How to use Haproxy to forward https requests via http

I have an haproxy setup, with several haproxy servers that route to a cluster of application servers. I'd like haproxy to do all the ssl termination.

Right now https requests are forwarded to application servers as https. So what I'd like is:

user <-https-> Haproxy <-http-> Application
user <-http->  Haproxy <-http-> Application

I've seen some configurations that are all about using haproxy to force user to upgrade scheme to https and then the whole system is over https. This is not what I'm looking for – I want to keep application servers in http at all times.

Best Answer

I think I found the answer:

defaults
        option  forwardfor
        option  http-server-close


frontend www-http
        bind :80
        reqadd X-Forwarded-Proto:\ http
        default_backend my-backend

frontend www-https
        bind :443 ssl crt /etc/haproxy/ssl/oroboro.com.pem
        reqadd X-Forwarded-Proto:\ https
        default_backend my-backend

Add those two options in defaults. forwardfor adds the X-Forwarded-For headers.

Then create two frontends, one bound to http and another to https; that is what the bind lines do. On the https frontend we put the parameters for ssl decryption. After that haproxy will forward requests over http.

The X-Forwarded-Proto header is so your application server can know what protocol users are using in case you want to generate the page differently for non-https users (e.g. not render certain content).
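
An application-side counterpart to the configuration above, added here as an example and not part of the original answer. `reqadd` appends the header without removing one the client already sent, and anyone who can reach an application server directly can set it themselves, so this WSGI middleware honours X-Forwarded-Proto only from the proxy addresses and uses the last value. The class name, the 10.0.0.0/24 proxy subnet, the demo app and the comma-joined duplicate-header behaviour of the WSGI server are assumptions.

```python
# Added example: names and addresses below are constructed, not from the page.
import ipaddress


class ForwardedProto:
    """WSGI middleware: derive the client's scheme from X-Forwarded-Proto,
    but only when the request really came from one of the HAProxy nodes."""

    def __init__(self, app, trusted_proxies):
        self.app = app
        self.trusted = [ipaddress.ip_network(p) for p in trusted_proxies]

    def client_scheme(self, environ):
        try:
            peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
        except ValueError:
            return "http"
        if not any(peer in net for net in self.trusted):
            return "http"  # direct hit on the app server: header is untrusted
        # Assumption: the WSGI server joins duplicate headers with commas.
        # reqadd appends, so the proxy's own value is the last element,
        # after anything the client sent.
        raw = environ.get("HTTP_X_FORWARDED_PROTO", "")
        last = raw.split(",")[-1].strip().lower()
        return last if last in ("http", "https") else "http"

    def __call__(self, environ, start_response):
        environ["wsgi.url_scheme"] = self.client_scheme(environ)
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    # Render differently for non-https users, as the answer suggests.
    secure = environ["wsgi.url_scheme"] == "https"
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"secure view" if secure else b"plain view"]


def render(remote_addr, header=None):
    """Run one constructed request through the middleware; return the body."""
    environ = {"REMOTE_ADDR": remote_addr, "wsgi.url_scheme": "http"}
    if header is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = header
    app = ForwardedProto(demo_app, ["10.0.0.0/24"])  # constructed proxy subnet
    return b"".join(app(environ, lambda status, headers: None))
```

The same result can be reached on the proxy side by making sure the frontends overwrite the header instead of appending to it; the middleware still covers requests that bypass HAProxy.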