
I would like to terminate SSL at HAProxy, do some manipulation on the header, rewrite URL and re-encrypt traffic and send to backend servers as SSL?

I can't seem to find a way to do this. I can get regular SSL termination done, and send plain HTTP requests to backend. But I need to send SSL to backend.

I would like to have the following features:

  • Extract x-forwarded-for headers, to get the real client IP behind proxy.
  • Implement session stickiness using cookie.
  • Do some URL rewriting.
  • Send SSL traffic to backend using cookie based session stickiness.

Unless I terminate SSL at haproxy end, I cannot get URL rewriting done.

Any help from the good people here would be highly appreciated.

oazabir

1 Answer


There's nothing special to do in haproxy.cfg. You simply configure whatever URL rewrites and header manipulations you want within your HAProxy frontend and then redirect traffic to your SSL backend. Here's a quick example:

frontend app1_ssl
    bind *:443 ssl crt /etc/haproxy/certs.d/example.com.crt crt /etc/haproxy/certs.d/ no-sslv3

    option http-server-close
    option forwardfor
    http-request add-header X-Forwarded-Proto https
    http-request add-header X-Forwarded-Port 443

    # set HTTP Strict Transport Security (HSTS) header
    http-response add-header Strict-Transport-Security max-age=15768000

    # some ACLs and URL rewrites...

    default_backend             backend_app1_ssl

backend backend_app1_ssl
    # "ssl" re-encrypts traffic to the backend; "verify none" skips checking its certificate
    server mybackendserver 127.0.0.1:4433 ssl verify none
Tubeless

  • Awesome! Let me try that. I wasn't able to find that "server .... ssl" thing anywhere. – oazabir Nov 23 '15 at 11:41
  • Many thanks for your help. I was able to get it working. However, I could not get SSL sticky to work. Could you help please? The question is here: http://serverfault.com/questions/738397/haproxy-ssl-roundrobin-not-working-when-ssl-terminated-and-forwarded – oazabir Nov 23 '15 at 17:21
  • Great, I'm glad I was able to help. Don't forget to accept my answer so others can see right away that it was helpful ;-) – Tubeless Nov 23 '15 at 17:24
  • Does the encryption really work by giving ssl verify none? From the haproxy documentation, " If set to 'none', server certificate is not verified. In the other case, The certificate provided by the server is verified using CAs from 'ca-file'". Can someone please clarify this? – mjm Dec 18 '18 at 14:41
  • With `ssl verify none` traffic between HAProxy and backend server is still encrypted, but validity of backend's SSL certificate isn't checked. – Tubeless Dec 18 '18 at 16:54
  • I just found this answer and discovered I had already upvoted it... Wish I could upvote again! Thanks! – Quentin Skousen Feb 15 '19 at 20:54
  • according to (*) `reqadd` is an old directive and `https-request set-header X-Forwarded-Proto https` can be used. (*: https://stackoverflow.com/a/51940105/4940240 from https://stackoverflow.com/questions/51928504/x-forwarded-proto-https-in-frontend-or-backend-haproxy/51940105#51940105). (just noting) – MacMartin Aug 18 '20 at 12:54
  • @eli you are right. Deprecation warning was added after my initial answer. I've updated my answer. Cheers! – Tubeless Aug 20 '20 at 14:55
  • http://cbonte.github.io/haproxy-dconv/2.5/configuration.html#5.2-ssl the `server` keywords support a lot of interesting settings, documented here. – HelloSam Jun 24 '21 at 10:02
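The answer above shows the minimal pattern, and the comments ask whether `ssl verify none` still encrypts (it does) and what verification it skips (the backend's certificate). The configuration below is an added example, not the answer's own, that puts the asker's four requirements together in one haproxy.cfg: X-Forwarded-For from `option forwardfor`, a URL rewrite, cookie-based stickiness, and re-encryption to the backend with the backend certificate actually verified instead of `verify none`. The certificate paths, backend addresses, hostnames and the `/old/` to `/new/` rewrite are assumptions chosen for illustration; `replace-path` needs HAProxy 2.2 or newer.

```haproxy
# Added example (not the answer's config). Paths, addresses and names are assumed.
global
    log stdout format raw local0
    # Only accept TLS 1.2+ on the client-facing listener
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    mode http
    log global
    option httplog
    option http-server-close
    # Append the real client IP to X-Forwarded-For so the backend can read it
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend app1_ssl
    # Terminate client TLS here (assumed combined cert+key PEM)
    bind *:443 ssl crt /etc/haproxy/certs.d/example.com.pem

    # Tell the backend the original scheme/port; set-header overwrites
    # anything a client sent, so it cannot spoof these values
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port 443

    # HSTS on every response leaving this frontend
    http-response set-header Strict-Transport-Security "max-age=15768000"

    # URL rewrite: /old/anything -> /new/anything (assumed paths)
    http-request replace-path ^/old/(.*) /new/\1

    default_backend backend_app1_ssl

backend backend_app1_ssl
    balance roundrobin

    # Session stickiness: HAProxy inserts a SERVERID cookie naming the chosen
    # server. "secure" + "httponly" keep it off plain HTTP and away from scripts;
    # "indirect" strips it before the request reaches the backend.
    cookie SERVERID insert indirect nocache secure httponly

    # Re-encrypt to the backend. Unlike "verify none", "verify required" checks the
    # backend certificate against the CA bundle (assumed path) and, because "sni"
    # is set, also checks that the certificate matches that hostname.
    server app1 10.0.0.11:443 ssl verify required ca-file /etc/haproxy/ca/backend-ca.pem sni str(app1.internal.example) cookie app1 check
    server app2 10.0.0.12:443 ssl verify required ca-file /etc/haproxy/ca/backend-ca.pem sni str(app2.internal.example) cookie app2 check
```

Run `haproxy -c -f haproxy.cfg` to validate the file before reloading. The difference from the answer's `verify none` is confined to the `server` lines: with `verify required` and a `ca-file`, a backend presenting a self-signed or mismatched certificate is marked DOWN by the health check rather than silently accepted, which is what closes the gap that the comment about `verify none` points out.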