On Wed, Jun 25, 2014 at 5:47 PM, Claus Strommer wrote:

> Hello all,
>
> For reasons that I'll spare you I'm working on replacing a Pound balancer with HAProxy 1.5. I am mostly happy with my configuration, except for one thing:
>
> All of my backends accept http, except for a Node.js server which accepts mixed http and https. This server has a login page that explicitly requires an SSL connection by checking the local socket used for the connection. In Pound this was done by setting the HTTPS parameter on the backend; however, from my understanding HAProxy requires that I use TCP passthrough to let the backend handle SSL. I am uncertain as to how I should shape the HAProxy configuration to achieve this, as I would like the TCP backend to listen on the same port as the HTTP backend. My (simplified) config looks thus:
>
> --------8< snip ----------------
> frontend httpweb
>   bind *:80
>   bind *:443 ssl crt /etc/ssl/private/primal_bundle_2014.pem
>   mode http
>   option httplog
>
>   acl host_about hdr_end(host) -i about.site.com
>   acl host_api hdr_end(host) -i api.site.com
>
>   redirect scheme https if !{ ssl_fc } require_ssl
>   redirect scheme http if { ssl_fc } require_nossl
>
>   use backend about:3000 if host_about
>   use backend api:80 if host_api
>
> backend about:3000
>   mode http
>   balance roundrobin
>   option httplog
>   #option httpclose
>   option forwardfor
>   server about.backend.com about.backend.com:3000 check inter 5000
>
> backend api:80
>   mode http
>   balance roundrobin
>   option httplog
>   #option httpclose
>   option forwardfor
>   server api.backend.com api.backend.com:80 check inter 5000
>
> backend about:3001
>   mode http
>   balance roundrobin
>   option httplog
>   #option httpclose
>   option forwardfor
>   server about.backend.com about.backend.com:3001 check inter 5000
> --------8< snip ----------------
>
> This of course sends the client into a redirect loop (301) if I hit e.g. https://about.site.com/login , because the connection between HAProxy and Node is non-SSL, so it redirects me back to that URL expecting the subsequent connection to be HTTPS. If I add an about:3001 backend (3001 is Node's SSL port) I of course get a 502 error because HAProxy connects to it via the non-SSL protocol. I also tried to set the backend to tcp mode but that failed because the frontend is http.
>
> So my guess is that I need to add a tcp frontend to handle specifically HTTPS connections for about.site.com. How would I go about doing that? Can I have both a TCP and HTTP frontend bind to the same port? How would I shape the ACLs to direct https://about.site.com to the TCP frontend, and everything else to the HTTP frontend?
>
> --
> Claus Strommer, Dev/Ops Engineering Specialist
Hi Claus,

First, I don't understand your configuration. You may have cut some part of it, but you cut too much :)
We need to know the content of require_ssl and require_nossl. Also, the backend 3001 is not used.

Maybe this could help: if you want to cipher a connection to a server, then simply add the keyword "ssl" on the server line.
(Check also the global parameter ssl-server-verify.)

Baptiste
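As an added illustration of Baptiste's suggestion (this snippet is not from the thread and not Claus's config): the existing `about:3001` backend can stay in `mode http` and simply carry the `ssl` keyword on its server line, and the frontend can send HTTPS requests for about.site.com to it with `ssl_fc`, so Node's login page sees a TLS socket without any TCP passthrough. The CA bundle path and the `verifyhost` value are assumptions for the example; the weak variant is left commented out next to the verified one so the difference is visible.

```haproxy
# Added example; not part of the original thread.
frontend httpweb
    bind *:80
    bind *:443 ssl crt /etc/ssl/private/primal_bundle_2014.pem
    mode http
    option httplog

    acl host_about hdr_end(host) -i about.site.com
    acl host_api hdr_end(host) -i api.site.com

    # TLS clients for about.site.com go to Node's TLS port; the first
    # matching use_backend wins, so the ssl_fc line must come first.
    use backend about:3001 if host_about { ssl_fc }
    use backend about:3000 if host_about
    use backend api:80 if host_api

backend about:3001
    mode http
    balance roundrobin
    option httplog
    option forwardfor

    # Weak: the hop is encrypted, but HAProxy does not check who it is
    # talking to, so anything answering on about.backend.com:3001 is accepted.
    #server about.backend.com about.backend.com:3001 ssl verify none check inter 5000

    # Preferred: HAProxy requires the Node certificate to chain to the CA
    # bundle (path is a placeholder) and to carry the expected name.
    server about.backend.com about.backend.com:3001 ssl verify required ca-file /etc/ssl/certs/internal-ca.pem verifyhost about.backend.com check inter 5000
```

Note that `verify required` together with `ca-file` is what turns the `ssl` keyword from "encrypted" into "encrypted and authenticated"; a self-signed Node certificate works fine as long as that certificate (or its issuing CA) is what the `ca-file` contains. The `redirect scheme` lines from the original were omitted here only because the `require_ssl`/`require_nossl` ACLs they reference were not shown.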

