On Sun, Jan 16, 2011 at 07:21:19PM +0100, Henri Storn wrote:
> Hello,
>
> I have a server hosting multiple Web sites. I use HAProxy, Stunnel and
> HTTPD:
>
> HTTP  -> HAProxy (80) -> HTTPD (8080)
> HTTPS -> Stunnel (443) -> HAProxy (8443) -> HTTPD (8080)
>
> I want a single Web site to be accessible via HTTPS. The others are only
> accessible by HTTP. I want to do the following redirects:
> - http://server.domain.com/ -> https://server.domain.com/ [OK]
> - https://other.domain.com/ -> https://other.domain.com/ [PROBLEM]
>
> I cannot create the ACL. Can you help me?
>
> listen http
>     bind *:80
>     acl url_admin hdr_beg server.domain.com
>     redirect prefix https://server.domain.com if url_admin
>     server srv 127.0.0.1:8080 maxconn 256
>
> listen https
>     bind 192.168.0.100:8443
>     acl url_admin hdr_beg server.domain.com
>     redirect prefix http://XXXXX unless url_admin
>     option forwardfor except 192.168.0.100
>     server srv 127.0.0.1:8080 maxconn 256
>

We force route all traffic over ssl for some hosts with something like the
following setup. We route all traffic through haproxy, no matter if it is
ssl or not.

Firewall sends public-ip:80 traffic to haproxy-ip:80
Firewall sends public-ip:443 traffic to stunnel-ip:443

Stunnel is patched with
http://haproxy.1wt.eu/download/patches/stunnel-<version>-xforwarded-for.diff

stunnel.conf:

    [https]
    cert = /etc/stunnel/cert.pem
    accept = 443
    connect = haproxy-ip:8443
    xforwardedfor = yes

haproxy.cfg:

    frontend main
        bind *:80 name myapp
        bind haproxy-ip:8443 name ssl

        acl host_insecure hdr_dom(Host) -i insecure.example.com
        use_backend insecure if host_insecure

        acl host_secure hdr_dom(Host) -i secure.example.com
        use_backend secure if host_secure

    backend secure
        acl secure dst_port eq 8443
        redirect prefix https://secure.example.com code 301 if !secure
        server internal-http x.x.x.x:8080 check

    backend insecure
        server internal-http x.x.x.x:8080 check

enjoy,

-jeremy

--
========================================================================
 Jeremy Hinegardner [email protected]
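
The routing decision in the haproxy.cfg above, traced as a simplified Python model. This is an added example, not part of the original thread and not HAProxy code. The function names `hdr_dom` and `route` and the sample requests are constructed for illustration, and Host values are assumed to carry no `:port` suffix.

```python
# Added illustration: a simplified model of the routing in the haproxy.cfg above.
# Function names are hypothetical; Host values are assumed to carry no ":port".

def hdr_dom(value, pattern):
    """Model of 'hdr_dom ... -i': true when the pattern equals a run of whole
    dot-delimited labels anywhere in the value, compared case-insensitively."""
    labels = value.lower().split(".")
    want = pattern.lower().split(".")
    return any(labels[i:i + len(want)] == want
               for i in range(len(labels) - len(want) + 1))

def route(host, dst_port, uri="/"):
    """Return (action, detail) for a request arriving on dst_port (80 or 8443)."""
    # frontend main: the first use_backend rule whose ACL matches wins
    if hdr_dom(host, "insecure.example.com"):
        return ("forward", "insecure")
    if hdr_dom(host, "secure.example.com"):
        # backend secure: 'redirect prefix' appends the original URI to the prefix
        if dst_port != 8443:
            return ("redirect 301", "https://secure.example.com" + uri)
        return ("forward", "secure")
    # no use_backend matched and no default_backend is configured
    return ("no backend", None)

if __name__ == "__main__":
    # Constructed sample requests: (Host header, port HAProxy received it on, URI)
    for req in [("secure.example.com", 80, "/login?next=/"),
                ("secure.example.com", 8443, "/login"),
                ("insecure.example.com", 8443, "/"),
                ("secure.example.com.other.test", 80, "/"),
                ("other.example.com", 80, "/")]:
        print(req, "->", route(*req))
```

The `dst_port eq 8443` test only identifies the listener a connection arrived on, so it stands for "came through Stunnel" only while nothing else can reach haproxy-ip:8443. Because the domain match accepts the pattern anywhere among the Host labels, the fixed redirect prefix is what keeps the 301 target pinned to secure.example.com.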

