Hello again Baptiste,

Thank you for replying to my questions, they are very helpful answers and I really do appreciate your time.

Concerning your question back about persistence or stickiness:

> > - Sessions need to stay alive after being offloaded to the backend web
> > servers to port 80 on them. (Session keepalive or stickiness?)
>
> do you mean persistence or connection keepalives ???

I meant session persistence, and does the following allow persistence to happen correctly?:

    option http-server-close

If it does, one final question would be how one controls the length of persistence; is that something controlled with a specific timeout variable?

Thank you so much again, I really appreciate your help a lot.

Chris

On Tue, Oct 22, 2013 at 2:13 AM, Baptiste <bed...@gmail.com> wrote:
> Hi Chris,
>
> My answers inline.
>
> On Mon, Oct 21, 2013 at 10:57 PM, Chris <bludge...@gmail.com> wrote:
> > - If any of these domains and subdomains are called with http://, they need
> > to be redirected to https://
>
> # redirect http to https when connection is not ciphered
> http-request redirect scheme https if !{ ssl_fc } { hdr(host) www.test.com broker.test.com eclose.test.com images.test.com }
>
> > - If a call comes in just to test.com, it needs to be redirected to https
> > www.test.com:443
>
> # redirect test.com:80 to https://www.test.com:443
> http-request redirect prefix https://www.test.com if !{ ssl_fc } { hdr(host) test.com }
>
> > - Sessions need to stay alive after being offloaded to the backend web
> > servers to port 80 on them. (Session keepalive or stickiness?)
>
> do you mean persistence or connection keepalives ???
>
> > - images.test.com does not need to have SSL offloaded and I'm wondering if I
> > should incorporate this into haproxy at all, maybe for load balancing at
> > some point, this seems like a good idea)
>
> well, this is not what you asked in your first question, you wanted to
> offload SSL on all your domains.
> That said, I agree, ciphering images (usually) is useless.
>
> # redirect http to https when connection is not ciphered
> http-request redirect scheme https if !{ ssl_fc } { hdr(host) www.test.com broker.test.com eclose.test.com }
>
> since images.test.com is not in the list, the traffic will be accepted
> on port 80.
>
> > defaults
> >     mode http
> >     maxconn 512
> >     option dontlognull
> >     option http-server-close
> >     retries 3
> >     contimeout 60000
> >     clitimeout 60000
> >     srvtimeout 60000
> >
> > frontend haproxy_http
> >     bind 0.0.0.0:80
> >     timeout client 86400000
> >     acl is_test hdr_end(host) -i www.test.com
> >     acl is_broker_test hdr_end(host) -i broker.test.com
> >     acl is_eclose_test hdr_end(host) -i eclose.test.com
> >     acl is_images_test hdr_end(host) -i images.test.com
> >
>
> # redirect http to https when connection is not ciphered
> http-request redirect scheme https if !{ ssl_fc } { hdr(host) www.test.com broker.test.com eclose.test.com images.test.com }
> # redirect test.com:80 to https://www.test.com:443
> http-request redirect prefix https://www.test.com if !{ ssl_fc } { hdr(host) test.com }
>
> use_backend is_images_test if { hdr(host) images.test.com }
>
> > frontend haproxy_https
> >     bind 0.0.0.0:443 ssl crt /etc/haproxy/certs/wildcard.pem
> >     log-format %ci:%cp\ [%t]\ %ft\ %b/%s\ %Tq/%Tw/%Tc/%Tr/%Tt\ %ST\ %B\ %CC\ %CS\ %tsc\ %ac/%fc/%bc/%sc/%rc\ %sq/%bq\ %hr\ %hs\ {%[ssl_c_verify],%{+Q}[ssl_c_s_dn],%{+Q}[ssl_c_i_dn]}\ %{+Q}r
> >     acl is_test_https hdr_end(host) -i www.test.com
> >     acl is_broker_test_https hdr_end(host) -i broker.test.com
> >     acl is_eclose_test_https hdr_end(host) -i eclose.test.com
> >     use_backend is_test_https_backend if is_test_https
> >     use_backend is_broker_https_backend if is_broker_test_https
> >     use_backend is_eclose_https_backend if is_eclose_test_https
> >
> > # backends
> >
> > backend is_test_https_backend
> >     mode http
> >     balance source
> >     option http-server-close
> >     server server1 192.168.33.70
> >     server server2 192.168.33.170
> >
> > backend is_broker_https_backend
> >     mode http
> >     balance source
> >     option http-server-close
> >     server server1 192.168.33.71
> >     server server2 192.168.33.171
> >
> > backend is_eclose_https_backend
> >     mode http
> >     balance source
> >     option http-server-close
> >     server server1 192.168.33.72
> >     server server2 192.168.33.172
> >
> > backend is_images_test
> >     mode http
> >     balance source
> >     option http-server-close
> >     server server1 192.168.33.73
> >     server server2 192.168.33.13
> >
> > I think I'm close, but just not sure if I'm sanely doing things. I've tried
> > to put pieces of information together from several different posts around the
> > Internet, but I have found nothing that is concise enough to really make me
> > understand what I'm doing wrong.
> >
> > Thank you SO much,
> >
> > Chris
>
> configuration out of my head, with no testing, but should work.
>
> Baptiste
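As an added example, not part of the thread above and not Baptiste's or Chris's configuration, here is one complete HAProxy setup covering the points the thread discusses: the two redirects, images.test.com left on plain port 80, and the three ways persistence can actually be obtained and bounded in time. Host names, certificate path and server addresses are the ones Chris posted; backend names, the cookie name, stick-table size and every timeout value are assumptions chosen for illustration. Two facts worth knowing before copying any of it: `option http-server-close` only controls how the server-side connection is handled and provides no persistence at all, and `http-request` rules are evaluated before `use_backend`, so any host listed in a redirect rule can never be served by a port-80 backend.

```haproxy
# Added example, not from the thread. Host names and server addresses are the
# ones Chris posted; backend names, cookie name, stick-table size and all
# timeout values are assumptions chosen for illustration.
global
    log /dev/log local0
    maxconn 2048

defaults
    mode http
    log global
    option httplog
    option dontlognull
    # http-server-close only decides how HAProxy treats the server-side
    # connection (closed after each response, client side kept alive).
    # It has nothing to do with session persistence.
    option http-server-close
    option forwardfor
    option redispatch
    retries 3
    # "timeout ..." replaces the older contimeout/clitimeout/srvtimeout keywords
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend haproxy_http
    bind 0.0.0.0:80
    # Bare test.com -> https://www.test.com, keeping the request path.
    # hdr(host) is an exact match; hdr_end(host) -i test.com would also
    # match every subdomain, which is why the redirects use hdr(host).
    http-request redirect prefix https://www.test.com code 301 if { hdr(host) -i test.com }
    # http -> https for the hosts that must be ciphered. images.test.com is
    # deliberately absent: http-request rules run before use_backend, so a
    # host listed here could never reach the port-80 backend below.
    http-request redirect scheme https code 301 if { hdr(host) -i www.test.com broker.test.com eclose.test.com }
    use_backend images_backend if { hdr(host) -i images.test.com }

frontend haproxy_https
    bind 0.0.0.0:443 ssl crt /etc/haproxy/certs/wildcard.pem
    # Let the port-80 backends know the client actually arrived over TLS
    http-request set-header X-Forwarded-Proto https
    use_backend www_backend    if { hdr(host) -i www.test.com }
    use_backend broker_backend if { hdr(host) -i broker.test.com }
    use_backend eclose_backend if { hdr(host) -i eclose.test.com }

# Persistence option 1: HAProxy-inserted cookie. The client is pinned to the
# server named in the cookie; maxidle drops the pin after 30 min without a
# request, maxlife drops it 8 h after it was first set regardless of activity.
backend www_backend
    balance roundrobin
    cookie SERVERID insert indirect nocache maxidle 30m maxlife 8h
    server server1 192.168.33.70:80  cookie s1 check
    server server2 192.168.33.170:80 cookie s2 check

# Persistence option 2: source-IP stick table. "expire" is the persistence
# length: an entry not refreshed by a request for 30 min is removed.
backend broker_backend
    balance roundrobin
    stick-table type ip size 200k expire 30m
    stick on src
    server server1 192.168.33.71:80  check
    server server2 192.168.33.171:80 check

# Persistence option 3: "balance source", as in the original config. This is
# a hash, not a table: it has no timeout at all, and a client only moves to
# another server when the set of live servers changes.
backend eclose_backend
    balance source
    server server1 192.168.33.72:80  check
    server server2 192.168.33.172:80 check

backend images_backend
    balance roundrobin
    server server1 192.168.33.73:80 check
    server server2 192.168.33.13:80 check
```

Check the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. The cookie approach is the one whose duration you control most directly, and it survives a client changing IP address; both IP-based options treat every client behind one NAT as a single client, which is usually the deciding factor against them.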