On 3/29/2016 4:56 PM, Colin Leavett-Brown wrote:
> I have the following haproxy configuration:
>
> global
>     daemon
>     maxconn 2048
>     tune.ssl.default-dh-param 1024
>
> defaults
>     mode http
>     timeout connect 5000ms
>     timeout client 50000ms
>     timeout server 50000ms
>
> frontend keystone_public
>     bind beaver.heprc.uvic.ca:15000 ssl crt /etc/pki/tls/private/web_crt_key.pem
>     reqadd X-Forwarded-Proto:\ https
>     default_backend keystone_internal
>
> backend keystone_internal
>     redirect scheme https code 301 if !{ ssl_fc }
>     server beaver beaver:5000 check
<snip>
> However, a request using the wrong scheme gives the following:
>
> root@chimpanzee:/home/uvic# curl beaver.heprc.uvic.ca:15000
> curl: (52) Empty reply from server
> root@chimpanzee:/home/uvic# curl http://beaver.heprc.uvic.ca:15000
> curl: (52) Empty reply from server
> root@chimpanzee:/home/uvic#
You can't make a non-SSL request to the port listening with SSL. It
won't understand regular HTTP. This is how SSL works; it is not a
limitation or bug in haproxy.
You can only set up a redirect on a different frontend, listening on
another port WITHOUT SSL. And to do that, I would put the redirect in
the frontend, not the backend.
Here's a slightly redacted example of what I'm saying:
frontend fe-services-80
    description Front end that accepts non-ssl requests
    bind 70.xxx.yyy.75:80
    redirect scheme https if !{ ssl_fc }
    capture request header host len 32

frontend fe-services-443
    description Front end that accepts SSL requests
    bind 70.xxx.yyy.75:443 ssl crt /etc/ssl/certs/local/services.nc.combined.pem no-sslv3 alpn http/1.1 npn http/1.1
    capture request header host len 32
    default_backend be-services-8443

backend be-services-8443
    description Back end for prod services requests.
    cookie NOTSHOWN insert indirect nocache
    server frontier 10.100.2.25:8443 ssl weight 100 cookie frontier track chk-8443/frontier
    server fremont 10.100.2.26:8443 ssl weight 100 cookie fremont track chk-8443/fremont
Thanks,
Shawn
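A small model of the two listeners Shawn describes, added here as an illustration (not code from the thread or from haproxy): it classifies the first bytes a client sends and shows why plaintext HTTP on the TLS port never gets an HTTP reply, while a separate plain frontend can answer with the scheme redirect. The sample request bytes, the TLS_HELLO record and the handle() function are constructed for this example.

```python
import re

# Constructed sample inputs (not from the thread): the first bytes a client sends.
PLAIN_HTTP = b"GET /v3/ HTTP/1.1\r\nHost: beaver.heprc.uvic.ca\r\n\r\n"
# Minimal TLS record: type 0x16 (handshake), version 3.1, length 5, ClientHello (0x01).
TLS_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r\n")
REASON = {301: "Moved Permanently", 302: "Found"}


def is_tls_client_hello(data: bytes) -> bool:
    """True if the bytes open a TLS handshake record carrying a ClientHello."""
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x03 and data[5] == 0x01)


def parse_http_request(data: bytes):
    """Return (method, path, host) for a plaintext HTTP/1.x request, else None."""
    m = REQUEST_LINE.match(data)
    if m is None:
        return None
    host = None
    for line in data.split(b"\r\n")[1:]:
        if line.lower().startswith(b"host:"):
            host = line.split(b":", 1)[1].strip().decode()
            break
    return m.group(1).decode(), m.group(2).decode(), host


def handle(listener_is_tls: bool, data: bytes, code: int = 302) -> str:
    """Model what each frontend does with the first bytes of a connection."""
    if listener_is_tls:
        if is_tls_client_hello(data):
            return "tls-handshake"
        # "GET " is not a TLS record, so the TLS layer fails and the connection is
        # closed without any HTTP response: curl's "(52) Empty reply from server".
        return "closed"
    if is_tls_client_hello(data):
        return "closed"  # a TLS hello on the plain listener is equally unreadable
    req = parse_http_request(data)
    if req is None:
        return "closed"
    _method, path, host = req
    if host is None:
        return "HTTP/1.1 400 Bad Request\r\n\r\n"
    # Like 'redirect scheme https', build Location from the client's Host header
    # (port included, if it sent one) plus the URI; hence the 80/443 pairing above.
    return f"HTTP/1.1 {code} {REASON[code]}\r\nLocation: https://{host}{path}\r\n\r\n"
```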