4

I am using HAProxy to redirect traffic to different web servers in local network.

Without SSL enabled, I can route based on hostname like this (in frontend section):

acl is_local hdr_end(host) -i mirror.skbx.co
acl is_kiev  hdr_end(host) -i kiev.skbx.co

use_backend kiev if is_kiev
default_backend wwwlocalbackend

As soon as I enable SSL, everything works in TCP mode via pass-through SSL mode.

But I also need to make sure HTTP is redirected to HTTPS. When I use:

redirect scheme https if !{ ssl_fc }

in my HTTP frontend section of HAProxy config, I get all requests redirected to default backend, so the above-mentioned acl rules are ignored if the request is redirected from redirect scheme.

This question has an answer on how to get it working via SSL Termination, where SSL is stripped down at HAProxy level.

My question is - is HTTP to HTTPS redirect possible while retaining pass-through (mode tcp)?

Full config of frontend and backend sections I have is in this gist.

Maxim V. Pavlov

1 Answer

8

In TCP mode, HAProxy doesn't actually even terminate SSL, it just passes the packets on to the backend. Since https-frontend can't decode the headers in the following lines, it just passes everything to the default_backend.

You'll have to specify a cert on the bind line and run both the Frontend and Backends in mode http.

For example:

frontend http-frontend
    bind 10.1.0.4:80
    mode http

    # plain-HTTP listener: its only job is to send clients to the TLS frontend
    redirect scheme https if !{ ssl_fc }

frontend https-frontend
    # TLS is terminated here, so the Host header used by the ACLs below is readable
    bind 10.1.0.4:443 ssl crt /etc/ssl/haproxy.pem

    option httplog
    mode http

    acl is_local hdr_end(host) -i mirror.skbx.co
    acl is_kiev  hdr_end(host) -i kiev.skbx.co

    use_backend kiev if is_kiev
    default_backend wwwlocalbackend

backend wwwlocalbackend
    mode http
    # the servers below listen for TLS on 443: add 'ssl' (with a verify setting and CA)
    # to each server line, or point HAProxy at their plain-HTTP port instead
    server 1-www 127.0.0.1:443

backend kiev
    mode http
    server 1-www 10.8.0.6:443

Where /etc/ssl/haproxy.pem contains a cert for all the domains you want to host, or a wildcard cert that covers them.

If you have separate certs for each domain, you'll need to follow the configuration of frontend ft_test from the accepted answer in the question you posted (Configure multiple SSL certificates in Haproxy).

GregL
  • Thanks, as long as this is the only way and SNI redirect isn't possible in TCP mode, I can live with SSL Termination approach. – Maxim V. Pavlov Jul 31 '15 at 17:14
  • As far as I know, SNI is only available in HTTP mode since it's actually going to try and decode the SSL packets, otherwise, it can't do much with it. The only other way would be to have on IP per domain, have them all listen on the same frontend and make the backend selection based on destination IP. – GregL Jul 31 '15 at 17:16
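As an added check, not part of the question, the linked gist, or GregL's answer: a small Python linter that flags exactly the misconfiguration this thread walks through, namely Host-header ACLs and `redirect` statements sitting in a tcp-mode frontend, plus :443 listeners or servers in http mode that lack `ssl`. The config string below is constructed for this example, and the section names are taken from the thread.

```python
import re

# Constructed sample (not the gist from the question): the pass-through layout,
# where the Host-header ACL sits in a tcp-mode frontend and can never match.
SAMPLE_CONFIG = """
frontend http-frontend
    bind 10.1.0.4:80
    mode tcp
    redirect scheme https if !{ ssl_fc }
frontend https-frontend
    bind 10.1.0.4:443
    mode tcp
    acl is_kiev hdr_end(host) -i kiev.skbx.co
    use_backend kiev if is_kiev
backend kiev
    mode http
    server 1-www 10.8.0.6:443
"""


def parse_sections(text):
    """Split a config into (kind, name, [statements]) tuples, dropping comments."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(defaults|frontend|backend|listen)\s*(\S*)", line)
        if m:
            sections.append((m.group(1), m.group(2), []))
        elif line and sections:
            sections[-1][2].append(line)
    return sections

def lint(text):
    """Flag the tcp-vs-http mode pitfalls discussed above; returns finding strings."""
    findings, default_mode = [], "tcp"  # 'tcp' is HAProxy's built-in default mode
    for kind, name, stmts in parse_sections(text):
        mode = next((s.split()[1] for s in stmts if s.startswith("mode ")), default_mode)
        if kind == "defaults":
            default_mode = mode
            continue
        for s in stmts:
            no_ssl = not re.search(r"\bssl\b", s)
            if mode == "tcp" and re.search(r"\bhdr(_\w+)?\(", s):
                findings.append(f"{kind} {name}: Host ACL never matches in mode tcp: {s}")
            elif mode == "tcp" and s.startswith("redirect "):
                findings.append(f"{kind} {name}: 'redirect' requires mode http: {s}")
            elif mode == "http" and s.startswith("bind ") and ":443" in s and no_ssl:
                findings.append(f"{kind} {name}: :443 bind in mode http lacks 'ssl crt': {s}")
            elif mode == "http" and s.startswith("server ") and ":443" in s and no_ssl:
                findings.append(f"{kind} {name}: :443 server in mode http lacks 'ssl': {s}")
    return findings
```

Running `lint(SAMPLE_CONFIG)` reports the ignored ACL, the redirect in tcp mode, and the plaintext-to-:443 server line; the same function returns no findings for the terminated layout in the answer once the server lines carry `ssl`.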