Hello all,
For reasons that I'll spare you I'm working on replacing a Pound balancer
with HAProxy 1.5. I am mostly happy with my configuration, except for one
thing:
All of my backends accept http, except for a Node.js server which accepts
mixed http and https. This server has a login page that explicitly requires
an SSL connection by checking the local socket used for the connection. In
Pound this was done by setting the HTTPS parameter on the backend, however
from my understanding HAProxy requires that I use TCP passthrough to let
the backend handle SSL. I am uncertain as to how I should shape the
HAProxy configuration to achieve this, as I would like the TCP backend to
listen on the same port as on the HTTP backend. My (simplified) config
looks thus:
--------8< snip ----------------
frontend httpweb
    bind *:80
    bind *:443 ssl crt /etc/ssl/private/primal_bundle_2014.pem
    mode http
    option httplog
    acl host_about hdr_end(host) -i about.site.com
    acl host_api hdr_end(host) -i api.site.com
    # require_ssl / require_nossl are ACLs that are not shown in this
    # simplified excerpt
    redirect scheme https if !{ ssl_fc } require_ssl
    redirect scheme http if { ssl_fc } require_nossl
    use_backend about:3000 if host_about
    use_backend api:80 if host_api

backend about:3000
    mode http
    balance roundrobin
    # option httplog only has effect in defaults/frontend/listen sections;
    # HAProxy ignores it in a backend
    option httplog
    #option httpclose
    option forwardfor
    server about.backend.com about.backend.com:3000 check inter 5000

backend api:80
    mode http
    balance roundrobin
    option httplog
    #option httpclose
    option forwardfor
    server api.backend.com api.backend.com:80 check inter 5000

# 3001 is Node's SSL port; HAProxy still connects to it in plaintext here
backend about:3001
    mode http
    balance roundrobin
    option httplog
    #option httpclose
    option forwardfor
    server about.backend.com about.backend.com:3001 check inter 5000
--------8< snip ----------------
This of course sends the client into a redirect loop (301) if I hit e.g.
https://about.site.com/login, because the connection between HAProxy and
Node is non-SSL, so it redirects me back to that URL expecting the
subsequent connection to be HTTPS. If I add an about:3001 backend (3001 is
Node's SSL port) I of course get a 502 error because HAProxy connects to it
via non-SSL protocol. I also tried to set the backend to tcp mode but that
failed because the frontend is http.
So my guess is that I need to add a tcp frontend to handle specifically
HTTPS connections for about.site.com. How would I go about doing that?
Can I have both a TCP and HTTP frontend bind to the same port? How would I
shape the ACLs to direct https://about.site.com to the TCP frontend, and
everything else to the HTTP frontend?
--
Claus Strommer, Dev/Ops Engineering Specialist
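The layout asked about above, written out as an added example for HAProxy 1.5; it is not the poster's configuration nor a reply from the list. Rather than binding a TCP frontend and an HTTP frontend to the same port, a single tcp-mode frontend owns *:443, reads the SNI from the TLS ClientHello (req_ssl_sni), passes about.site.com straight through to Node's TLS port, and hands everything else to the existing HTTP frontend over an internal listener. The loopback port 127.0.0.1:8443, the PROXY-protocol hop, the X-Forwarded-Proto headers and the CA bundle path in the re-encrypt alternative are assumptions; the hostnames, ports and certificate path are taken from the post, and the require_ssl/require_nossl redirect rules from the original are left out because their ACLs are not shown.

```haproxy
# --- Layer 4 front door: owns *:443 and never decrypts ---------------------
# It inspects the TLS ClientHello (still plaintext at this point) and either
# passes the whole stream through to Node's own TLS port or hands it to the
# HTTP-mode frontend below for termination.
frontend tls_router
    bind *:443
    mode tcp
    option tcplog
    # Give the client up to 5s to send its ClientHello; without the delay the
    # content rules run against an empty buffer and no SNI is ever seen.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Only the host whose app checks its local socket is passed through.
    use_backend about_passthrough if { req_ssl_sni -i about.site.com }
    # Everything else (other hosts, clients without SNI) is terminated here.
    default_backend tls_terminate

backend about_passthrough
    mode tcp
    # Raw TCP to Node's TLS port (3001 per the post). HAProxy cannot add
    # X-Forwarded-For or apply HTTP ACLs on this path; Node sees HAProxy's IP.
    server about.backend.com about.backend.com:3001 check inter 5000

backend tls_terminate
    mode tcp
    # Loop back into the HTTP frontend on an assumed loopback port. send-proxy
    # prepends a PROXY protocol header so the real client address survives the
    # hop instead of every request appearing to come from 127.0.0.1.
    server local_tls 127.0.0.1:8443 send-proxy

# --- Layer 7 frontend: plain HTTP, plus TLS terminated for non-about hosts --
frontend httpweb
    bind *:80
    # accept-proxy pairs with send-proxy above; same certificate bundle as before
    bind 127.0.0.1:8443 ssl crt /etc/ssl/private/primal_bundle_2014.pem accept-proxy
    mode http
    option httplog
    option forwardfor
    # Tell HTTP-mode backends whether the client side was encrypted
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
    acl host_about hdr_end(host) -i about.site.com
    acl host_api hdr_end(host) -i api.site.com
    # about.site.com only arrives here over plain :80 now; its HTTPS traffic
    # went through about_passthrough and never reaches this frontend.
    use_backend about:3000 if host_about
    use_backend api:80 if host_api

backend about:3000
    mode http
    balance roundrobin
    server about.backend.com about.backend.com:3000 check inter 5000

backend api:80
    mode http
    balance roundrobin
    server api.backend.com api.backend.com:80 check inter 5000

# --- Alternative: keep one HTTP-mode frontend and re-encrypt instead --------
# HAProxy 1.5 can speak TLS to the server itself, so the TCP router above is
# not needed if Node only cares that *its* socket is TLS. Bind *:443 on
# httpweb as in the original config, define this backend, and route with
#     use_backend about:3001 if host_about { ssl_fc }
#     use_backend about:3000 if host_about
backend about:3001
    mode http
    balance roundrobin
    option forwardfor
    # verify required + ca-file makes HAProxy check Node's certificate against
    # a CA bundle (assumed path); "verify none" would accept any certificate
    # and leave the HAProxy-to-Node hop open to impersonation.
    server about.backend.com about.backend.com:3001 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt check inter 5000
```

Two caveats with the passthrough design: a client that sends no SNI falls to default_backend, gets HAProxy's certificate, and for about.site.com would still end up in the redirect loop described in the post; and the passthrough backend can carry no X-Forwarded-For, so any IP-based logic in Node has to live in HAProxy's tcp layer or be dropped. The re-encrypt alternative keeps forwardfor and the http ACLs, at the cost of HAProxy terminating and re-establishing TLS, and it only works if the login check is satisfied by any TLS connection on 3001 rather than by the end user's own handshake.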