By the way, the ssl option for the server did the trick.  Based on the
documentation for the frontend mode option ("tcp ... This is the default
mode. It should be used for SSL, SSH, SMTP, ...") I had assumed that no
such backend option was available.  But I'm glad I was wrong!

Thanks again, Baptiste!


On Wed, Jun 25, 2014 at 3:49 PM, Claus Strommer <claus.strom...@primal.com>
wrote:

> Whoops!
>
> Just to be safe, here's the whole thing again, with additions
>
>
> --------8< snip ----------------
> frontend httpweb
>     bind *:80
>     bind *:443 ssl crt /etc/ssl/private/primal_bundle_2014.pem
>     mode http
>     option httplog
>
>     acl host_about hdr_end(host) -i about.site.com
>
>     acl host_api hdr_end(host) -i api.site.com
>     acl require_ssl hdr_end(host) -i api.site.com
>
>     acl host_error hdr_end(host) -i error.site.com
>     acl require_nossl hdr_end(host) -i error.site.com
>
>
>     redirect scheme https if !{ ssl_fc } require_ssl
>     redirect scheme http  if  { ssl_fc } require_nossl
>
>     use_backend about:3000 if host_about
>     use_backend api:80 if host_api
>     use_backend nginx:8080 if host_error
>
>
>
> backend about:3000
>     mode http
>     balance roundrobin
>     option httplog
>     #option httpclose
>     option forwardfor
>     server about.backend.com about.backend.com:3000 check inter 5000
>
> backend api:80
>     mode http
>     balance roundrobin
>     option httplog
>     #option httpclose
>     option forwardfor
>     server api.backend.com api.backend.com:80 check inter 5000
>
> backend about:3001
>     mode http
>     balance roundrobin
>     option httplog
>     #option httpclose
>     option forwardfor
>     server about.backend.com about.backend.com:3001 check inter 5000
>
> backend nginx:8080
>
>     mode http
>     balance roundrobin
>     option httplog
>     #option httpclose
>     option forwardfor
>     server localhost localhost:8080 check inter 5000
> --------8< snip ----------------
>
>
>
> Basically, all our backends except host_about and host_error go through
> SSL.  host_error is forced to HTTP, host_about is kept at whatever the
> client requests.
>
>
>
>
> On Wed, Jun 25, 2014 at 3:37 PM, Baptiste <bed...@gmail.com> wrote:
>
>> On Wed, Jun 25, 2014 at 5:47 PM, Claus Strommer
>> <claus.strom...@primal.com> wrote:
>> > Hello all,
>> >
>> > For reasons that I'll spare you I'm working on replacing a Pound
>> balancer
>> > with HAProxy 1.5.  I am mostly happy with my configuration, except for
>> one
>> > thing:
>> >
>> > All of my backends accept http, except for a Node.js server which
>> accepts
>> > mixed http and https. This server has a login page that explicitly
>> requires
>> > an SSL connection by checking the local socket used for the connection.
>> In
>> > Pound this was done by setting the HTTPS parameter on the backend,
>> however
>> > from my understanding HAProxy requires that I use TCP passthrough to
>> let the
>> > backend handle SSL.  I am uncertain as to how I should shape the HAProxy
>> > configuration to achieve this, as I would like the TCP backend to
>> listen on
>> > the same port as on the HTTP backend.  My (simplified) config looks
>> thus:
>> >
>> >
>> > --------8< snip ----------------
>> > frontend httpweb
>> >     bind *:80
>> >     bind *:443 ssl crt /etc/ssl/private/primal_bundle_2014.pem
>> >     mode http
>> >     option httplog
>> >
>> >     acl host_about hdr_end(host) -i about.site.com
>> >     acl host_api hdr_end(host) -i api.site.com
>> >
>> >     redirect scheme https if !{ ssl_fc } require_ssl
>> >     redirect scheme http  if  { ssl_fc } require_nossl
>> >
>> >     use_backend about:3000 if host_about
>> >     use_backend api:80 if host_api
>> >
>> > backend about:3000
>> >     mode http
>> >     balance roundrobin
>> >     option httplog
>> >     #option httpclose
>> >     option forwardfor
>> >     server about.backend.com about.backend.com:3000 check inter 5000
>> >
>> > backend api:80
>> >     mode http
>> >     balance roundrobin
>> >     option httplog
>> >     #option httpclose
>> >     option forwardfor
>> >     server api.backend.com api.backend.com:80 check inter 5000
>> >
>> > backend about:3001
>> >     mode http
>> >     balance roundrobin
>> >     option httplog
>> >     #option httpclose
>> >     option forwardfor
>> >     server about.backend.com about.backend.com:3001 check inter 5000
>> > --------8< snip ----------------
>> >
>> > This of course sends the client into a redirect loop (301) if I hit e.g.
>> > https://about.site.com/login , because the connection between HAProxy
>> and
>> > Node is non-SSL, so it redirects me back to that URL expecting the
>> > subsequent connection to be HTTPS.  If I add an about:3001 backend
>> (3001 is
>> > Node's SSL port) I of course get a 502 error because HAProxy connects
>> to it
>> > via non-SSL protocol.  I also tried to set the backend to tcp mode but
>> that
>> > failed because the frontend is http.
>> >
>> > So my guess is that I need to add a tcp frontend to handle specifically
>> > HTTPS connections for about.site.com.  How would I go about doing
>> that?  Can
>> > I have both a TCP and HTTP frontend bind to the same port?  How would I
>> > shape the ACLs to direct https://about.site.com to the TCP frontend,
>> and
>> > everything else to the HTTP frontend?
>> >
>> >
>> >
>> > --
>> > Claus Strommer, Dev/Ops Engineering Specialist
>>
>>
>> Hi Claus,
>>
>> first, I don't understand your configuration.
>> You may have cut some part of it, but you cut too much :)
>> We need to know the content of require_ssl and require_nossl.
>> Also, the backend 3001 is not used.
>>
>> Maybe this could help: if you want to cipher a connection to a server,
>> then simply add the keyword "ssl" on the server line.
>> (check also the global parameter ssl-server-verify)
>>
>> Baptiste
>>
>
>
>
> --
> Claus Strommer, Dev/Ops Engineering Specialist
>



-- 
Claus Strommer, Dev/Ops Engineering Specialist
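Added example, not part of the thread and not Claus's final configuration: an HAProxy 1.5 config that does what the thread ends up at, namely re-encrypting to Node's TLS port with the "ssl" keyword Baptiste pointed to, while also wiring the ssl-server-verify caveat he mentioned. Backend names, timeouts, the CA file /etc/ssl/certs/internal-ca.pem, the X-Forwarded-Proto header and the split of about.* into a plain and a TLS backend are assumptions added here; the host and port names are the ones from the posted config.

```haproxy
# Added example (not the thread's config). Assumes a private CA at
# /etc/ssl/certs/internal-ca.pem that issued about.backend.com's certificate.
global
    # "required" is the HAProxy 1.5 default; written out so nobody later
    # flips it to "none" without noticing that it turns off certificate checks
    ssl-server-verify required

defaults
    mode http
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend httpweb
    bind *:80
    bind *:443 ssl crt /etc/ssl/private/primal_bundle_2014.pem

    acl host_about hdr_end(host) -i about.site.com
    acl host_api   hdr_end(host) -i api.site.com
    acl host_error hdr_end(host) -i error.site.com

    # api.* is forced to HTTPS, error.* to HTTP; ssl_fc is true only when the
    # client's own connection to HAProxy was TLS, so these cannot loop
    redirect scheme https code 301 if !{ ssl_fc } host_api
    redirect scheme http  code 301 if  { ssl_fc } host_error

    # Tell the application which scheme the client used instead of letting it
    # infer that from its own socket
    http-request set-header X-Forwarded-Proto https if  { ssl_fc }
    http-request set-header X-Forwarded-Proto http  if !{ ssl_fc }

    # about.* follows the client: TLS clients are re-encrypted to Node's TLS
    # port so a login page that inspects its local socket sees TLS
    use_backend about_tls   if host_about { ssl_fc }
    use_backend about_plain if host_about
    use_backend api_plain   if host_api
    use_backend nginx_error if host_error

backend about_tls
    balance roundrobin
    # "ssl" makes HAProxy speak TLS to the server (health checks included);
    # "verify required" + ca-file validates the chain and verifyhost pins the
    # name, so a spoofed backend is refused rather than silently accepted
    server about_tls about.backend.com:3001 ssl verify required \
        ca-file /etc/ssl/certs/internal-ca.pem verifyhost about.backend.com \
        check inter 5000

backend about_plain
    balance roundrobin
    server about_plain about.backend.com:3000 check inter 5000

backend api_plain
    balance roundrobin
    server api api.backend.com:80 check inter 5000

backend nginx_error
    balance roundrobin
    server localhost localhost:8080 check inter 5000
```

Run `haproxy -c -f /path/to/this.cfg` before reloading; with "verify required" HAProxy refuses to start the server if the CA file is missing, which is the failure you want, as opposed to "verify none", which connects to whatever answers on port 3001. A plain-HTTP backend that only reads X-Forwarded-Proto needs no second port at all, but the socket-checking login page in the thread does.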
