On Tue, Mar 29, 2016 at 06:06:50PM -0600, Shawn Heisey wrote:
> You can only set up a redirect on a different frontend, listening on
> another port WITHOUT SSL. And to do that, I would put the redirect in
> the frontend, not the backend.
>
> Here's a slightly redacted example of what I'm saying:
>
> frontend fe-services-80
>     description Front end that accepts non-ssl requests
>     bind 70.xxx.yyy.75:80
>     redirect scheme https if !{ ssl_fc }
>     capture request header host len 32
>
> frontend fe-services-443
>     description Front end that accepts SSL requests
>     bind 70.xxx.yyy.75:443 ssl crt /etc/ssl/certs/local/services.nc.combined.pem no-sslv3 alpn http/1.1 npn http/1.1
>     capture request header host len 32
>     default_backend be-services-8443

Note that you can further simplify it by having a single frontend
with two "bind" lines:

frontend fe-services-80
    bind 70.xxx.yyy.75:80
    bind 70.xxx.yyy.75:443 ssl crt /etc/ssl/certs/local/services.nc.combined.pem no-sslv3 alpn http/1.1 npn http/1.1
    redirect scheme https if !{ ssl_fc }
    capture request header host len 32

Willy
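
Added example, not part of the original thread and not HAProxy project code: a small audit of the pattern discussed above. It flags frontends that have a plaintext bind but no "redirect scheme https" rule, and merged frontends (one plaintext and one ssl bind, as in the single-frontend form) whose redirect has no ssl_fc condition and would therefore also fire on the TLS bind. The function name, the sample config, and its addresses and paths are constructed for illustration, and the ssl_fc test is a substring heuristic.

```python
import re

# Section keywords recognised by this sketch (HAProxy has a few more).
SECTION = re.compile(r"^(global|defaults|frontend|backend|listen|userlist|peers)\b\s*(\S*)")
REDIRECT = re.compile(r"^(?:http-request\s+)?redirect\s+scheme\s+https\b(.*)$")

def audit_frontends(cfg_text):
    """Map frontend name -> finding for frontends that mishandle plaintext."""
    fronts, cur = {}, None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if not line:
            continue
        sec = SECTION.match(line)
        if sec:
            kind, name = sec.groups()
            cur = None
            if kind in ("frontend", "listen"):
                cur = fronts.setdefault(name, {"plain": False, "tls": False, "rules": []})
            continue
        if cur is None:
            continue
        tokens = line.split()
        if tokens[0] == "bind":                   # TLS only if "ssl" is a bind option
            cur["tls" if "ssl" in tokens[2:] else "plain"] = True
        elif REDIRECT.match(line):
            cur["rules"].append(REDIRECT.match(line).group(1))
    findings = {}
    for name, f in fronts.items():
        if f["plain"] and not f["rules"]:
            findings[name] = "plaintext bind without https redirect"
        elif f["plain"] and f["tls"] and not any("ssl_fc" in r for r in f["rules"]):
            findings[name] = "unconditional redirect on shared TLS bind (loop)"
    return findings

# Constructed sample; addresses, names and paths are placeholders.
SAMPLE_CFG = """
frontend fe-merged
    bind 192.0.2.10:80
    bind 192.0.2.10:443 ssl crt /etc/haproxy/example.pem
    redirect scheme https if !{ ssl_fc }
frontend fe-no-redirect
    bind 192.0.2.10:8080
frontend fe-loop
    bind 192.0.2.10:81
    bind 192.0.2.10:444 ssl crt /etc/haproxy/example.pem
    redirect scheme https
"""

if __name__ == "__main__":
    for name, finding in audit_frontends(SAMPLE_CFG).items():
        print(f"{name}: {finding}")
```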