On 15.04.2016 16:01, Christian Ruppert wrote:
> Hi,
>
> would it be possible to inherit the SSL information from a SSL
> listener/frontend via PROXY protocol?
> So for example:
>
> listen ssl-relay
> mode tcp
>
> ...
>
> server rsa unix@/var/run/haproxy_ssl_rsa.sock send-proxy-v2
>
> listen ssl-rsa_ecc
> mode tcp
>
> ...
>
> bind unix@/var/run/haproxy_ssl_rsa.sock accept-proxy ssl crt SSl-RSA.PEM user haproxy
>
> frontend http_https
> bind :80 # http
> bind unix@/var/run/haproxy_ssl.sock accept-proxy user haproxy # https
>
> redirect scheme https code 301 if !{ssl_fc}
>
>
> Here the ssl_fc and other SSL related ACLs do not work because the
> actual SSL termination has been done in the above ssl-rsa_ecc listener.
> Sharing that either internally or via the PROXY protocol would be really
> handy, if that's possible.
> For now we use the bind "id" to check whether it's the proxy connection
> or not but the above would be much easier/better IMHO.

For this specific case of http to https redirect I use the
X-Forwarded-Proto header. In the ssl frontend I do this:

    http-request set-header X-Forwarded-Proto https

and in the plain http frontend I do this:

    http-request redirect scheme https if !{ req.hdr(X-Forwarded-Proto) https }

You usually need to set this header anyway so the application knows it
needs to generate https URLs in the generated HTML.

Regards,
Dennis
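
One way to apply the header approach from the reply above when the plain-http bind is reachable by clients that can send X-Forwarded-Proto themselves. This is an added example, not configuration from either poster; the frontend and backend names, the bind ids and the certificate path are assumptions.

```haproxy
# Added example. Section names, bind ids and the certificate path are
# placeholders, not values from the thread.

frontend https_in
    mode http
    bind :443 ssl crt /etc/haproxy/certs/example.pem   # placeholder path
    # set-header replaces any value the client supplied, so the header
    # leaving this frontend always reflects the real TLS termination.
    http-request set-header X-Forwarded-Proto https
    default_backend relay_to_http

backend relay_to_http
    mode http
    server plain unix@/var/run/haproxy_ssl.sock send-proxy-v2

frontend http_https
    mode http
    # Public plain-http listener.
    bind :80 id 80
    # Only https_in connects here, via the unix socket.
    bind unix@/var/run/haproxy_ssl.sock accept-proxy user haproxy id 443

    # Weak: the header is trusted on every bind, including the public one,
    # so a request on port 80 carrying "X-Forwarded-Proto: https" is never
    # redirected and reaches the application over plain http:
    #   http-request redirect scheme https code 301 if !{ req.hdr(X-Forwarded-Proto) https }

    # Corrected: http-request rules run in order, so first drop the header
    # when the request arrived on the public bind (so_id 80), then redirect
    # anything that does not carry the header set by https_in.
    http-request del-header X-Forwarded-Proto if { so_id 80 }
    http-request redirect scheme https code 301 if !{ req.hdr(X-Forwarded-Proto) https }
```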