Whoops!
Just to be safe, here's the whole thing again, with additions
--------8< snip ----------------
frontend httpweb
    bind *:80
    bind *:443 ssl crt /etc/ssl/private/primal_bundle_2014.pem
    mode http
    option httplog

    acl host_about hdr_end(host) -i about.site.com
    acl host_api hdr_end(host) -i api.site.com
    acl require_ssl hdr_end(host) -i api.site.com
    acl host_error hdr_end(host) -i error.site.com
    acl require_nossl hdr_end(host) -i error.site.com

    redirect scheme https if !{ ssl_fc } require_ssl
    redirect scheme http if { ssl_fc } require_nossl

    # keyword is use_backend (one word), as on the nginx line below
    use_backend about:3000 if host_about
    use_backend api:80 if host_api
    use_backend nginx:8080 if host_error

backend about:3000
    mode http
    balance roundrobin
    option httplog
    #option httpclose
    option forwardfor
    server about.backend.com about.backend.com:3000 check inter 5000

backend api:80
    mode http
    balance roundrobin
    option httplog
    #option httpclose
    option forwardfor
    server api.backend.com api.backend.com:80 check inter 5000

backend about:3001
    mode http
    balance roundrobin
    option httplog
    #option httpclose
    option forwardfor
    server about.backend.com about.backend.com:3001 check inter 5000

backend nginx:8080
    mode http
    balance roundrobin
    option httplog
    #option httpclose
    option forwardfor
    server localhost localhost:8080 check inter 5000
--------8< snip ----------------
Basically, all our backends except host_about and host_error go through
SSL. host_error is forced to HTTP, host_about is kept at whatever the
client requests.
On Wed, Jun 25, 2014 at 3:37 PM, Baptiste <[email protected]> wrote:
> On Wed, Jun 25, 2014 at 5:47 PM, Claus Strommer
> <[email protected]> wrote:
> > Hello all,
> >
> > For reasons that I'll spare you I'm working on replacing a Pound balancer
> > with HAProxy 1.5. I am mostly happy with my configuration, except for one
> > thing:
> >
> > All of my backends accept http, except for a Node.js server which accepts
> > mixed http and https. This server has a login page that explicitly requires
> > an SSL connection by checking the local socket used for the connection. In
> > Pound this was done by setting the HTTPS parameter on the backend; however,
> > from my understanding HAProxy requires that I use TCP passthrough to let the
> > backend handle SSL. I am uncertain as to how I should shape the HAProxy
> > configuration to achieve this, as I would like the TCP backend to listen on
> > the same port as on the HTTP backend. My (simplified) config looks thus:
> >
> >
> > --------8< snip ----------------
> > frontend httpweb
> > bind *:80
> > bind *:443 ssl crt /etc/ssl/private/primal_bundle_2014.pem
> > mode http
> > option httplog
> >
> > acl host_about hdr_end(host) -i about.site.com
> > acl host_api hdr_end(host) -i api.site.com
> >
> > redirect scheme https if !{ ssl_fc } require_ssl
> > redirect scheme http if { ssl_fc } require_nossl
> >
> > use_backend about:3000 if host_about
> > use_backend api:80 if host_api
> >
> > backend about:3000
> > mode http
> > balance roundrobin
> > option httplog
> > #option httpclose
> > option forwardfor
> > server about.backend.com about.backend.com:3000 check inter 5000
> >
> > backend api:80
> > mode http
> > balance roundrobin
> > option httplog
> > #option httpclose
> > option forwardfor
> > server api.backend.com api.backend.com:80 check inter 5000
> >
> > backend about:3001
> > mode http
> > balance roundrobin
> > option httplog
> > #option httpclose
> > option forwardfor
> > server about.backend.com about.backend.com:3001 check inter 5000
> > --------8< snip ----------------
> >
> > This of course sends the client into a redirect loop (301) if I hit e.g.
> > https://about.site.com/login , because the connection between HAProxy and
> > Node is non-SSL, so it redirects me back to that URL expecting the
> > subsequent connection to be HTTPS. If I add an about:3001 backend (3001 is
> > Node's SSL port) I of course get a 502 error because HAProxy connects to it
> > via a non-SSL protocol. I also tried to set the backend to tcp mode but that
> > failed because the frontend is http.
> >
> > So my guess is that I need to add a tcp frontend to handle specifically
> > HTTPS connections for about.site.com. How would I go about doing that? Can
> > I have both a TCP and HTTP frontend bind to the same port? How would I
> > shape the ACLs to direct https://about.site.com to the TCP frontend, and
> > everything else to the HTTP frontend?
> >
> >
> >
> > --
> > Claus Strommer, Dev/Ops Engineering Specialist
>
>
> Hi Claus,
>
> first, I don't understand your configuration.
> You may have cut some part of it, but you cut too much :)
> We need to know the content of require_ssl and require_nossl.
> Also, the backend 3001 is not used.
>
> Maybe this could help: if you want to cipher a connection to a server,
> then simply add the keyword "ssl" on the server line.
> (check also the global parameter ssl-server-verify)
>
> Baptiste
>
--
Claus Strommer, Dev/Ops Engineering Specialist
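Added example (not from either poster): one way to wire up what Baptiste suggests, so that HAProxy re-encrypts towards Node's SSL port instead of needing a TCP passthrough frontend. The frontend stays in HTTP mode; requests for about.site.com that arrived over TLS go to the about:3001 backend, whose server line carries "ssl" so Node sees a TLS socket on port 3001 and its login page no longer redirects. The CA file path /etc/ssl/certs/backend-ca.pem is assumed (it must contain the issuer of the certificate Node presents on 3001); host and port names are the ones from the thread. The ACLs use hdr(host) rather than hdr_end(host), because an "ends with" match also accepts names such as notabout.site.com.

```haproxy
global
    # HAProxy 1.5 default, stated explicitly: a backend certificate that
    # does not verify is a connection failure, not a silent downgrade.
    ssl-server-verify required

frontend httpweb
    bind *:80
    bind *:443 ssl crt /etc/ssl/private/primal_bundle_2014.pem
    mode http
    option httplog

    # Exact Host match (hdr_end would also match e.g. notabout.site.com).
    acl host_about hdr(host) -i about.site.com
    acl host_api   hdr(host) -i api.site.com
    acl host_error hdr(host) -i error.site.com

    # api is TLS-only, error is plain-only, about keeps the client's scheme.
    redirect scheme https code 301 if !{ ssl_fc } host_api
    redirect scheme http  code 301 if  { ssl_fc } host_error

    # Let backends that read headers know which scheme the client used.
    http-request set-header X-Forwarded-Proto https if  { ssl_fc }
    http-request set-header X-Forwarded-Proto http  if !{ ssl_fc }

    # TLS on the client side -> Node's TLS port, re-encrypted by HAProxy.
    # Plain HTTP on the client side -> Node's plain port.
    use_backend about:3001 if host_about { ssl_fc }
    use_backend about:3000 if host_about
    use_backend api:80     if host_api
    use_backend nginx:8080 if host_error

backend about:3000
    mode http
    option forwardfor
    server about.backend.com about.backend.com:3000 check inter 5000

backend about:3001
    mode http
    option forwardfor
    # "ssl" makes HAProxy a TLS client towards Node. "verify required" with
    # a ca-file (assumed path) means only certificates chaining to that CA
    # are accepted; "verify none" would make this hop trivially interceptable.
    server about.backend.com about.backend.com:3001 ssl verify required ca-file /etc/ssl/certs/backend-ca.pem check inter 5000

backend api:80
    mode http
    option forwardfor
    server api.backend.com api.backend.com:80 check inter 5000

backend nginx:8080
    mode http
    option forwardfor
    server localhost 127.0.0.1:8080 check inter 5000
```

Check it with "haproxy -c -f <file>" before reloading: with "verify required" and no usable ca-file the configuration is rejected at that point rather than failing at runtime with 502s. Since about.backend.com:3001 now gets health checks over TLS as well, a certificate or CA mismatch shows up as the server being marked DOWN in the stats, which is the symptom to look for if the about:3001 backend never receives traffic.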