I seem to be having an interesting issue with forced SSL redirects in HAProxy 1.5.11.

Sorry if this sounds clear as mud, but here goes:

When I load a domain that is served by haproxy that is supposed to force https, it initially forces the connection to be https (if you attempt to connect over http), but I get a Mixed content warning when it attempts to load another url that is based on the same domain. If I allow the mixed content through the browser, it does not get redirected to https. I am sure I just have something configured incorrectly, but I am not sure where.....

I go to URL:
https://localcaleb.test123.com/apps/test123/test.html

Inside the test123 app it makes a protocol-less request to another app, which ends up using http (since the backend is http balanced), using this URL:
http://localcaleb.test23.com/apps/testgw/login.jsp

Since we have a redirect for ssl in place, shouldn't the request get forced to https? It worked this way when apache was acting as our SSL reverse proxy. What am I doing incorrectly? If I allow mixed content in the browser, the haproxy logs show that it indeed connects over port 80 without getting redirected to 443.


Here is the frontend:

frontend localcaleb.test123.com ## local Backends
    bind 10.0.60.5:80
    bind 10.0.60.5:443 ssl crt /etc/certs/test.bundle no-sslv3 ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM:!SSLV3:!eNULL
    redirect scheme https if !{ ssl_fc }
    option http-server-close
    acl is_apps_match url_beg /apps/
    use_backend caleblocal.test123.com if is_apps_match
    default_backend caleb.test123.com



Here are the relevant backends:

backend caleblocal.test123.com
    reqrep ^([^\ ]*)\ /apps/(.*)     \1\ /\2
    server caleb-pc.staff.test123.com 192.168.166.182:8080 weight 50 check
    server maint maint.test123.com:81 check backup
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }


backend caleb.test123.com
    reqrep ^([^\ ]*)\ /apps/(.*)     \1\ /\2
    server caleb 10.0.3.216:80 weight 50 check
    server maint maint.test123.com:81 check backup
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }


Thanks.

--
--Sean Patronis
Auto Data Direct Inc.
850.877.8804
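
One way to confirm from the HAProxy log which plain-HTTP requests on this frontend were served instead of redirected, as the post describes (an added example, not part of the original message). It assumes the default `option httplog` line format, in which the frontend name carries a `~` suffix for SSL connections; the log lines are constructed.

```python
import re

# Assumed layout: HAProxy's default "option httplog" line, where the frontend
# name carries a '~' suffix when the connection arrived over SSL/TLS.
LINE_RE = re.compile(
    r'haproxy\[\d+\]: (?P<client>\S+):\d+ \[[^\]]+\] (?P<frontend>\S+) '
    r'(?P<backend>[^/\s]+)/(?P<server>\S+) \S+ (?P<status>\d{3}) '
    r'.*"(?P<request>[^"]*)"$'
)
REDIRECT_CODES = {301, 302, 303, 307, 308}


def unredirected_plain_http(lines, frontend):
    """Return (client, status, request) for every request that reached
    `frontend` without TLS and was answered with a non-redirect status."""
    findings = []
    for line in lines:
        m = LINE_RE.search(line.strip())
        if not m:
            continue  # not an HTTP-format log line
        if m.group("frontend") != frontend:
            continue  # other frontend, or this frontend over TLS ('~' suffix)
        status = int(m.group("status"))
        if status not in REDIRECT_CODES:
            findings.append((m.group("client"), status, m.group("request")))
    return findings


# Constructed sample lines: addresses, timers and sizes are made up.
SAMPLE_LOG = [
    # TLS request, served by the backend
    'Mar 10 09:15:01 lb1 haproxy[2211]: 10.0.60.77:51234 [10/Mar/2015:09:15:01.120] '
    'localcaleb.test123.com~ caleblocal.test123.com/caleb-pc.staff.test123.com '
    '12/0/1/25/38 200 5120 - - ---- 2/2/0/1/0 0/0 "GET /apps/test123/test.html HTTP/1.1"',
    # plain HTTP request answered by the frontend's redirect rule
    'Mar 10 09:15:02 lb1 haproxy[2211]: 10.0.60.77:51235 [10/Mar/2015:09:15:02.004] '
    'localcaleb.test123.com localcaleb.test123.com/<NOSRV> '
    '3/-1/-1/-1/3 302 150 - - LR-- 1/1/0/0/0 0/0 "GET /apps/test123/test.html HTTP/1.1"',
    # plain HTTP request that was passed to a backend: the case to flag
    'Mar 10 09:15:03 lb1 haproxy[2211]: 10.0.60.77:51236 [10/Mar/2015:09:15:03.310] '
    'localcaleb.test123.com caleblocal.test123.com/caleb-pc.staff.test123.com '
    '8/0/1/30/39 200 2048 - - ---- 2/2/0/1/0 0/0 "GET /apps/testgw/login.jsp HTTP/1.1"',
]

if __name__ == "__main__":
    for client, status, request in unredirected_plain_http(SAMPLE_LOG, "localcaleb.test123.com"):
        print(f"{client} got {status} over plain HTTP: {request}")
```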

