Hi Dennis,

On 2016-04-16 02:13, Dennis Jacobfeuerborn wrote:
On 15.04.2016 16:01, Christian Ruppert wrote:
Hi,

would it be possible to inherit the SSL information from a SSL
listener/frontend via PROXY protocol?
So for example:

listen ssl-relay
    mode tcp

    ...

    server rsa unix@/var/run/haproxy_ssl_rsa.sock send-proxy-v2

listen ssl-rsa_ecc
    mode tcp

    ...

    bind unix@/var/run/haproxy_ssl_rsa.sock accept-proxy ssl crt SSL-RSA.PEM user haproxy

frontend http_https
    bind :80 # http
    bind unix@/var/run/haproxy_ssl.sock accept-proxy user haproxy # https

    redirect scheme https code 301 if !{ssl_fc}


Here the ssl_fc and other SSL related ACLs do not work because the
actual SSL termination has been done in the above ssl-rsa_ecc listener.
Sharing that either internally or via the PROXY protocol would be really
handy, if that's possible.
For now we use the bind "id" to check whether it's the proxy connection
or not but the above would be much easier/better IMHO.

For this specific case of http to https redirect I use the
X-Forwarded-Proto header. In the ssl frontend I do this:

http-request set-header X-Forwarded-Proto https

and in the plain http frontend I do this:

http-request redirect scheme https if !{ req.hdr(X-Forwarded-Proto) https }

The problem here is that one could set that header in a plain HTTP request as well and thereby avoid some redirects and whatnot, depending on what you do based on that decision. You may also want the other SSL data: cipher, version, etc. Since 1.6 you can set variables, OK, but somehow passing that kind of information along could be really useful, I guess.


You usually need to set this header anyway so the application knows it
needs to generate https URLs in the generated HTML.

Regards,
  Dennis

--
Regards,
Christian Ruppert
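The spoofing concern raised above (a client on the plain :80 bind can send its own X-Forwarded-Proto: https and skip the redirect) can be closed without any SSL state crossing the PROXY hop. The following configuration is an added illustration, not part of the thread and not from the HAProxy project; it assumes the same socket layout as Christian's post (TLS terminated in a separate mode tcp listener that relays to unix@/var/run/haproxy_ssl.sock with send-proxy) and picks the bind ids 1 and 2 arbitrarily. It decides by the id of the listening socket that accepted the connection (so_id), and overwrites the header on every request so that nothing the client sent survives.

```haproxy
# Weak variant (assumed, for contrast): trusts whatever X-Forwarded-Proto the
# client sent on the plaintext bind, so "X-Forwarded-Proto: https" bypasses
# the redirect and reaches the backend as if it had been TLS.
frontend http_https_weak
    mode http
    bind :80
    bind unix@/var/run/haproxy_ssl.sock accept-proxy user haproxy
    http-request redirect scheme https code 301 if !{ req.hdr(X-Forwarded-Proto) https }
    default_backend app

# Hardened variant: the decision is made from the bind id, which the client
# cannot influence, and the header is rewritten unconditionally.
frontend http_https
    mode http
    bind :80 id 1                                                  # plaintext
    bind unix@/var/run/haproxy_ssl.sock accept-proxy user haproxy id 2  # behind the TLS listener

    # Never trust a client-supplied X-Forwarded-Proto: set-header replaces any
    # existing value, so both branches overwrite rather than append.
    http-request set-header X-Forwarded-Proto http  if { so_id 1 }
    http-request set-header X-Forwarded-Proto https if { so_id 2 }

    # Redirect only requests that really arrived on the plaintext socket.
    http-request redirect scheme https code 301 if { so_id 1 }

    default_backend app

backend app
    mode http
    server app1 127.0.0.1:8080  # placeholder backend, assumed for the example
```

Cipher, protocol version and client-certificate details still live only in the listener that did the handshake; with this layout the HTTP frontend learns "plaintext or not" from the bind id, and nothing more, which is what the redirect needs.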
