On 3/29/2016 4:56 PM, Colin Leavett-Brown wrote:
> I have the following haproxy configuration:
>
> global
>     daemon
>     maxconn 2048
>     tune.ssl.default-dh-param 1024
>
> defaults
>     mode http
>     timeout connect 5000ms
>     timeout client 50000ms
>     timeout server 50000ms
>
> frontend keystone_public
>     bind beaver.heprc.uvic.ca:15000 ssl crt /etc/pki/tls/private/web_crt_key.pem
>     reqadd X-Forwarded-Proto:\ https
>     default_backend keystone_internal
>
> backend keystone_internal
>     redirect scheme https code 301 if !{ ssl_fc }
>     server beaver beaver:5000 check

<snip>

> However, a request using the wrong scheme gives the following:
>
> root@chimpanzee:/home/uvic# curl beaver.heprc.uvic.ca:15000
> curl: (52) Empty reply from server
> root@chimpanzee:/home/uvic# curl http://beaver.heprc.uvic.ca:15000
> curl: (52) Empty reply from server
> root@chimpanzee:/home/uvic#

You can't make a non-SSL request to the port listening with SSL. It won't understand regular HTTP. This is how SSL works; it is not a limitation or bug in haproxy.

You can only set up a redirect on a different frontend, listening on another port WITHOUT SSL. And to do that, I would put the redirect in the frontend, not the backend.

Here's a slightly redacted example of what I'm saying:

frontend fe-services-80
    description Front end that accepts non-ssl requests
    bind 70.xxx.yyy.75:80
    redirect scheme https if !{ ssl_fc }
    capture request header host len 32

frontend fe-services-443
    description Front end that accepts SSL requests
    bind 70.xxx.yyy.75:443 ssl crt /etc/ssl/certs/local/services.nc.combined.pem no-sslv3 alpn http/1.1 npn http/1.1
    capture request header host len 32
    default_backend be-services-8443

backend be-services-8443
    description Back end for prod services requests.
    cookie NOTSHOWN insert indirect nocache
    server frontier 10.100.2.25:8443 ssl weight 100 cookie frontier track chk-8443/frontier
    server fremont 10.100.2.26:8443 ssl weight 100 cookie fremont track chk-8443/fremont

Thanks,
Shawn
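The two-listener behaviour Shawn describes, as an added simulation that is not part of the thread and not haproxy code: a TLS listener only accepts bytes that start a TLS record (a ClientHello), so a plaintext "GET / HTTP/1.1" on that port is dropped and curl reports an empty reply, while a separate plaintext listener can parse the request line and Host header and answer with the redirect that `redirect scheme https` produces (a `Location:` of `https://<host><path>`, code 302 by default, 301 when `code 301` is given as in Colin's config). The host names, request bytes and ClientHello bytes below are constructed for illustration.

```python
# Added example, not from the haproxy thread: a minimal model of what a
# plaintext frontend and an SSL frontend each see on the wire and how they
# respond. Sample inputs are constructed; nothing here is haproxy's own code.

TLS_HANDSHAKE = 0x16    # TLS record content type "handshake"
CLIENT_HELLO = 0x01     # handshake message type "ClientHello"
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")
REASON = {301: "Moved Permanently", 302: "Found", 303: "See Other",
          307: "Temporary Redirect", 308: "Permanent Redirect"}


def classify(first_bytes: bytes) -> str:
    """Decide what a listener is looking at from the first bytes of a connection.

    A TLS record starts with a 5-byte header: type(1) version(2) length(2),
    followed by the handshake message type. Plaintext HTTP starts with a method.
    """
    if (len(first_bytes) >= 6 and first_bytes[0] == TLS_HANDSHAKE
            and first_bytes[1] == 0x03 and first_bytes[5] == CLIENT_HELLO):
        return "tls-client-hello"
    if first_bytes.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "unknown"


def parse_request(raw: bytes):
    """Return (method, target, host) from an HTTP/1.1 request head; None fields if malformed."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None, None, None
    method, target, _version = parts
    host = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    return method, target, host


def plaintext_listener(raw: bytes, code: int = 302):
    """Model of the non-SSL frontend with 'redirect scheme https if !{ ssl_fc }'.

    haproxy keeps the client's Host and path and only swaps the scheme; the
    default redirect code is 302, Colin's config asks for 301 explicitly.
    """
    if classify(raw) != "plaintext-http":
        return None                      # not HTTP at all: nothing to redirect
    _method, target, host = parse_request(raw)
    if target is None or host is None:
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    location = f"https://{host}{target}"
    status = f"HTTP/1.1 {code} {REASON[code]}"
    return f"{status}\r\nLocation: {location}\r\nContent-Length: 0\r\n\r\n".encode("ascii")


def tls_listener(raw: bytes):
    """Model of the SSL frontend: only a ClientHello is accepted.

    Any other bytes are not a valid TLS record, so the TLS layer closes the
    connection before HTTP is ever involved; curl shows '(52) Empty reply'.
    """
    if classify(raw) == "tls-client-hello":
        return b"<continue TLS handshake>"
    return None                          # connection closed, no HTTP response


# Constructed sample traffic (not captured from any real host).
PLAINTEXT_REQUEST = b"GET /v3/ HTTP/1.1\r\nHost: services.example.net\r\n\r\n"
CLIENT_HELLO_PREFIX = bytes([0x16, 0x03, 0x01, 0x00, 0xC0, 0x01])  # record hdr + hello type

if __name__ == "__main__":
    print("plaintext port :", plaintext_listener(PLAINTEXT_REQUEST))
    print("ssl port, HTTP :", tls_listener(PLAINTEXT_REQUEST))
    print("ssl port, TLS  :", tls_listener(CLIENT_HELLO_PREFIX))
```

The plaintext port answers with a redirect that points at the same host and path on https; the SSL port returns nothing for the same request, which is exactly the empty reply in Colin's curl output. A frontend on a port with `ssl crt` never reaches the point where a `redirect` rule could run for plaintext input, which is why the redirect has to live on a separate non-SSL frontend.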