I am using HAProxy to redirect traffic to different web servers in a local network.
Without SSL enabled, I can route based on hostname like this (in frontend section):
    acl is_local hdr_end(host) -i mirror.skbx.co
    acl is_kiev hdr_end(host) -i kiev.skbx.co
    use_backend kiev if is_kiev
    default_backend wwwlocalbackend
As soon as I enable SSL, everything works in TCP mode via Pass through SSL mode.
But I also need to make sure HTTP is redirected to HTTPS. When I use:
    redirect scheme https if !{ ssl_fc }
in my HTTP frontend section of HAProxy config, I get all requests redirected to default backend, so the above-mentioned acl rules are ignored if the request is redirected from redirect scheme.
This question has an answer on how to get it working via SSL Termination, where SSL is stripped down at HAProxy level.
My question is – is HTTP to HTTPS redirect possible while retaining pass-through (mode tcp)?
Full config of frontend and backend sections I have is in this gist.
Best Answer
In TCP mode, HAProxy doesn't actually even terminate SSL, it just passes the packets on to the backend. Since https-frontend can't decode the headers in the following lines, it just passes everything to the default_backend.
You'll have to specify a cert on the bind line and run both the Frontend and Backends in mode http.
For example:
Where /etc/ssl/haproxy.pem contains a cert for all the domains you want to host, or a wildcard cert that covers them.
If you have separate certs for each domain, you'll need to follow the configuration of frontend ft_test from the accepted answer in the question you posted (Configure multiple SSL certificates in Haproxy).
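The layout this answer describes (TLS terminated on the bind line, both sides in mode http, the host ACLs from the question evaluated after decryption), written out as an added example that is not the answerer's own config. The frontend names, server names and 192.0.2.x addresses are placeholders.

```haproxy
# Added example. Frontend names, server names and addresses are placeholders.

frontend http-in
    bind *:80
    mode http
    # Nothing on this listener is TLS, so ssl_fc is always false here and
    # every request is answered with a redirect. The Host header is kept
    # in the Location URL, so the client comes back to the same hostname.
    redirect scheme https code 301 if !{ ssl_fc }

frontend https-in
    # HAProxy terminates TLS here, which is what makes the Host header
    # readable. In mode tcp the request is still encrypted at this point
    # and these ACLs can never match.
    bind *:443 ssl crt /etc/ssl/haproxy.pem
    mode http
    acl is_local hdr_end(host) -i mirror.skbx.co
    acl is_kiev  hdr_end(host) -i kiev.skbx.co
    use_backend kiev if is_kiev
    default_backend wwwlocalbackend

backend kiev
    mode http
    # Traffic from HAProxy to this server is plain HTTP after termination
    server kiev1 192.0.2.10:80 check

backend wwwlocalbackend
    mode http
    server local1 192.0.2.20:80 check
```

hdr_end(host) is a suffix match, so any hostname ending in kiev.skbx.co is routed to the kiev backend; hdr(host) gives an exact match if only the one name should be accepted.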