Hello everyone, I have a question concerning session persistence with offloading SSL via haproxy to backend nginx web servers running a PHP website.
Basically, I have a configuration that is performing the SSL offloading successfully. However, it seems that session persistence is not working properly, as some of the images from the nginx web server are not showing up, although the login fields for this web server are showing up. What needs to happen is that an HTTP request comes into haproxy, HTTP calls get redirected to HTTPS, SSL is offloaded and the connection is handed over to the relevant back-end, with session persistence intact via ACLs within haproxy.

I have read that "http-server-close" will preserve the connection and keep it persistent, but I have not been able to get this to work. I have also read that the type of balance used (such as round robin) can affect the persistence of connections. I have also tried to use "cookie PHPSESSID insert nocache indirect", but I am just having no luck, as there are a slew of configurations that can be used to do this task. I have gone over the haproxy documentation again and again and I am just not sure of the correct way of doing this. The haproxy documentation is very thorough, but it is also very complex.

In an effort to try to get this working, below is the configuration for my haproxy setup. I have stripped out all of the testing configurations that I've been using to try to get it to work. I am hoping that someone might be able to assist me with properly getting this configured to make sessions persistent. Your expertise and advice are greatly welcomed and very appreciated. I thank you for your time.
---
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode http
    option httplog
    option dontlognull
    option redispatch
    stats enable
    maxconn 512
    retries 3
    contimeout 60000
    clitimeout 60000
    srvtimeout 60000

###### http frontend to redirect to https frontend
frontend https_frontend
    bind 0.0.0.0:80
    redirect scheme https if !{ ssl_fc }

###### https frontend to offload SSL to the backends
frontend haproxy_https
    mode http
    option http-server-close
    bind 0.0.0.0:443 ssl crt /etc/haproxy/psl-wildcard/wildcard.pem ca-file /etc/haproxy/psl-wildcard/wildcard.ca-bundle
    acl is_psl_https hdr_end(host) -i www.test-site.com
    acl is_broker_psl_https hdr_end(host) -i broker.test-site.com
    acl is_eclose_psl_https hdr_end(host) -i eclose.test-site.com
    use_backend is_psl_https_backend if is_psl_https
    use_backend is_broker_https_backend if is_broker_psl_https
    use_backend is_eclose_https_backend if is_eclose_psl_https
    default_backend is_psl_https_backend

###### backends
backend is_psl_https_backend
    mode http
    balance source
    option http-server-close
    server server1 10.10.221.171:80

backend is_broker_https_backend
    mode http
    balance source
    option http-server-close
    server server1 10.10.221.172:80

backend is_eclose_https_backend
    mode http
    balance source
    option http-server-close
    server server1 10.10.221.173:80

listen admin 0.0.0.0:22002
    mode http
    stats uri /
----

Again, thank you very much.

Sincerely,
Chris
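
As an added illustration, not part of Chris's post or configuration: cookie-based persistence in HAProxy only has an effect when a backend contains more than one server, so this sketch assumes a second server in each backend shown. The 10.10.221.181 and 10.10.221.182 addresses, the server2 entries and the SERVERID cookie name are assumptions made for the example.

```haproxy
# Added example. Variant 1: HAProxy issues its own persistence cookie.
backend is_psl_https_backend
    mode http
    balance roundrobin
    option http-server-close
    # insert   : HAProxy adds a SERVERID cookie to the response
    # indirect : the cookie is removed before the request reaches nginx/PHP
    # nocache  : marks the response non-cacheable so a shared cache cannot
    #            hand one client's persistence cookie to another client
    # secure / httponly : the site is HTTPS-only after the port 80 redirect,
    #            so the cookie is never sent in cleartext or exposed to scripts
    cookie SERVERID insert indirect nocache secure httponly
    # 'check' enables health checks; with 'option redispatch' from defaults,
    # a client pinned to a failed server is sent to a healthy one
    server server1 10.10.221.171:80 check cookie s1
    server server2 10.10.221.181:80 check cookie s2   # hypothetical server

# Added example. Variant 2: reuse the application's own PHPSESSID cookie.
backend is_broker_https_backend
    mode http
    balance roundrobin
    option http-server-close
    # prefix : HAProxy prepends the server's cookie value to the PHPSESSID
    #          value set by PHP and strips it again on the way back in,
    #          so no additional cookie is created
    cookie PHPSESSID prefix
    server server1 10.10.221.172:80 check cookie s1
    server server2 10.10.221.182:80 check cookie s2   # hypothetical server
```

`option http-server-close` controls connection handling between HAProxy and the server, while the `cookie` directive is what ties a client to a particular server across requests.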