I am perplexed as HAproxy 1.3.15.8 doesn't recognise the 'redirect' keyword.
I have the following configuration file:

global
        log     127.0.0.1 local0
        maxconn 4096
        chroot  /var/lib/haproxy
        user    haproxy
        group   haproxy
        daemon
        spread-checks      10

defaults
        mode            http
        option          httplog
        option          dontlognull
        option          logasap
        retries              3
        option redispatch
        maxconn           2000
        contimeout        5000
        clitimeout       50000
        srvtimeout      300000
        stats uri /stats_haproxy
        stats auth admin:xxxxxxxxxxxxxxxxxxx
        stats scope testproxy
        stats scope check_hosts
        stats refresh 60

listen  testproxy 10.0.0.220:80
        cookie HACookie insert indirect
        balance roundrobin
        redirect https:// if !LOCALHOST
        server  penquin 10.0.0.202:80   cookie penquin check inter 2000 rise 2 fall 3 weight 100
        log global

When starting HAproxy I get the following message:

[ALERT] 090/123820 (3190) : parsing [/etc/haproxy/haproxy.cfg:32] : unknown keyword 'redirect' in 'listen' section
[ALERT] 090/123820 (3190) : Error reading configuration file : /etc/haproxy/haproxy.cfg
Errors in configuration file, check with haproxy check.

However, the documentation and multiple examples found on the net show that
'redirect' is a valid keyword. I also tried 'redir'. Removing 'if
!LOCALHOST' doesn't help either (the idea is to redirect the browser to
https:// if the connection doesn't come from localhost, i.e. Stunnel).

So what I am trying to do is to force HTTP connections to use SSL. I have
Stunnel listening on 10.0.0.220:443, and Stunnel connects to 10.0.0.220:80
(i.e. HAproxy).

If I force SSL in the server, there's a loop. Firefox complains:

        "Redirect Loop  Firefox has detected that the server is redirecting the request for this address in a way that will never complete."

As I understand it, this is caused by the fact that the browser traffic is
encrypted between the server and HAproxy.

I believe it should be possible to create an ACL that checks the client's IP
address. If the apparent address is 10.0.0.220, the traffic is coming
through Stunnel and is encrypted. But if the IP address is not 10.0.0.220,
the client connects directly to HAproxy and should be redirected to connect
to Stunnel. But how?

Help is greatly appreciated.

Best regards, BM
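
The source-address ACL described in the post, written out as an added example (it is not part of the original message and is not taken from the HAProxy project). It assumes a HAProxy build that accepts the 'redirect' keyword, which the 1.3.15.8 binary above rejects; the ACL name via_stunnel is hypothetical and the redirect target reuses the address from the post.

```haproxy
# Added example, not from the original post.
listen  testproxy 10.0.0.220:80
        mode    http
        cookie  HACookie insert indirect
        balance roundrobin

        # Stunnel terminates SSL on 10.0.0.220:443 and then connects to this
        # listener, so a request arriving from 10.0.0.220 has already
        # travelled over the encrypted leg. 'via_stunnel' is a hypothetical name.
        acl     via_stunnel src 10.0.0.220

        # Any other source reached port 80 directly: send it to the Stunnel
        # port. 'prefix' appends the original path and query string to the
        # target. Replace the address with the name clients actually use.
        redirect prefix https://10.0.0.220 if !via_stunnel

        # The backend only ever sees plain HTTP from HAProxy, so forcing SSL
        # on the backend itself redirects every request again (the loop
        # Firefox reports). Enforce the redirect here instead.
        server  penquin 10.0.0.202:80 cookie penquin check inter 2000 rise 2 fall 3 weight 100
        log     global
```

The ACL treats every connection from 10.0.0.220 as already encrypted, so any other local process on that host that connects to port 80 skips the redirect. Checking the file with the configuration check mode before restarting shows whether the installed version accepts the keyword.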
