HAProxy to terminate SSL also send SSL to backend server

I would like to terminate SSL at HAProxy, do some manipulation on the header, rewrite the URL, then re-encrypt the traffic and send it to the backend servers as SSL.

I can't seem to find a way to do this. I can get regular SSL termination done, and send plain HTTP requests to backend. But I need to send SSL to backend.

I would like to have the following features:

  • Extract x-forwarded-for headers, to get the real client IP behind proxy.
  • Implement session stickiness using cookie.
  • Do some URL rewriting.
  • Send SSL traffic to backend using cookie based session stickiness.

Unless I terminate SSL at haproxy end, I cannot get URL rewriting done.

Any help from the good people here would be highly appreciated.


Solution 1:

There's nothing special to do in haproxy.cfg. You simply configure whatever URL rewrites and header manipulations you want within your HAProxy frontend and then redirect traffic to your SSL backend. Here's a quick example:

frontend app1_ssl
    bind *:443 ssl crt /etc/haproxy/certs.d/example.com.crt crt /etc/haproxy/certs.d/ no-sslv3

    option http-server-close
    option forwardfor
    http-request add-header X-Forwarded-Proto https
    http-request add-header X-Forwarded-Port 443
   
    # set HTTP Strict Transport Security (HSTS) header
    http-response add-header Strict-Transport-Security max-age=15768000

    # some ACLs and URL rewrites...

    default_backend             backend_app1_ssl


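backend backend_app1_ssl
    # "ssl" re-encrypts traffic to the backend; "verify none" skips
    # validation of the backend server's certificate
    server mybackendserver 127.0.0.1:4433 ssl verify none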
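
The configuration below is an added example, not part of the original answer: it covers the cookie-based stickiness and URL rewriting the question asks about, and shows the `verify none` backend line beside a form that authenticates the backend certificate. The server names, addresses, cookie name, rewrite paths and CA bundle path are placeholders, and it assumes HAProxy is the first hop facing clients and a version that supports `http-request set-path`.

```haproxy
# Added example; hostnames, addresses, paths and the cookie name are placeholders.
frontend app1_ssl
    bind *:443 ssl crt /etc/haproxy/certs.d/example.com.crt no-sslv3
    mode http

    # Replace (rather than append to) forwarding headers, so values sent by
    # the client never reach the backend. Assumes no trusted proxy sits in
    # front of HAProxy.
    http-request set-header X-Forwarded-For %[src]
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port 443

    # URL rewrite on the decrypted request (constructed paths).
    http-request set-path %[path,regsub(^/old/,/new/)]

    default_backend backend_app1_ssl

backend backend_app1_ssl
    mode http
    balance roundrobin

    # Cookie-based stickiness: HAProxy inserts a cookie named SRV whose value
    # is the "cookie" keyword of the chosen server. "secure" and "httponly"
    # keep it off plain HTTP and away from page scripts.
    cookie SRV insert indirect nocache secure httponly

    # Form used in the answer, for comparison: the hop is encrypted but the
    # backend is not authenticated, so any certificate is accepted.
    # server app1 10.0.0.11:443 ssl verify none cookie app1

    # Hardened form: validate the backend certificate against a CA bundle
    # and check that it was issued for the expected host name.
    server app1 10.0.0.11:443 ssl verify required ca-file /etc/haproxy/backend-ca.pem verifyhost app1.internal.example check cookie app1
    server app2 10.0.0.12:443 ssl verify required ca-file /etc/haproxy/backend-ca.pem verifyhost app2.internal.example check cookie app2
```

Running `haproxy -c -f /etc/haproxy/haproxy.cfg` checks the file for syntax errors before a reload.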