Hi Chris,

My answers inline.
On Mon, Oct 21, 2013 at 10:57 PM, Chris <bludge...@gmail.com> wrote:

> - If any of these domains and subdomains are called with http://, they need
> to be redirected to https://

    # redirect http to https when connection is not ciphered
    http-request redirect scheme https if !{ ssl_fc } { hdr(host) www.test.com broker.test.com eclose.test.com images.test.com }

> - If a call comes in just to test.com, it needs to be redirected to https
> www.test.com:443

    # redirect test.com:80 to https://www.test.com:443
    http-request redirect prefix https://www.test.com if !{ ssl_fc } { hdr(host) test.com }

> - Sessions need to stay alive after being offloaded to the backend web
> servers to port 80 on them. (Session keepalive or stickiness?)

Do you mean persistence or connection keepalives???

> - images.test.com does not need to have SSL offloaded and I'm wondering if I
> should incorporate this into haproxy at all, maybe for load balancing at
> some point, this seems like a good idea)

Well, this is not what you asked in your first question: you wanted to offload SSL on all your domains.
That said, I agree, ciphering images (usually) is useless.

    # redirect http to https when connection is not ciphered
    http-request redirect scheme https if !{ ssl_fc } { hdr(host) www.test.com broker.test.com eclose.test.com }

Since images.test.com is not in the list, the traffic will be accepted on port 80.
> defaults
>     mode http
>     maxconn 512
>     option dontlognull
>     option http-server-close
>     retries 3
>     contimeout 60000
>     clitimeout 60000
>     srvtimeout 60000
>
> frontend haproxy_http
>     bind 0.0.0.0:80
>     timeout client 86400000
>     acl is_test hdr_end(host) -i www.test.com
>     acl is_broker_test hdr_end(host) -i broker.test.com
>     acl is_eclose_test hdr_end(host) -i eclose.test.com
>     acl is_images_test hdr_end(host) -i images.test.com
>

    # redirect http to https when connection is not ciphered
    # (images.test.com is deliberately left out of the list so it stays on port 80)
    http-request redirect scheme https if !{ ssl_fc } { hdr(host) www.test.com broker.test.com eclose.test.com }
    # redirect test.com:80 to https://www.test.com:443
    http-request redirect prefix https://www.test.com if !{ ssl_fc } { hdr(host) test.com }
    # plain-http traffic for images goes straight to its backend
    use_backend is_images_test if { hdr(host) images.test.com }

>
> frontend haproxy_https
>     bind 0.0.0.0:443 ssl crt /etc/haproxy/certs/wildcard.pem
>     log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r
>     acl is_test_https hdr_end(host) -i www.test.com
>     acl is_broker_test_https hdr_end(host) -i broker.test.com
>     acl is_eclose_test_https hdr_end(host) -i eclose.test.com
>     use_backend is_test_https_backend if is_test_https
>     use_backend is_broker_https_backend if is_broker_test_https
>     use_backend is_eclose_https_backend if is_eclose_test_https
>
> # backends
>
> backend is_test_https_backend
>     mode http
>     balance source
>     option http-server-close
>     server server1 192.168.33.70
>     server server2 192.168.33.170
>
> backend is_broker_https_backend
>     mode http
>     balance source
>     option http-server-close
>     server server1 192.168.33.71
>     server server2 192.168.33.171
>
> backend is_eclose_https_backend
>     mode http
>     balance source
>     option http-server-close
>     server server1 192.168.33.72
>     server server2 192.168.33.172
>
> backend is_images_test
>     mode http
>     balance source
>     option http-server-close
>     server server1 192.168.33.73
>     server server2 192.168.33.13
>
> I think I'm close, but just not sure if I'm sanely doing things. I've tried
> to put pieces of information together from several different posts around the
> Internet, but I have found nothing that is concise enough to really make me
> understand what I'm doing wrong.
>
> Thank you SO much,
>
> Chris

Configuration out of my head, with no testing, but should work.

Baptiste
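The pieces above, assembled into one configuration as an added example (this is not Baptiste's posted text and has not been tested against a live setup). It assumes HAProxy 1.5 syntax, which is what `http-request redirect` and `bind ... ssl crt` require, reuses the certificate path and server addresses from Chris's message, and keeps images.test.com on plain HTTP by leaving it out of the redirect list. The timeout values and the `check` keywords are assumptions, not values from the thread.

```haproxy
# Added example: consolidated haproxy.cfg built from the pieces in this thread.
# Assumes HAProxy 1.5 syntax; not a tested configuration.
global
    log /dev/log local0
    maxconn 4096

defaults
    mode http
    log global
    option httplog
    option dontlognull
    option http-server-close
    retries 3
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Plain-HTTP entry point: everything except images.test.com is sent to HTTPS.
frontend haproxy_http
    bind 0.0.0.0:80

    # Redirect the SSL-offloaded domains to https, keeping path and query.
    # http-request rules are evaluated before use_backend, so a host listed
    # here would never reach a backend from this frontend.
    http-request redirect scheme https if !{ ssl_fc } { hdr(host) -i www.test.com broker.test.com eclose.test.com }

    # Bare test.com goes to https://www.test.com (prefix keeps the request URI).
    http-request redirect prefix https://www.test.com if !{ ssl_fc } { hdr(host) -i test.com }

    # images.test.com is not in either redirect list, so it stays on port 80.
    use_backend images_backend if { hdr(host) -i images.test.com }

# SSL termination point; backends are reached on port 80.
frontend haproxy_https
    bind 0.0.0.0:443 ssl crt /etc/haproxy/certs/wildcard.pem

    acl is_www    hdr(host) -i www.test.com
    acl is_broker hdr(host) -i broker.test.com
    acl is_eclose hdr(host) -i eclose.test.com

    use_backend www_backend    if is_www
    use_backend broker_backend if is_broker
    use_backend eclose_backend if is_eclose

# "balance source" hashes the client IP, so a given client keeps landing on the
# same server (persistence). Connection keepalive is a separate matter, set by
# option http-server-close / option http-keep-alive in the defaults section.
backend www_backend
    balance source
    server server1 192.168.33.70:80 check
    server server2 192.168.33.170:80 check

backend broker_backend
    balance source
    server server1 192.168.33.71:80 check
    server server2 192.168.33.171:80 check

backend eclose_backend
    balance source
    server server1 192.168.33.72:80 check
    server server2 192.168.33.172:80 check

backend images_backend
    balance source
    server server1 192.168.33.73:80 check
    server server2 192.168.33.13:80 check
```

Check the syntax with `haproxy -c -f haproxy.cfg` before reloading, then confirm each rule with a request that sets the Host header explicitly, for example `curl -sI -H 'Host: test.com' http://127.0.0.1/some/path` and look at the `Location` header: it should read `https://www.test.com/some/path`, while the same request with `Host: images.test.com` should get a 200 from the images backend rather than a redirect. Note that `hdr(host)` is an exact match: a client that sends `Host: images.test.com:8080` will not match it, so use `hdr_dom(host)` or `hdr_beg(host)` if you expect explicit ports in the Host header.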