haproxy how to process /.well-known before any redirects?
I'm afraid it is not possible to process use_backend
before redirect
statements. I believe HAPROXY evaluates redirects after it receives the entire HTTP request from the client and chooses a backend only after it discovers that the client will not be redirected.
You do not need to modify every redirect rule in order to add additional exclusion paths. You can use an unique ACL instead. For example, this configuration snippet would work:
acl noredirects path -m reg ^/.well-known/acme-challenge/
acl noredirects path -m beg /static/ /images/ /css/
acl noredirects req.hdr(host) -i httpsite.example.com
redirect prefix https://a.test if ! noredirects { req.hdr(host) -m reg ^a\.test(?::.*)?$ }
use_backend certbot_80 if noredirects
You can also process redirections on a backend. For example:
frontend http *:80
acl certbot path -m beg /.well-known/acme-challenge/
acl httpsite path -m beg /public/
use_backend certbot_80 if certbot
use_backend httpbackend if httpsite
default_backend redirector
backend redirector
redirect prefix https://a.test if { req.hdr(host) -m reg ^a\.test(?::.*)?$ }
redirect prefix https://b.test if { req.hdr(host) -m reg ^b\.test(?::.*)?$ }
backend httpbackend
server httpserver httpserver.example.com:80
With a modern HAProxy (tested with 2.2 LTS), the syntax is intuitive:
frontend http *:80
acl path_certbot path_beg /.well-known/acme-challenge/
http-request redirect scheme https unless { ssl_fc } || path_certbot
use_backend certbot_80 if path_certbot
default_backend std_backend
backend certbot
server certbot localhost:80
backend std_backend
<your_backend>
- the first line creates a named condition (path_certbot) that is true it the url starts with
/.well-known/acme-challenge/
- the second line redirects (with a HTTP/302) all the incoming requests to https, unless the request was already https, or the path_certbot condition is activated