Hello everyone,
I have a question concerning session persistence with offloading SSL via
haproxy to backend nginx web servers running a PHP website.
Basically, I have a configuration that is performing the SSL offloading
successfully, however, it seems that session persistence is not working
properly as some of the images from the nginx web server are not showing
up, however the log in fields for this web server are showing up.
What needs to happen is that an http request comes into haproxy, http calls
get redirected to https, SSL is offloaded and the connection is handed over
to the relevant back-end - with session persistence intact via ACLs within
haproxy.
I have read that "http-server-close" will preserve the connection and keep
it persistent but I have not been able to get this to work. I have also
read that the type of balance used (such as round robin) can affect the
persistence of connections. I have also tried to use
"cookie PHPSESSID insert nocache indirect" but I just am having no luck as
there are a slew of configurations that can be used to do this task and I
have gone over the haproxy documentation again and again and I just am not
sure of the correct way of doing this. The haproxy documentation is very
thorough, but it is also very complex.
In an effort to try to get this working, below is the configuration for my
haproxy setup, I have stripped out all of the testing configurations that
I've been using to try to get it to work. I am hoping that someone might
be able to assist me with properly getting this configured to make sessions
persistent.
Your expertise and advice are greatly welcomed and very appreciated - I
thank you for your time.
---
global
    log 127.0.0.1 local0
    log 127.0.0.1 local1
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode http
    option httplog
    option dontlognull
    option redispatch
    stats enable
    maxconn 512
    retries 3
    contimeout 60000
    clitimeout 60000
    srvtimeout 60000

###### http frontend to redirect to https frontend
frontend https_frontend
    bind 0.0.0.0:80
    redirect scheme https if !{ ssl_fc }

###### https frontend to offload SSL to the backends
frontend haproxy_https
    mode http
    option http-server-close
    bind 0.0.0.0:443 ssl crt /etc/haproxy/psl-wildcard/wildcard.pem ca-file /etc/haproxy/psl-wildcard/wildcard.ca-bundle
    acl is_psl_https hdr_end(host) -i www.test-site.com
    acl is_broker_psl_https hdr_end(host) -i broker.test-site.com
    acl is_eclose_psl_https hdr_end(host) -i eclose.test-site.com
    use_backend is_psl_https_backend if is_psl_https
    use_backend is_broker_https_backend if is_broker_psl_https
    use_backend is_eclose_https_backend if is_eclose_psl_https
    default_backend is_psl_https_backend

###### backends
backend is_psl_https_backend
    mode http
    balance source
    option http-server-close
    server server1 10.10.221.171:80

backend is_broker_https_backend
    mode http
    balance source
    option http-server-close
    server server1 10.10.221.172:80

backend is_eclose_https_backend
    mode http
    balance source
    option http-server-close
    server server1 10.10.221.173:80

listen admin 0.0.0.0:22002
    mode http
    stats uri /
----
Again, thank you very much.
Sincerely,
Chris