Hello Baptiste,

thank you for your help, I found a solution which is a bit different but is 
also working (I think the traffic is just passed in my configuration). The 
config is:

global
        log 127.0.0.1   local1 notice
        maxconn 4096
        user haproxy
        group haproxy
        daemon

defaults
        log     global
        option  dontlognull
        retries 3
        option redispatch
        maxconn 2000
        contimeout      5000
        clitimeout      50000
        srvtimeout      50000

frontend http_frontend
        bind :80
        mode http
        redirect scheme https if !{ ssl_fc }

frontend https_frontend
        bind *:443
        mode tcp
        default_backend web_server

backend web_server
        mode tcp
        balance roundrobin
        stick-table type binary len 32 size 30k expire 30m
        acl clienthello req_ssl_hello_type 1
        acl serverhello rep_ssl_hello_type 2
        tcp-request inspect-delay 5s
        tcp-request content accept if clienthello
        tcp-response content accept if serverhello
        stick on payload_lv(43,1) if clienthello
        stick store-response payload_lv(43,1) if serverhello
        server s1 1.1.1.1:443
        server s2 2.2.2.2:443

-----Original Message-----
From: Baptiste [mailto:[email protected]]
Sent: Tuesday, 06 August 2013 10:15
To: Wolfgang Grim
Cc: [email protected]
Subject: Re: Force HTTPS with https backend

Hi Wolfgang,

First, turn the mode to http, otherwise header insertion can't work.

To fix your issue, simply append the "ssl" keyword on the server line 
description.

Baptiste


On Tue, Aug 6, 2013 at 8:14 AM, Wolfgang Grim <[email protected]> wrote:
> Hi everybody,
>
>
>
> just started to use haproxy.
>
>
>
> What I want to achieve is to have a primary server and a secondary 
> which acts as backup server. All traffic should be forced to be 
> encrypted. As long as the backend connection is established via HTTP 
> it works, when I change to the following config, I am also able to connect 
> via HTTP.
>
>
>
> global
>
>         #log 127.0.0.1  local0
>
>         log 127.0.0.1   local1 notice
>
>         #log loghost    local0 info
>
>         maxconn 4096
>
>         #chroot /usr/share/haproxy
>
>         user haproxy
>
>         group haproxy
>
>         daemon
>
>         #debug
>
>         #quiet
>
>
>
> defaults
>
>         log     global
>
>         option  dontlognull
>
>         retries 3
>
>         option redispatch
>
>         maxconn 2000
>
>         contimeout      5000
>
>         clitimeout      50000
>
>         srvtimeout      50000
>
>
>
> frontend https_frontend
>
>
>
>         bind :80
>
>         redirect scheme https if !{ ssl_fc }
>
>
>
>         bind *:443 ssl crt /etc/haproxy/haproxy.pem
>
>         mode    tcp
>
>         #option httpchk HEAD / HTTP/1.0
>
>         reqadd X-Forwarded-Proto:\ https
>
>         default_backend web_server
>
>
>
> backend web_server
>
>         mode tcp
>
>         balance roundrobin
>
>         stick-table type ip size 200k expire 30m
>
>         stick on src
>
>         default-server inter 1s
>
>
>
>
>
> Best regards,
>
> Wolfgang Grim
>
>
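
Added example, not part of the original thread and not HAProxy's own code: a simplified Python model of what the `stick on payload_lv(43,1)` and `stick store-response payload_lv(43,1)` rules in the working configuration at the top of this thread read from the TLS hellos. Byte 43 of the record is the session ID length, and the ID that follows (at most 32 bytes, hence `type binary len 32`) becomes the stick-table key. The function names, the `route` helper and the sample records are constructed for illustration.

```python
import struct

# 5-byte record header + 4-byte handshake header + 2-byte version + 32-byte random
SESSION_ID_LEN_OFFSET = 43

def build_hello(hs_type, session_id):
    """Constructed sample: minimal TLS hello record (type 1 = client, 2 = server)."""
    body = b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
    # ClientHello lists suites and compression methods; ServerHello picks one of each.
    body += b"\x00\x02\x00\x2f\x01\x00" if hs_type == 1 else b"\x00\x2f\x00"
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def hello_type(buf):
    """Simplified model of req_ssl_hello_type / rep_ssl_hello_type."""
    return buf[5] if len(buf) >= 6 and buf[0] == 0x16 else 0

def payload_lv(buf, len_offset, len_size):
    """Read a length field at len_offset, then return the value right after it."""
    start = len_offset + len_size
    if len(buf) < start:
        return None
    n = int.from_bytes(buf[len_offset:start], "big")
    return buf[start:start + n] if len(buf) >= start + n else None

def session_key(buf, wanted_type):
    """Session ID used as stick-table key, or None if absent or wrong message."""
    if hello_type(buf) != wanted_type:
        return None
    return payload_lv(buf, SESSION_ID_LEN_OFFSET, 1) or None

def route(table, client_hello, server_hello, picked_by_balance):
    """'stick on' lookup with the request, then 'stick store-response' learning."""
    key = session_key(client_hello, 1)
    server = table.get(key, picked_by_balance) if key else picked_by_balance
    learned = session_key(server_hello, 2)
    if learned:
        table.setdefault(learned, server)
    return server

if __name__ == "__main__":
    sid = bytes(range(32))                      # constructed 32-byte session ID
    table = {}
    # First handshake: client has no session yet, roundrobin picks s1, server issues sid.
    print(route(table, build_hello(1, b""), build_hello(2, sid), "s1"))
    # Resumption: client presents sid, roundrobin would pick s2, the table says s1.
    print(route(table, build_hello(1, sid), build_hello(2, sid), "s2"))
```

The second call returns `s1` even though the balancer picked `s2`, which is the point of the rules: a resumed session goes back to the server that holds its state.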
