On Thu, Jul 21, 2011 at 12:05:41PM +0530, Avinash Gaonkar wrote:
> Dear Willy,
> 
> I have configured haproxy with stunnel to load balance my web servers.
> 
> 
> https request -->stunnel--->haproxy --> backend servers(apache+tomcat)
> 
> This works fine but when I want to redirect http traffic to https in haproxy 
> using acl it doesn't work.
> 
> http request -->haproxy <use acl to redirect to https----> stunnel --> 
> haproxy ----> backend servers(apache+tomcat)
> 
> 
> My frontend config: 
> 
> frontend example.com.com
> bind 192.168.10.11:80
> mode http
> log global
> option httplog
> maxconn 10000
> timeout client 300s
> acl secure url http://example.com
> redirect location https://example.com/MyServer if secure
> default_backend  example.comBACK
> 
> is my acl ok?

No, your ACL matches "http://example.com"; that will never be posted by
anyone. A browser would post a URL "/" with a Host header of "example.com".
Nowhere in the request is the protocol indicated. One easy thing to do is
to match on the source address of stunnel (often 127.0.0.1 or the local
machine) to know if you went through stunnel or not. Another principle I
like even better is to forward stunnel's traffic to a distinct bind address.
For instance:

frontend example.com
        bind 192.168.10.11:80   # public http address
        bind 127.0.0.1:81       # for stunnel traffic only

Then you can for instance redirect certain requests to https :

        acl host_example.com hdr(host) -i example.com
        acl url_slash url /
        acl via_stunnel dst_port 81

        redirect location https://example.com/MyServer if !via_stunnel host_example.com url_slash

If you want *all* of your http traffic to be unconditionally redirected to
https, then it's even easier to have two distinct frontends and no ACL:

frontend secure
        bind 127.0.0.1:81       # for stunnel
        ...
        default_backend ...

frontend http
        bind 192.168.10.11:80   # for http visitors
        redirect location https://example.com/MyServer


Regards,
Willy
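
The following is an added example (not part of the original mail) showing a complete haproxy.cfg that applies the two-frontend layout from the reply: stunnel is assumed to be configured with "connect = 127.0.0.1:81", so anything arriving on that bind has already been decrypted, while the public port 80 frontend only issues redirects. The addresses, backend servers and timeouts are assumptions; the commented-out "src" ACL is the source-address alternative mentioned in the reply, for the case where stunnel and plain http share one bind. It also goes slightly beyond the mail by using "redirect prefix" for requests other than "/", so that the path a visitor asked for survives the hop to https instead of everything landing on /MyServer.

```haproxy
# Added example, not from the original mail. Addresses, ports and
# backend servers below are assumptions for illustration.
global
    log 127.0.0.1 local0
    maxconn 10000

defaults
    mode http              # required for acl/redirect on HTTP fields
    log global
    option httplog
    timeout connect 5s
    timeout client 300s
    timeout server 300s

# stunnel (assumed "connect = 127.0.0.1:81") hands decrypted traffic here.
# Nothing else should be able to reach this bind, hence the loopback address.
frontend secure
    bind 127.0.0.1:81
    default_backend example.comBACK

# Public plain-http visitors. A browser only sends the path ("/") plus a
# Host header; the scheme never appears in the request, so an ACL on a
# full URL such as "http://example.com" can never match. The bind (or the
# stunnel source address) is what tells the two kinds of traffic apart.
frontend http
    bind 192.168.10.11:80
    # Alternative when stunnel shares this frontend: match its source address
    # and add "!via_stunnel" to the redirect conditions.
    # acl via_stunnel src 127.0.0.1
    acl host_example.com hdr(host) -i example.com
    acl url_slash url /
    # Landing page of the public host goes to the application entry point...
    redirect location https://example.com/MyServer if host_example.com url_slash
    # ...everything else is sent to https with its original URI appended.
    redirect prefix https://example.com

backend example.comBACK
    balance roundrobin
    server web1 192.168.10.21:8080 check
    server web2 192.168.10.22:8080 check
```

Redirect rules are evaluated in order, so the conditional "location" rule must come before the unconditional "prefix" rule. Check the result with a plain-http request for "/" and for some other path and confirm that only the stunnel bind ever reaches the backend.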
