Hello, I was hoping someone could help me out here. I'm fairly new to haproxy, and what I think I need should be fairly simple to do for someone who has some experience with it, but I am not having the best of luck.

*Here is my scenario:* I have an haproxy server set up that I want to use for SSL offloading. I have compiled it with 1.5-dev19 and added the SSL options into the build; this part is done. I simply need this haproxy to redirect port 80 traffic to 443 for 3 of the 4 sub-domains listed below, and then the haproxy server to offload SSL to some backend web servers via a wildcard cert. I have generated a wildcard cert for testing already and compiled together the PEM file that haproxy currently sees as OK.

*Said domain:* test.com

*Sub-domains:*
www.test.com
broker.test.com
eclose.test.com
images.test.com (globally open to everyone on port 80, no ssl offloading needed)

*Requirements:*
- If any of these domains and subdomains are called with http://, they need to be redirected to https://
- If a call comes in just to test.com, it needs to be redirected to https www.test.com:443
- Sessions need to stay alive after being offloaded to the backend web servers to port 80 on them. (Session keepalive or stickiness?)
- images.test.com does not need to have SSL offloaded, and I'm wondering if I should incorporate this into haproxy at all (maybe for load balancing at some point; this seems like a good idea)

I want to make it known that I have tried giving this a shot using the ACLs for haproxy and attempting to use the hdr_end(host) statements, but I am not certain if this is correct; maybe I should be using hdr_begin(host).

As humbling as this might be, I will provide my best attempt at getting this to work. Maybe I'm way off, maybe I'm close, but I'm at my wit's end on this and was hoping the community of professionals might be able to steer me in the right direction. Below is my attempt at getting the above scenario to work. I thank you very much for your time and help.

*--- haproxy.conf ---*

    defaults
        mode http
        maxconn 512
        option dontlognull
        option http-server-close # session stickiness/persistence?
        retries 3
        contimeout 60000
        clitimeout 60000
        srvtimeout 60000

    frontend haproxy_http
        bind 0.0.0.0:80
        timeout client 86400000
        acl is_test hdr_end(host) -i www.test.com
        acl is_broker_test hdr_end(host) -i broker.test.com
        acl is_eclose_test hdr_end(host) -i eclose.test.com
        acl is_images_test hdr_end(host) -i images.test.com
        redirect location https://www.test.com if is_test
        redirect location https://broker.test.com if is_broker_test
        redirect location https://eclose.test.com if is_eclose_test
        use_backend is_images_test if is_images_test

    frontend haproxy_https
        bind 0.0.0.0:443 ssl crt /etc/haproxy/certs/wildcard.pem
        log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r
        acl is_test_https hdr_end(host) -i www.test.com
        acl is_broker_test_https hdr_end(host) -i broker.test.com
        acl is_eclose_test_https hdr_end(host) -i eclose.test.com
        use_backend is_test_https_backend if is_test_https
        use_backend is_broker_https_backend if is_broker_test_https
        use_backend is_eclose_https_backend if is_eclose_test_https

    # backends
    backend is_test_https_backend
        mode http
        balance source
        option http-server-close
        server server1 192.168.33.70
        server server2 192.168.33.170

    backend is_broker_https_backend
        mode http
        balance source
        option http-server-close
        server server1 192.168.33.71
        server server2 192.168.33.171

    backend is_eclose_https_backend
        mode http
        balance source
        option http-server-close
        server server1 192.168.33.72
        server server2 192.168.33.172

    backend is_images_test
        mode http
        balance source
        option http-server-close
        server server1 192.168.33.73
        server server2 192.168.33.13

I think I'm close, but just not sure if I'm sanely doing things. I've tried to put pieces of information together from several different posts around the Internet, but I have found nothing that is concise enough to really make me understand what I'm doing wrong.

Thank you SO much, Chris
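
One way to meet the requirements listed in the post, as an added example in HAProxy 1.5 configuration syntax (not the poster's configuration and not from the HAProxy project). The backend names, the cookie name SRV, the explicit :80 server ports and the `check` health checks are assumptions.

```haproxy
# Added example: names, cookie SRV, :80 ports and health checks are assumptions.
defaults
    mode http
    option http-server-close
    timeout connect 60s
    timeout client  60s
    timeout server  60s

frontend haproxy_http
    bind 0.0.0.0:80
    # Exact Host match: hdr_end(host) test.com would also match nottest.com.
    acl is_images hdr(host) -i images.test.com
    acl is_apex   hdr(host) -i test.com
    # Apex goes to www over HTTPS; everything except images is upgraded in place.
    redirect prefix https://www.test.com code 301 if is_apex
    redirect scheme https code 301 if !is_images !is_apex
    use_backend images_backend if is_images

frontend haproxy_https
    bind 0.0.0.0:443 ssl crt /etc/haproxy/certs/wildcard.pem
    acl is_www    hdr(host) -i www.test.com
    acl is_broker hdr(host) -i broker.test.com
    acl is_eclose hdr(host) -i eclose.test.com
    reqadd X-Forwarded-Proto:\ https
    use_backend www_backend    if is_www
    use_backend broker_backend if is_broker
    use_backend eclose_backend if is_eclose

backend www_backend
    # Cookie persistence pins a browser to one server; :80 sends cleartext to it.
    cookie SRV insert indirect nocache
    server server1 192.168.33.70:80  cookie s1 check
    server server2 192.168.33.170:80 cookie s2 check

backend broker_backend
    cookie SRV insert indirect nocache
    server server1 192.168.33.71:80  cookie s1 check
    server server2 192.168.33.171:80 cookie s2 check

backend eclose_backend
    cookie SRV insert indirect nocache
    server server1 192.168.33.72:80  cookie s1 check
    server server2 192.168.33.172:80 cookie s2 check

backend images_backend
    balance roundrobin
    server server1 192.168.33.73:80 check
    server server2 192.168.33.13:80 check
```

A certificate issued only for `*.test.com` does not match the bare `test.com`, which is why the apex redirect is handled only on port 80 here.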