS is terminated on the bind line above, so the Host header is readable here
    acl is_local hdr_end(host) -i mirror.skbx.co
    acl is_kiev hdr_end(host) -i kiev.skbx.co
    use_backend kiev if is_kiev
    default_backend wwwlocalbackend

backend wwwlocalbackend
    mode http
    # the origins listen on 443, so the connection must be re-encrypted with "ssl";
    # without it HAProxy sends plaintext HTTP to port 443 and the backend rejects it.
    # /etc/ssl/backend-ca.pem is a placeholder for the CA that signed the origin certs.
    server 1-www 127.0.0.1:443 ssl verify required ca-file /etc/ssl/backend-ca.pem

backend kiev
    mode http
    server 1-www 10.8.0.6:443 ssl verify required ca-file /etc/ssl/backend-ca.pem



Where /etc/ssl/haproxy.pem contains a cert for all the domains you want to host, or a wildcard cert that covers them.



If you have separate certs for each domain, you'll need to follow the configuration of frontend ft_test from the accepted answer in the question you posted (Configure multiple SSL certificates in Haproxy).
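The answer above terminates TLS on HAProxy. For the question as literally asked (keep port 443 in mode tcp, no cert on HAProxy), the redirect and the routing can be split: the port-80 frontend runs in http mode and only issues the redirect, while the port-443 frontend stays in tcp mode and routes on the SNI name from the TLS ClientHello, which is visible before any termination. The following is an added example, not code from the answer or from the question's gist; it reuses the hostnames and addresses from the question and assumes each origin presents a certificate valid for its own hostname, since HAProxy never sees the HTTP layer here.

```haproxy
# Added example: http->https redirect with SNI-based pass-through routing.
# The Host header is unreadable in mode tcp, so the SNI field is the only
# routing key available without terminating TLS.

frontend http-frontend
    bind 10.1.0.4:80
    mode http
    # plain HTTP is only accepted to bounce the client to HTTPS
    redirect scheme https code 301

frontend https-frontend
    bind 10.1.0.4:443
    mode tcp
    option tcplog
    # hold the connection until a TLS ClientHello (hello type 1) has arrived,
    # giving up after 5s so a non-TLS client cannot keep the slot open forever
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # "-m end" mirrors the suffix semantics of hdr_end(host) in the question
    acl is_kiev  req.ssl_sni -m end -i kiev.skbx.co
    acl is_local req.ssl_sni -m end -i mirror.skbx.co
    use_backend kiev if is_kiev
    use_backend wwwlocalbackend if is_local
    # clients that send no SNI, or an unknown name, land here
    default_backend wwwlocalbackend

backend wwwlocalbackend
    mode tcp
    # the handshake is completed by the origin, so no "ssl" keyword on the server
    server 1-www 127.0.0.1:443

backend kiev
    mode tcp
    server 1-www 10.8.0.6:443
```

The trade-off is that HAProxy cannot add X-Forwarded-For, log request lines, or apply any HTTP-level rules on port 443 in this setup, and a client that omits SNI is routed to the default backend rather than by hostname. If those features matter, the terminated configuration from the answer is the one to use.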

