HAProxy not redirecting http to https (ssl) - haproxy

I'm using HAProxy for load balancing and only want my site to support https. Thus, I'd like to redirect all requests on port 80 to port 443.
How would I do this?
Edit: We'd like to redirect to the same url on https, preserving query params. Thus, http://foo.com/bar would redirect to https://foo.com/bar
frontend httpfront
    mode http
    bind *:80
    redirect scheme https code 301 if !{ ssl_fc }

You need to configure a frontend for port 443.
frontend (port 80) -> frontend (port 443) -> backend
Check my example:
frontend httpfront
    mode http
    bind *:80
    redirect scheme https code 301 if !{ ssl_fc }

frontend httpsfront
    mode tcp
    bind *:443
    default_backend app

backend app
    mode tcp
    balance roundrobin
    server server01 10.10.10.11:443 check
    server server02 10.10.10.12:443 check
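
A variant of the configuration above that terminates TLS at HAProxy instead of passing port 443 through in tcp mode, so the HTTPS frontend can also send an HSTS header and browsers stop using the plaintext hop on later visits. This is an added example, not part of the original answer; the certificate path, backend ports and max-age value are assumptions.

```haproxy
# Added example. Certificate path, backend ports and max-age are placeholders.
global
    # Refuse legacy protocol versions on connections terminated here.
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend httpfront
    bind *:80
    # Keeps host, path and query string; only the scheme changes, so
    # http://foo.com/bar?x=1 becomes https://foo.com/bar?x=1.
    http-request redirect scheme https code 301 unless { ssl_fc }

frontend httpsfront
    # PEM bundle holding certificate, chain and private key (placeholder path).
    bind *:443 ssl crt /etc/haproxy/certs/site.pem
    # HSTS: the browser rewrites later http:// requests itself, so the
    # unencrypted first request is not repeated on every visit.
    http-response set-header Strict-Transport-Security "max-age=31536000"
    # Tell the application that the client side of the connection was TLS.
    http-request set-header X-Forwarded-Proto https
    default_backend app

backend app
    balance roundrobin
    # Constructed addresses: plain HTTP on a private network behind the proxy.
    server server01 10.10.10.11:8080 check
    server server02 10.10.10.12:8080 check
```

The HSTS header can only be added when HAProxy terminates TLS; in the tcp passthrough layout the backend servers have to send it themselves.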

Related

HAProxy - Http-request redirect to backend host?

I would like incoming queries to haproxy, for example http://haproxy/test, to be redirected to one of the backends with a 301 redirection:
http://server-a/test or
http://server-b/test or
http://server-c/test or
…
My backend:
backend cluster_redirect
    mode http
    balance random
    server server-a server-a:80
    server server-b server-b:80
    server server-c server-c:80
My frontend:
frontend www
    bind :80
    http-request redirect code 301 location http://%bi%[capture.req.uri]
    use_backend cluster_redirect
%bi is not interpreted! The URL for the redirect is: "location: http:///test"
If I use a set-header for debugging: http-response set-header X-Debug http://%bi%[capture.req.uri]
the header is: X-Debug: http://10.1.1.1/test.
10.1.1.1 is the IP of haproxy.
Thank you

how to redirect a url like https://example.com to https://www.example.com in haproxy

I know how to redirect from:
http example.com to https www.example.com
and
http www.example.com to https www.example.com
but don't know how to redirect from:
https example.com to https www.example.com in Haproxy
In both frontends:
    redirect prefix https://www.example.com code 301 if { hdr(host) -i example.com }

frontend weblb
    bind *:80
    acl is_www hdr_beg(host) ilanni.com
    redirect prefix https://www.ilanni.com code 301 if is_www
    acl is_host hdr_beg(host) www.ilanni.com
    redirect scheme https if !{ ssl_fc }
    bind *:443 ssl crt /etc/haproxy/ilanni.com.pem
    use_backend sellerserver if is_host

backend sellerserver
    balance source
    server web1 127.0.0.1:8111 maxconn 1024 weight 3 check inter 2000 rise 2 fall 3

haproxy redirect scheme https if !$request_uri

Is it possible to disable https on some URLs? I tried this, but it's not working.
I need a piece of my site without https and redirect
frontend http
    bind *:80
    mode http
    acl folder path_beg -i ^/somefolder/subfolder/.* ^/somefolder/subfolder2/.*
    redirect scheme https if !folder
    option http-server-close
    reqadd X-Forwarded-Proto:\ http
    option forwardfor header X-Real-IP
    default_backend nodes

frontend https
    bind *:443
    mode http
    option http-server-close
    reqadd X-Forwarded-Proto:\ https
    option forwardfor header X-Real-IP
    default_backend nodes

backend nodes
    balance leastconn
    server server1 10.10.10.7:80 cookie A check
    server server2 10.10.10.8:80 cookie A check
Access list:
    acl folder path_dir -i /somefolder/subfolder/ /somefolder/subfolder2/
In the backend you need the rule:
    redirect scheme https if !folder !{ ssl_fc }
After that, the whole site is redirected to https, but if the URI contains /somefolder/subfolder/ or /somefolder/subfolder2/ it can still be reached over http.
In nginx you need to add some rules if you want to redirect https to http:
if ( $http_x_forwarded_proto = "https" ) {
    rewrite ^/somefolder/subfolder2/ http://domain//somefolder/subfolder2/ permanent;
}

Redirecting requests over 8443 to 443

One of our applications was previously configured to serve SSL from tomcat over port 8443. We're migrating this application to a new environment and switching to using nginx to handle SSL termination rather than tomcat (which will operate over 8080). I would like the ability for folks to be able to connect to the new environment over 8443 but get redirected to 443 (to support anyone's old bookmarks or links).
Currently have rulesets to redirect 80 to 443, and a full ssl_certificate set defined for listening on 443, but no luck trying a variety of methods to listen on 8443 and redirect to itself over 443.
Any suggestions?
Just define a separate server for port 8443, and do a redirect from there. You'd obviously still have to have a proper certificate for your 8443 server, too.
server {
    listen 8443 ssl;
    server_name example.com;
    ssl_...;
    return 301 https://example.com$request_uri;
}

haproxy acl not working in https/tcp mode

I am experiencing some problems, it seems I can't get acl's to work in tcp mode, everything works in http mode.
Here is my config.
frontend http *:80
    acl http_test_acl path_beg -i /test
    use_backend http_test if http_test_acl
    default_backend http_default

backend http_test
    balance roundrobin
    server httptest 10.10.10.10:80 check

backend http_default
    balance roundrobin
    server httpdefault 10.10.10.10:80 check

############# HTTPS #################
frontend https *:443
    mode tcp
    acl https_test_acl path_beg -i /test
    use_backend https_test if https_test_acl
    default_backend https_default

backend https_test
    mode tcp
    balance roundrobin
    server httpstest 10.10.10.10:443 check

backend https_default
    mode tcp
    balance roundrobin
    server httpsdefault 10.10.10.10:443 check
Don't pay attention to IP 10.10.10.10, as I have hidden my original one. Could you please let me know why https is not working? The http frontend/backend acl rules are working just fine.
cheers
Because your https servers are in tcp mode (as they should be for ssl), a layer 7 rule won't work.
For the acl to work, disable tcp mode, then set up ssl on the servers in your backend (hence the ssl keyword):
frontend https *:443
    acl https_test_acl path_beg -i /test
    use_backend https_test if https_test_acl
    default_backend https_default

backend https_test
    balance roundrobin
    server httpstest 10.10.10.10:443 ssl check

backend https_default
    balance roundrobin
    server httpsdefault 10.10.10.10:443 ssl check
Alternatively, instead of having to set up ssl on both your backend servers, use private IPs for the backend servers and make sure the ports on the backend servers aren't open to the world:
backend https_test
    balance roundrobin
    server httpstest some_private_ip:8000 check
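
The two routing options this thread turns on, side by side, as an added example that is not part of the original answer: path ACLs need the request decrypted at the proxy, while tcp passthrough can only route on what the TLS ClientHello exposes. Certificate and CA paths, the SNI hostname and port 8443 are assumptions.

```haproxy
# Added example. Certificate/CA paths, hostnames and addresses are placeholders.
defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Option A: terminate TLS at the proxy. The request is decrypted here,
# so layer 7 ACLs such as path_beg can see the URL.
frontend https_terminated
    mode http
    bind *:443 ssl crt /etc/haproxy/certs/site.pem
    acl https_test_acl path_beg -i /test
    use_backend https_test if https_test_acl
    default_backend https_default

backend https_test
    mode http
    balance roundrobin
    # Re-encrypt to the server and check its certificate against a CA file.
    server httpstest 10.10.10.10:443 ssl verify required ca-file /etc/haproxy/certs/backend-ca.pem check

backend https_default
    mode http
    balance roundrobin
    server httpsdefault 10.10.10.10:443 ssl verify required ca-file /etc/haproxy/certs/backend-ca.pem check

# Option B: keep tcp passthrough. Only the TLS ClientHello is readable,
# so routing can use the SNI hostname but never the path.
# Bound to 8443 here only so both options load in one file.
frontend https_passthrough
    mode tcp
    bind *:8443
    # Wait for the ClientHello before evaluating the SNI rule.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    use_backend tcp_test if { req.ssl_sni -i test.example.com }
    default_backend tcp_default

backend tcp_test
    mode tcp
    server httpstest 10.10.10.10:443 check

backend tcp_default
    mode tcp
    server httpsdefault 10.10.10.10:443 check
```

Running `haproxy -c -f <file>` checks the file without starting the proxy; the referenced certificate and CA files must exist for the check to pass.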