HAProxy to redirect http to https for multiple domain names without SSL Termination

I am using HAProxy to redirect traffic to different web servers in local network.

Without SSL enabled, I can route based on hostname like this (in frontend section):

acl is_local hdr_end(host) -i mirror.skbx.co
acl is_kiev  hdr_end(host) -i kiev.skbx.co

use_backend kiev if is_kiev
default_backend wwwlocalbackend

As soon as I enable SSL, everything works in TCP mode via Pass through SSL mode.

But I also need to make sure HTTP is redirected to HTTPS. When I use:

redirect scheme https if !{ ssl_fc }

in my HTTP frontend section of HAProxy config, I get all requests redirected to default backend, so the above-mentioned acl rules are ignored if the request is redirected from redirect scheme.

This question has an answer on how to get it working via SSL Termination, where SSL is stripped down at HAProxy level.

My question is - is HTTP to HTTPS redirect possible while retaining pass-through (mode tcp)?

Full config of frontend and backend sections I have is in this gist.


In TCP mode, HAProxy doesn't actually even terminate SSL, it just passes the packets on to the backend. Since https-frontend can't decode the headers in the following lines, it just passes everything to the default_backend.

You'll have to specify a cert on the bind line and run both the Frontend and Backends in mode http.

For example:

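frontend http-frontend
    bind 10.1.0.4:80
    # "redirect scheme" is an HTTP-level rule, so this frontend must run in HTTP mode
    mode http

    # Port 80 never carries TLS, so ssl_fc is false and every request is redirected
    redirect scheme https if !{ ssl_fc }

frontend https-frontend
    # TLS is terminated here; haproxy.pem holds the certificate and its private key
    bind 10.1.0.4:443 ssl crt /etc/ssl/haproxy.pem

    option httplog
    mode http

    # Host header is readable only because TLS was terminated above
    acl is_local hdr_end(host) -i mirror.skbx.co
    acl is_kiev  hdr_end(host) -i kiev.skbx.co

    use_backend kiev if is_kiev
    default_backend wwwlocalbackend

# Both servers are addressed on port 443. If they speak TLS there, each
# server line also needs "ssl" plus a "verify" setting to re-encrypt.
backend wwwlocalbackend
    mode http
    server 1-www 127.0.0.1:443

backend kiev
    mode http
    server 1-www 10.8.0.6:443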

Where /etc/ssl/haproxy.pem contains a cert for all the domains you want to host, or a wildcard cert that covers them.

If you have separate certs for each domain, you'll need to follow the configuration of frontend ft_test from the accepted answer in the question you posted (Configure multiple SSL certificates in Haproxy).
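For the pass-through case the question asks about, the sketch below routes on the SNI field of the TLS ClientHello, which HAProxy can read in mode tcp without holding any certificate, while a separate HTTP-mode frontend on port 80 issues the redirect. It is an added example, not configuration from either post; it reuses the addresses, backend names and hostname shown above and assumes clients send SNI.

```haproxy
# Added example: HTTP->HTTPS redirect with TLS pass-through (no certificate on HAProxy).

frontend http-frontend
    bind 10.1.0.4:80
    mode http
    # HAProxy answers the redirect itself and keeps the requested Host,
    # so no ACL or backend is involved on port 80.
    http-request redirect scheme https code 301

frontend https-frontend
    bind 10.1.0.4:443
    mode tcp
    option tcplog

    # Buffer the start of the connection until a TLS ClientHello is seen,
    # so the SNI value is available to the routing rules below.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }

    # Exact, case-insensitive match on the requested server name.
    acl is_kiev req.ssl_sni -i kiev.skbx.co

    use_backend kiev if is_kiev
    # Clients that send no SNI, or an unlisted name, land here.
    default_backend wwwlocalbackend

backend wwwlocalbackend
    mode tcp
    # Encrypted bytes are forwarded untouched; this server terminates TLS.
    server 1-www 127.0.0.1:443

backend kiev
    mode tcp
    server 1-www 10.8.0.6:443
```

In this layout HAProxy never sees the decrypted request, so it cannot inspect HTTP headers or add X-Forwarded-For on the HTTPS side. Each web server needs its own certificate and private key.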