I seem to be having an interesting issue with forced ssl redirects in
Haproxy 1.5.11.

Sorry if this sounds clear as mud, but here goes:
When I load a domain that is served by haproxy that is supposed to force
https, it initially forces the connection to be https (if you attempt to
connect over http), but I get a Mixed content warning when it attempts
to load another url that is based on the same domain. If I allow the
mixed content through the browser, it does not get redirected to https.
I am sure I just have something configured incorrectly, but I am not
sure where.....
I go to URL:
https://localcaleb.test123.com/apps/test123/test.html
inside the test123 app it makes a protocol-less request to another app
which ends up using http (since the backend is http balanced) using this
URL:
http://localcaleb.test23.com/apps/testgw/login.jsp
Since we have a redirect for ssl in place, shouldn't the request get
forced to https? It worked this way when apache was acting as our SSL
reverse proxy. What am I doing incorrectly? If I allow mixed content
in the browser, the haproxy logs show that it indeed connects over port
80 without getting redirected to 443.
Here is the frontend:

frontend localcaleb.test123.com ## local Backends
    bind 10.0.60.5:80
    bind 10.0.60.5:443 ssl crt /etc/certs/test.bundle no-sslv3 ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:!RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM:!SSLV3:!eNULL
    redirect scheme https if !{ ssl_fc }
    option http-server-close
    acl is_apps_match url_beg /apps/
    use_backend caleblocal.test123.com if is_apps_match
    default_backend caleb.test123.com
Here are the relevant backends:

backend caleblocal.test123.com
    reqrep ^([^\ ]*)\ /apps/(.*) \1\ /\2
    server caleb-pc.staff.test123.com 192.168.166.182:8080 weight 50 check
    server maint maint.test123.com:81 check backup
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }

backend caleb.test123.com
    reqrep ^([^\ ]*)\ /apps/(.*) \1\ /\2
    server caleb 10.0.3.216:80 weight 50 check
    server maint maint.test123.com:81 check backup
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }

Thanks.
--
--Sean Patronis
Auto Data Direct Inc.
850.877.8804
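
The browser-side half of the situation described above, as an added example that is not part of the original post: it resolves each subresource reference in a page loaded over https the way a browser does, so scheme-less references inherit https and only absolute http:// references are reported as mixed content. The function names and the sample page are assumptions constructed for illustration; only the page URL and the login.jsp path come from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a subresource.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class MixedContentFinder(HTMLParser):
    """Collect subresource references that resolve to http:// on an https page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, raw reference, resolved URL)

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)  # None for navigation tags such as <a>
        for name, value in attrs:
            if name != wanted or not value:
                continue
            # urljoin applies the same rule as the browser: a reference
            # without a scheme ("//host/x" or "/x") inherits the page's.
            resolved = urljoin(self.page_url, value)
            if urlsplit(resolved).scheme == "http":
                self.findings.append((tag, value, resolved))


def find_mixed_content(page_url, html):
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on pages loaded over https
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings


# Constructed sample page (assumption, not taken from the post).
SAMPLE_URL = "https://localcaleb.test123.com/apps/test123/test.html"
SAMPLE_HTML = """
<html><body>
<script src="//localcaleb.test123.com/apps/testgw/a.js"></script>
<iframe src="/apps/testgw/login.jsp"></iframe>
<iframe src="http://localcaleb.test123.com/apps/testgw/login.jsp"></iframe>
<a href="http://localcaleb.test123.com/apps/testgw/help.html">help</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, raw, resolved in find_mixed_content(SAMPLE_URL, SAMPLE_HTML):
        print(f"<{tag}> {raw!r} -> {resolved}")
```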