I am using haproxy in combination with stunnel to perform SSL. My backend servers expect an X-Forwarded-Proto: https header to indicate that the request was sent over SSL. If this header is missing, the request is redirected to the https:// flavor of the URL.
However, with haproxy-1.5-dev5, I am seeing that the header is only added to the first request of the connection. Subsequent requests are missing this header. Below is an example from a tcpdump.

--
GET /private/ HTTP/1.1
Host: beta.mysite.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.16 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sessionid=03412c52b518e63558dc3d2418b52dc9
X-Forwarded-Proto: http
X-Forwarded-For: 10.10.10.10

HTTP/1.1 302 FOUND
Date: Tue, 29 Mar 2011 16:28:45 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: sessionid=03412c52b518e63558dc3d2418b52dc9; expires=Tue, 29-Mar-2011 16:48:45 GMT; Max-Age=1200; Path=/
Location: https://beta.mysite.com/private/
Content-Length: 0
Keep-Alive: timeout=3, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

GET /private/ HTTP/1.1
Host: beta.mysite.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.16 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sessionid=03412c52b518e63558dc3d2418b52dc9

HTTP/1.1 302 FOUND
Date: Tue, 29 Mar 2011 16:28:45 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: sessionid=03412c52b518e63558dc3d2418b52dc9; expires=Tue, 29-Mar-2011 16:48:45 GMT; Max-Age=1200; Path=/
Location: https://beta.mysite.com/private/
Content-Length: 0
Keep-Alive: timeout=3, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

...
--

This redirect loop runs until the browser interrupts it and displays an error.
My configuration follows:

--
listen http-vip00
    bind 192.168.1.1:80
    bind 127.0.0.1:81 accept-proxy
    mode http
    option httplog
    balance roundrobin
    reqidel ^X-Forwarded-For:.*
    acl is-ssl dst_port 81
    reqadd X-Forwarded-Proto:\ https if is-ssl
    reqadd X-Forwarded-Proto:\ http unless is-ssl
    option forwardfor
    server www1 10.19.78.18:80
--

I have not yet had a chance to see if the same thing happens with previous versions of haproxy. Is this expected behavior or do I have something misconfigured?
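
A check for the symptom described in the post, as an added example that is not part of the original message: it splits the client-to-server side of one keep-alive connection into requests and reports whether each one carries exactly one X-Forwarded-Proto header. The sample bytes are constructed (abbreviated from the capture in the post), and the function names are illustrative.

```python
import re

# Constructed sample: two keep-alive requests on one backend connection,
# abbreviated from the capture in the post (responses omitted).
CAPTURE = (
    b"GET /private/ HTTP/1.1\r\n"
    b"Host: beta.mysite.com\r\n"
    b"Connection: keep-alive\r\n"
    b"X-Forwarded-Proto: http\r\n"
    b"X-Forwarded-For: 10.10.10.10\r\n"
    b"\r\n"
    b"GET /private/ HTTP/1.1\r\n"
    b"Host: beta.mysite.com\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)

REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]$")

def split_requests(stream):
    """Split a client-to-server byte stream into (request_line, headers) pairs.
    Assumes bodiless requests (GET/HEAD), as in the capture."""
    requests = []
    for block in stream.split(b"\r\n\r\n"):
        lines = [l for l in block.split(b"\r\n") if l]
        if not lines or not REQUEST_LINE.match(lines[0]):
            continue  # skip empty trailers and anything that is not a request
        headers = []
        for line in lines[1:]:
            name, _, value = line.partition(b":")
            headers.append((name.strip().lower().decode(), value.strip().decode()))
        requests.append((lines[0].decode(), headers))
    return requests

def audit_header(stream, header="x-forwarded-proto"):
    """Return one finding per request: (index, request_line, values, status)."""
    findings = []
    for i, (req, headers) in enumerate(split_requests(stream), 1):
        values = [v for n, v in headers if n == header]
        status = "ok" if len(values) == 1 else ("missing" if not values else "duplicate")
        findings.append((i, req, values, status))
    return findings

if __name__ == "__main__":
    for finding in audit_header(CAPTURE):
        print(finding)
```
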

