Hi Wolfgang,

looks good as well with this configuration.
But you're not performing any SSL offloading :)

Baptiste

On Wed, Aug 7, 2013 at 7:27 AM, Wolfgang Grim <[email protected]> wrote:
> Hello Baptiste,
>
> thank you for your help, I found a solution which is a bit different but is
> also working (I think the traffic is just passed in my configuration). The
> config is:
>
> global
>     log 127.0.0.1 local1 notice
>     maxconn 4096
>     user haproxy
>     group haproxy
>     daemon
>
> defaults
>     log global
>     option dontlognull
>     retries 3
>     option redispatch
>     maxconn 2000
>     contimeout 5000
>     clitimeout 50000
>     srvtimeout 50000
>
> frontend http_frontend
>     bind :80
>     mode http
>     redirect scheme https if !{ ssl_fc }
>
> frontend https_frontend
>     bind *:443
>     mode tcp
>     default_backend web_server
>
> backend web_server
>     mode tcp
>     balance roundrobin
>     stick-table type binary len 32 size 30k expire 30m
>     acl clienthello req_ssl_hello_type 1
>     acl serverhello rep_ssl_hello_type 2
>     tcp-request inspect-delay 5s
>     tcp-request content accept if clienthello
>     tcp-response content accept if serverhello
>     stick on payload_lv(43,1) if clienthello
>     stick store-response payload_lv(43,1) if serverhello
>     server s1 1.1.1.1:443
>     server s2 2.2.2.2:443
>
> -----Original Message-----
> From: Baptiste [mailto:[email protected]]
> Sent: Tuesday, 06 August 2013 10:15
> To: Wolfgang Grim
> Cc: [email protected]
> Subject: Re: Force HTTPS with https backend
>
> Hi Wolfgang,
>
> First, turn the mode to http, otherwise header insertion can't work.
>
> To fix your issue, simply append the "ssl" keyword on the server line
> description.
>
> Baptiste
>
>
> On Tue, Aug 6, 2013 at 8:14 AM, Wolfgang Grim <[email protected]> wrote:
>> Hi everybody,
>>
>> just started to use haproxy.
>>
>> What I want to achieve is to have a primary server and a secondary
>> which acts as backup server. All traffic should be forced to be
>> encrypted. As long as the backend connection is established via HTTP
>> it works, when I change to the following config, I am also able to connect
>> via HTTP.
>>
>> global
>>     #log 127.0.0.1 local0
>>     log 127.0.0.1 local1 notice
>>     #log loghost local0 info
>>     maxconn 4096
>>     #chroot /usr/share/haproxy
>>     user haproxy
>>     group haproxy
>>     daemon
>>     #debug
>>     #quiet
>>
>> defaults
>>     log global
>>     option dontlognull
>>     retries 3
>>     option redispatch
>>     maxconn 2000
>>     contimeout 5000
>>     clitimeout 50000
>>     srvtimeout 50000
>>
>> frontend https_frontend
>>     bind :80
>>     redirect scheme https if !{ ssl_fc }
>>
>>     bind *:443 ssl crt /etc/haproxy/haproxy.pem
>>     mode tcp
>>     #option httpchk HEAD / HTTP/1.0
>>     reqadd X-Forwarded-Proto:\ https
>>     default_backend web_server
>>
>> backend web_server
>>     mode tcp
>>     balance roundrobin
>>     stick-table type ip size 200k expire 30m
>>     stick on src
>>     default-server inter 1s
>>
>>
>> Best regards,
>>
>> Wolfgang Grim
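Added example, not part of the mail thread and not HAProxy code: a simplified Python model of what req_ssl_hello_type, rep_ssl_hello_type and payload_lv(43,1) in the tcp-mode backend above inspect, namely the handshake type at byte 5 of the TLS record and the session ID whose one-byte length sits at offset 43. The helper names and the truncated hello messages are constructed for illustration.

```python
import struct

def hello_type(buf: bytes):
    """Handshake type of a TLS record (1 = ClientHello, 2 = ServerHello).
    Returns None unless buf starts with a handshake record (content type 22)."""
    if len(buf) < 6 or buf[0] != 0x16:
        return None
    return buf[5]

def payload_lv(buf: bytes, offset: int, length_size: int):
    """Read a big-endian length of length_size bytes at offset and return the
    block that follows it; None when the buffer is too short."""
    end_len = offset + length_size
    if len(buf) < end_len:
        return None
    n = int.from_bytes(buf[offset:end_len], "big")
    value = buf[end_len:end_len + n]
    return value if len(value) == n else None

def build_hello(msg_type: int, session_id: bytes) -> bytes:
    """Constructed hello, truncated after the session ID:
    record header (5) + handshake header (4) + version (2) + random (32) = 43."""
    body = b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
    handshake = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def stick_key(buf: bytes, expected_type: int):
    """Session ID used as table key if buf is the expected hello type.
    Assumption of this model: an empty session ID yields no key."""
    if hello_type(buf) != expected_type:
        return None
    return payload_lv(buf, 43, 1) or None

# Constructed sample messages.
SESSION_ID = bytes(range(32))
SERVER_HELLO = build_hello(2, SESSION_ID)           # server assigns the ID
RESUMING_CLIENT_HELLO = build_hello(1, SESSION_ID)  # client offers it again
NEW_CLIENT_HELLO = build_hello(1, b"")              # first visit, no ID yet

if __name__ == "__main__":
    stored = stick_key(SERVER_HELLO, 2)
    print("stored from response:", stored.hex())
    print("resumed client matches:", stick_key(RESUMING_CLIENT_HELLO, 1) == stored)
    print("new client key:", stick_key(NEW_CLIENT_HELLO, 1))
```

The proxy only reads the cleartext hello fields here; the TLS session itself still terminates on s1 or s2, which is why no SSL offloading takes place.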

