Hello,
I was hoping someone could help me out here, I'm fairly new to haproxy and
what I think I need should be fairly simple to do for someone that has some
experience with it, but for me, I am not having the best of luck.
*Here is my scenario:*
I have an haproxy server set up that I want to use for SSL offloading, I
have compiled it with 1.5-dev19 and added the SSL options into the build
out, this part is done.
I simply need this haproxy to redirect port 80 traffic to 443 for 3 of the
4 sub-domains listed below, and then the haproxy server to offload SSL to
some backend web servers s via a wildcard cert. I have generated a
wildcard cert for testing already and compiled together the PEM file that
haproxy currently sees as OK.
*Said domain: * test.com
*Sub-domains: * www.test.com
broker.test.com
eclose.test.com
images.test.com (globally open to everyone on port 80, no ssl offloading
needed)
*Requirements: *
- If any of these domains and subdomains are called with http://, they need
to be redirected to https://
- If a call comes in just to test.com, it needs to be redirected to https
www.test.com:443
- Sessions need to stay alive after being offloaded to the backend web
servers to port 80 on them. (Session keepalive or stickiness?)
- images.test.com does not need to have SSL offloaded and I'm wondering if
I should incorporate this into haproxy at all, maybe for load balancing at
some point, this seems like a good idea)
I want to make it known that I have tried giving this a shot using the ACLs
for haproxy and
attempting to use the hdr_end(host) statements, but I am not certain if
this is correct, maybe I should be using hdr_begin(host)
As humbling as this might be, I will provide my best attempt at getting
this to work, maybe I'm way off, maybe I'm close, but I'm at my wit's end
on this and was hoping the community of professional might be able to steer
me in the right direction, below is my attempt at getting the above
scenario to work.
I thank you very much for your time and help.
*--- haproxy.conf ---*
defaults
mode http
maxconn 512
option dontlognull
option http-server-close # session stickiness/persistence?
retries 3
contimeout 60000
clitimeout 60000
srvtimeout 60000
frontend haproxy_http
bind 0.0.0.0:80 <http://0.0.0.0/>
timeout client 86400000
acl is_test hdr_end(host) -i www.test.com
acl is_broker_test hdr_end(host) -i broker.test.com
acl is_eclose_test hdr_end(host) -i eclose.test.com
acl is_images_test hdr_end(host) -i images.test.com
redirect location https ://www.test.com if is_test
redirect location https ://broker.test.com if is_broker_test
redirect location https ://eclose.test.com if is_eclose_test
use_backend is_images_test if is_images_test
frontend haproxy_https
bind 0.0.0.0:443 ssl crt /etc/haproxy/certs/wildcard.pem
log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\
%CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\
{%[ssl_c_verify],%{+Q}[ssl_c_s_dn],{+Q[ssl_c_i_dn]}\ %{+Q}r
acl is_test_https hdr_end(host) -i www.test.com
acl is_broker_test_https hdr_end(host) -i broker.test.com
acl is_eclose_test_https hdr_end(host) -i eclose.test.com
use_backend is_test_https_backend if is_test_https
use_backend is_broker_https_backend if is_broker_test_https
use_backend is_eclose_https_backend if is_eclose_test_https
# backends
backend is_test_https_backend
mode http
balance source
option http-server-close
server server1 192.168.33.70
server server2 192.168.33.170
backend is_broker_https_backend
mode http
balance source
option http-server-close
server server1 192.168.33.71
server server2 192.168.33.171
backend is_eclose_https_backend
mode http
balance source
option http-server-close
server server1 192.168.33.72
server server2 192.168.33.172
backend is_images_test
mode http
balance source
option http-server-close
server server1 192.168.33.73
server server2 192.168.33.13
I think I'm close, but just not sure if I'm sanely doing things. I've
tried to put piece of information together from several different posts
around the Internet, but I have found nothing that is concise enough to
really make me understand what I'm doing wrong.
Thank you SO much,
Chris
