Thanks. Worked like a charm.

On Tue, Aug 11, 2015 at 8:30 PM Igor Cicimov <[email protected]> wrote:
>
> On Tue, Aug 11, 2015 at 12:10 PM, Roman Gelfand <[email protected]> wrote:
>
>> I am publishing the Horde webmail application. Horde itself is served
>> internally via the http protocol on apache. Please see the configuration
>> below. The issue seems to be with css and image files, as formatting is
>> out of whack. Please note, accessing the http site from the intranet works.
>>
>> global
>>     log 127.0.0.1 local0 debug
>>     tune.ssl.default-dh-param 2048
>>     maxconn 4096
>>     user proxy
>>     group proxy
>>     daemon
>>     #debug
>>     #quiet
>>
>> defaults
>>     log global
>>     mode http
>>     option forwardfor
>>     option httplog
>>     option dontlognull
>>     option redispatch
>>     option http-server-close
>>     retries 3
>>     maxconn 2000
>>     timeout connect 5000
>>     timeout client 50000
>>     timeout server 50000
>>
>> frontend farm_test_ssl
>>     mode http
>>     bind 0.0.0.0:443 ssl crt /etc/ssl/certs/cs.pem crt /etc/ssl/certs/remote.pem
>>     use_backend bk_cs_cert if { ssl_fc_sni cs.localdom.com } # content switching based on SNI
>>     use_backend bk_remote_cert if { ssl_fc_sni remote.localdom.com } # content switching based on SNI
>>
>> backend bk_cs_cert
>>     mode http
>>     server cs 192.168.8.108:80 check ssl verify none
>>
>> backend bk_remote_cert
>>     mode http
>>     server remail 192.168.8.166:80 check ssl verify none
>>
>
> Roman,
>
> My guess would be mixed content, which every modern browser will block
> these days. Meaning you request a page over https but the response page has
> http links for the css and js files, which the browser will refuse to load.
> You can confirm that using the development tools in chrome or firefox just
> to make sure this is the case.
>
> More details about ssl offloading can be found here:
> http://blog.haproxy.com/2013/02/26/ssl-offloading-impact-on-web-applications/
>
> In short, you need to tell the backend apache that the content needs to be
> served via ssl. That is usually done by providing some headers in HAProxy:
>
>     http-request set-header X-Forwarded-Proto https if { ssl_fc }
>
> then in Apache I have:
>
>     SetEnvIfNoCase X-Forwarded-Proto https HTTPS=on
>     # Ensure the pages requested over ssl are always over ssl
>     RewriteEngine On
>     RewriteCond %{HTTP_X_Forwarded_Proto} ^https$
>     RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R,L]
>
> Hope this helps, in case I'm right that is :-).
> Igor
>
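
A scripted counterpart to the browser dev-tools check suggested in the quoted reply, added here as an example and not part of the original thread: it lists the subresources an https page references over plain http. The sample HTML and its asset paths are constructed; only the hostname comes from the posted configuration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose URL attribute triggers a subresource fetch (<a href> is navigation).
SUBRESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src",
                     "audio": "src", "video": "src", "source": "src", "embed": "src"}
# <link> fetches only for these rel values; rel="canonical" and similar do not.
FETCHING_RELS = {"stylesheet", "icon", "preload", "modulepreload"}

# Constructed sample: markup an application unaware of the TLS offload might emit.
SAMPLE_BEFORE = """<head>
<link rel="stylesheet" href="http://remote.localdom.com/themes/screen.css">
<script src="http://remote.localdom.com/js/app.js"></script>
</head><body><img src="/themes/logo.png"><a href="http://remote.localdom.com/">home</a></body>"""

class MixedContentFinder(HTMLParser):
    """Collect subresource URLs that resolve to the http scheme."""
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            self.base = urljoin(self.base, attrs["href"])  # later relative URLs resolve here
            return
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            ref = attrs.get("href") if rels & FETCHING_RELS else None
        else:
            ref = attrs.get(SUBRESOURCE_ATTRS.get(tag, ""))
        if not ref:
            return
        absolute = urljoin(self.base, ref.strip())
        if urlsplit(absolute).scheme == "http":
            self.insecure.append((tag, absolute))

def find_mixed_content(page_url, html):
    """Return (tag, url) pairs for subresources referenced over plain http."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on pages loaded over https
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.insecure

if __name__ == "__main__":
    print(find_mixed_content("https://remote.localdom.com/", SAMPLE_BEFORE))
```

An empty result for the same page after the `X-Forwarded-Proto` change indicates the application is now generating https (or relative) asset URLs.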

