Hi Chris,

My answers inline.

On Mon, Oct 21, 2013 at 10:57 PM, Chris <bludge...@gmail.com> wrote:
> - If any of these domains and subdomains are called with http://, they need
> to be redirected to https://

# redirect http to https when connection is not ciphered
http-request redirect scheme https if !{ ssl_fc } { hdr(host) www.test.com broker.test.com eclose.test.com images.test.com }


> - If a call comes in just to test.com, it needs to be redirected to https
> www.test.com:443

# redirect test.com:80 to https://www.test.com:443
http-request redirect prefix https://www.test.com if !{ ssl_fc } { hdr(host) test.com }


> - Sessions need to stay alive after being offloaded to the backend web
> servers to port 80 on them.  (Session keepalive or stickiness?)

Do you mean persistence or connection keepalives?


> - images.test.com does not need to have SSL offloaded and I'm wondering if I
> should incorporate this into haproxy at all, maybe for load balancing at
> some point, this seems like a good idea)

well, this is not what you asked in your first question, you wanted to
offload SSL on all your domains.
That said, I agree, ciphering images (usually) is useless.

# redirect http to https when connection is not ciphered
http-request redirect scheme https if !{ ssl_fc } { hdr(host) www.test.com broker.test.com eclose.test.com }

since images.test.com is not in the list, the traffic will be accepted
on port 80.

> defaults
>     mode http
>     maxconn 512
>     option dontlognull
>     option http-server-close
>     retries 3
>     contimeout 60000
>     clitimeout 60000
>     srvtimeout 60000
>
> frontend haproxy_http
>     bind 0.0.0.0:80
>     timeout client 86400000
>     acl is_test hdr_end(host) -i www.test.com
>     acl is_broker_test hdr_end(host) -i broker.test.com
>     acl is_eclose_test  hdr_end(host) -i eclose.test.com
>     acl is_images_test  hdr_end(host)  -i images.test.com
>
>
    # redirect http to https when connection is not ciphered
    # (images.test.com is left out so that it is served on port 80)
    http-request redirect scheme https if !{ ssl_fc } { hdr(host) www.test.com broker.test.com eclose.test.com }
    # redirect test.com:80 to https://www.test.com:443
    http-request redirect prefix https://www.test.com if !{ ssl_fc } { hdr(host) test.com }

    use_backend is_images_test if { hdr(host) images.test.com }

>
>
>
> frontend haproxy_https
>     bind 0.0.0.0:443 ssl crt /etc/haproxy/certs/wildcard.pem
>     log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\
> %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\
> {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r
>     acl is_test_https hdr_end(host) -i www.test.com
>     acl is_broker_test_https hdr_end(host) -i broker.test.com
>     acl is_eclose_test_https hdr_end(host) -i eclose.test.com
>     use_backend         is_test_https_backend if  is_test_https
>     use_backend         is_broker_https_backend    if  is_broker_test_https
>     use_backend         is_eclose_https_backend  if is_eclose_test_https
>
>
>
> # backends
>
> backend is_test_https_backend
>     mode http
>     balance source
>     option http-server-close
>     server server1 192.168.33.70:80
>     server server2 192.168.33.170:80
>
> backend is_broker_https_backend
>     mode http
>     balance source
>     option http-server-close
>     server server1 192.168.33.71:80
>     server server2 192.168.33.171:80
>
> backend is_eclose_https_backend
>     mode http
>     balance source
>     option http-server-close
>     server server1 192.168.33.72:80
>     server server2 192.168.33.172:80
>
> backend is_images_test
>     mode http
>     balance source
>     option http-server-close
>     server server1 192.168.33.73:80
>     server server2 192.168.33.13:80
>
>
> I think I'm close, but just not sure if I'm sanely doing things.  I've tried
> to put piece of information together from several different posts around the
> Internet, but I have found nothing that is concise enough to really make me
> understand what I'm doing wrong.
>
> Thank you SO much,
>
> Chris


Configuration out of my head, with no testing, but should work.

Baptiste
