I have an HAProxy setup with several HAProxy servers that route to a cluster of application servers. I'd like HAProxy to do all the SSL termination.

Right now https requests are forwarded to application servers as https. So what I'd like is:

user <-https-> Haproxy <-http-> Application
user <-http->  Haproxy <-http-> Application

I've seen some configurations that are all about using HAProxy to force the user to upgrade the scheme to https, after which the whole system is over https. This is not what I'm looking for: I want to keep the application servers on http at all times.

Rafael Baptista

1 Answer

I think I found the answer:

defaults
        # header manipulation and forwardfor only work in HTTP mode
        # (the default mode is tcp), so mode http is needed here
        mode    http
        option  forwardfor
        option  http-server-close

frontend www-http
        bind :80
        # reqadd appends a header without removing a client-supplied one;
        # it was removed in HAProxy 2.2, where the replacement is
        #   http-request set-header X-Forwarded-Proto http
        reqadd X-Forwarded-Proto:\ http
        default_backend my-backend

frontend www-https
        bind :443 ssl crt /etc/haproxy/ssl/oroboro.com.pem
        # HAProxy 2.2+ equivalent: http-request set-header X-Forwarded-Proto https
        reqadd X-Forwarded-Proto:\ https
        default_backend my-backend

# the backend referenced above is not shown in the original answer;
# the server address below is a placeholder for your application servers
backend my-backend
        server app1 10.0.0.1:80 check

Add those two options in defaults. forwardfor adds the X-Forwarded-For header.

Then create two frontends, one bound to http and another to https; that is what the bind lines do. On the https frontend we put the parameters for ssl decryption. After that HAProxy will forward requests over http.

The X-Forwarded-Proto header is so your application server can know what protocol users are using, in case you want to generate the page differently for non-https users (e.g. not render certain content).

Rafael Baptista

  • The most common use case for `X-Forwarded-Proto` is to redirect non-https to https requests. I suppose that could be considered to fall under the category of "generate the page differently". – erik258 Jan 04 '17 at 01:03
  • @DanFarrell I disagree with that assessment. The purpose of `X-Forwarded-Proto` is to tell a downstream server that an upstream connection is using http or https -- for whatever reason. Doing redirects based on the presence of `http` is simply a common subset of that capability. – Michael - sqlbot Jan 04 '17 at 03:42
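Whichever way the application uses X-Forwarded-Proto, it should only believe the header when the request actually came through HAProxy. The following is an added example, not part of the question, the answer or the comments: a small Python function that derives the user's scheme and address from the headers the answer's configuration adds. It assumes (constructed for this example) that the HAProxy servers connect from 10.0.1.0/24 and that the application sees headers as a list of (name, value) pairs, as a WSGI or ASGI server would provide them. Because `reqadd` appends a header rather than replacing one, a request that arrives with more than one X-Forwarded-Proto value is treated as plain http; `http-request set-header` on newer HAProxy replaces any existing value and avoids that ambiguity.

```python
import ipaddress

# Constructed for this example: the address range HAProxy connects from.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.0/24")]


def _is_trusted_proxy(remote_addr):
    """True if the direct peer of this connection is one of our HAProxy servers."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def _header_values(headers, name):
    """All values of a header (case-insensitive name), comma-joined values split."""
    values = []
    for key, raw in headers:
        if key.lower() == name.lower():
            values.extend(v.strip() for v in raw.split(",") if v.strip())
    return values


def classify_request(remote_addr, headers):
    """Return (scheme, client_ip, reason) for a request seen by the application.

    scheme is the protocol the user used in front of HAProxy ("http" or "https"),
    client_ip is the user's address, reason explains the decision for logging.
    """
    if not _is_trusted_proxy(remote_addr):
        # A direct connection: nothing upstream we trust added these headers,
        # so they are ignored. The application itself only speaks plain http.
        return "http", remote_addr, "peer is not a trusted proxy; forwarded headers ignored"

    protos = _header_values(headers, "X-Forwarded-Proto")
    if protos == ["https"] or protos == ["http"]:
        scheme = protos[0]
        reason = "single X-Forwarded-Proto value from trusted proxy"
    else:
        # reqadd appends, so a client-supplied header survives next to the proxy's.
        # Zero, duplicate or unexpected values are therefore not trusted.
        scheme = "http"
        reason = "ambiguous X-Forwarded-Proto %r; treated as http" % (protos,)

    # option forwardfor appends the connecting client's address as the LAST
    # element, so that is the one the trusted proxy vouches for.
    xff = _header_values(headers, "X-Forwarded-For")
    client_ip = xff[-1] if xff else remote_addr
    return scheme, client_ip, reason


if __name__ == "__main__":
    # Constructed sample requests as the application would see them.
    samples = [
        ("10.0.1.5", [("X-Forwarded-Proto", "https"), ("X-Forwarded-For", "203.0.113.7")]),
        ("10.0.1.5", [("X-Forwarded-Proto", "https"), ("X-Forwarded-Proto", "http"),
                      ("X-Forwarded-For", "203.0.113.7")]),
        ("198.51.100.9", [("X-Forwarded-Proto", "https")]),
    ]
    for remote, hdrs in samples:
        print(remote, "->", classify_request(remote, hdrs))
```

The function returns a reason string so the decision can be logged; a steady stream of "ambiguous X-Forwarded-Proto" entries from a trusted proxy address is a sign that the proxy configuration appends rather than replaces the header.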