On Tue, Aug 11, 2015 at 12:10 PM, Roman Gelfand <rgelfa...@gmail.com> wrote:

> I am publishing horde webmail application.  The horde itself is served
> internally via http protocol on apache.  Please, see the configuration,
> below.  The issue seems to be with css and image files as formatting is out
> of whack.  Please note, accessing the http site from intranet works.
>
> global
>   log 127.0.0.1 local0 debug
>   tune.ssl.default-dh-param 2048
>   maxconn 4096
>   user proxy
>   group proxy
>   daemon
>   #debug
>   #quiet
>
> defaults
>   log global
>   mode  http
>   option forwardfor
>   option  httplog
>   option  dontlognull
>   option  redispatch
>   option http-server-close
>   retries 3
>   maxconn 2000
>   timeout connect 5000
>   timeout client 50000
>   timeout server 50000
>
> frontend farm_test_ssl
>   mode  http
>   bind 0.0.0.0:443 ssl crt /etc/ssl/certs/cs.pem crt /etc/ssl/certs/remote.pem
>   use_backend bk_cs_cert if { ssl_fc_sni cs.localdom.com } # content switching based on SNI
>   use_backend bk_remote_cert if { ssl_fc_sni remote.localdom.com } # content switching based on SNI
>
> backend bk_cs_cert
>   mode http
>   server cs 192.168.8.108:80 check ssl verify none
>
> backend bk_remote_cert
>   mode http
>   server remail 192.168.8.166:80 check ssl verify none
>
>

Roman,

My guess would be mixed content, which every modern browser will block
these days. Meaning you request a page over https but the response page has
http links for the css and js files, which the browser will refuse to load.
You can confirm that using the development tools in Chrome or Firefox just
to make sure this is the case.

More details about ssl offloading can be found here:
http://blog.haproxy.com/2013/02/26/ssl-offloading-impact-on-web-applications/

In short, you need to tell the backend apache that the content needs to be
served via ssl. That is usually done by providing some headers in HAProxy:

       http-request set-header X-Forwarded-Proto https if  { ssl_fc }

then in Apache I have:

        SetEnvIfNoCase X-Forwarded-Proto https HTTPS=on
        # Ensure the pages requested over ssl are always over ssl
        RewriteEngine On
        RewriteCond %{HTTP_X_Forwarded_Proto}  ^https$
        RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R,L]

Hope this helps, in case I'm right that is :-).
Igor
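
One way to run the mixed-content check described above outside the browser, as an added example that is not part of the original message: a small Python scanner that lists subresources resolving to `http://` on a page served over `https://`. The sample HTML and its `/horde/...` paths are constructed for illustration; only the host name comes from the posted configuration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that load "active" content: blocked when fetched over http
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href")}
# "Passive" content (images, media): treated more leniently by browsers
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    """Collect subresources that resolve to http:// on a page fetched over https://."""

    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.findings = []  # (kind, tag, resolved_url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            # <base href> changes how every later relative URL resolves
            self.base = urljoin(self.base, attrs["href"])
            return
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            for t, attr in table:
                if t != tag or not attrs.get(attr):
                    continue
                if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                    continue  # only stylesheet links are subresource loads
                url = urljoin(self.base, attrs[attr].strip())
                if urlsplit(url).scheme == "http":
                    self.findings.append((kind, tag, url))


def find_mixed_content(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


# Constructed sample of what a backend unaware of the SSL offload might emit
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://remote.localdom.com/horde/themes/screen.css">
<link rel="stylesheet" href="/horde/themes/print.css">
<script src="//remote.localdom.com/horde/js/horde.js"></script>
</head><body>
<img src="http://remote.localdom.com/horde/themes/logo.png">
<a href="http://remote.localdom.com/horde/login.php">login</a>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content("https://remote.localdom.com/horde/", SAMPLE):
        print(f"{kind:8} <{tag}> {url}")
```

Relative and protocol-relative URLs inherit the page's `https` scheme and are not reported, and plain `<a href>` links are navigation rather than subresource loads, so they are ignored.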
