On 15.04.2016 16:01, Christian Ruppert wrote:
> Hi,
> 
> would it be possible to inherit the SSL information from an SSL
> listener/frontend via PROXY protocol?
> So for example:
> 
> listen ssl-relay
>     mode tcp
> 
>     ...
> 
>     server rsa unix@/var/run/haproxy_ssl_rsa.sock send-proxy-v2
> 
> listen ssl-rsa_ecc
>     mode tcp
> 
>     ...
> 
>     bind unix@/var/run/haproxy_ssl_rsa.sock accept-proxy ssl crt SSl-RSA.PEM user haproxy
> 
> frontend http_https
>     bind :80 # http
>     bind unix@/var/run/haproxy_ssl.sock accept-proxy user haproxy # https
> 
>     redirect scheme https code 301 if !{ ssl_fc }
> 
> 
> Here the ssl_fc and other SSL related ACLs do not work because the
> actual SSL termination has been done in the above ssl-rsa_ecc listener.
> Sharing that either internally or via the PROXY protocol would be really
> handy, if that's possible.
> For now we use the bind "id" to check whether it's the proxy connection
> or not but the above would be much easier/better IMHO.

For this specific case of http to https redirect I use the
X-Forwarded-Proto header. In the ssl frontend I do this:

http-request set-header X-Forwarded-Proto https

and in the plain http frontend I do this:

http-request redirect scheme https if !{ req.hdr(X-Forwarded-Proto) https }

You usually need to set this header anyway so the application knows it
needs to generate https URLs in the generated HTML.

Regards,
  Dennis
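
One way to combine the bind "id" check from the question with the X-Forwarded-Proto header from the reply inside the single http_https frontend, as an added example that is not from either poster or from the HAProxy project. The id values 80 and 443 and the `mode http` line are assumptions; `so_id` matches the id of the bind line that accepted the connection, so the scheme is derived from the listener and not from a header in the request.

```haproxy
frontend http_https
    mode http                                   # assumption: not shown in the original post
    bind :80 id 80                              # plain http straight from clients
    bind unix@/var/run/haproxy_ssl.sock accept-proxy user haproxy id 443   # traffic already decrypted by the TLS listener

    # Anything that did not arrive through the TLS listener's socket is plain http.
    http-request redirect scheme https code 301 unless { so_id 443 }

    # Only TLS-terminated requests get here. set-header removes any existing
    # X-Forwarded-Proto first, so the application sees this value and not one
    # supplied in the request.
    http-request set-header X-Forwarded-Proto https
```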

