I too am interested in this functionality. Looking at the proxy protocol
documentation
(http://www.haproxy.org/download/1.6/doc/proxy-protocol.txt), it seems
that the requisite information is present in the PP2 header: "The
PP2_CLIENT_SSL flag indicates that the client connected over SSL/TLS."

Looking through the source it seems haproxy adds this when sending PP2,
but not when receiving it.

-Patrick

On 2016/4/16 04:57, Christian Ruppert wrote:
> Hi Dennis,
>
> On 2016-04-16 02:13, Dennis Jacobfeuerborn wrote:
>> On 15.04.2016 16:01, Christian Ruppert wrote:
>>> Hi,
>>>
>>> would it be possible to inherit the SSL information from a SSL
>>> listener/frontend via PROXY protocol?
>>> So for example:
>>>
>>> listen ssl-relay
>>>     mode tcp
>>>
>>>     ...
>>>
>>>     server rsa unix@/var/run/haproxy_ssl_rsa.sock send-proxy-v2
>>>
>>> listen ssl-rsa_ecc
>>>     mode tcp
>>>
>>>     ...
>>>
>>>     bind unix@/var/run/haproxy_ssl_rsa.sock accept-proxy ssl crt SSl-RSA.PEM user haproxy
>>>
>>> frontend http_https
>>>     bind :80 # http
>>>     bind unix@/var/run/haproxy_ssl.sock accept-proxy user haproxy # https
>>>
>>>     redirect scheme https code 301 if !{ssl_fc}
>>>
>>>
>>> Here the ssl_fc and other SSL related ACLs do not work because the
>>> actual SSL termination has been done in the above ssl-rsa_ecc listener.
>>> Sharing that either internally or via the PROXY protocol would be
>>> really handy, if that's possible.
>>> For now we use the bind "id" to check whether it's the proxy connection
>>> or not but the above would be much easier/better IMHO.
>>
>> For this specific case of http to https redirect I use the
>> X-Forwarded-Proto header. In the ssl frontend I do this:
>>
>> http-request set-header X-Forwarded-Proto https
>>
>> and in the plain http frontend I do this:
>>
>> http-request redirect scheme https if !{ req.hdr(X-Forwarded-Proto) https }
>
> The problem here is that one could set that in a plain http request as
> well and would avoid some redirects and whatnot, depending on what you
> do based on what decision. You may also want the other SSL data,
> cipher, version etc. Since 1.6 you can set variables, ok, but somehow
> passing that kind of information could be really useful I guess.
>
>>
>> You usually need to set this header anyway so the application knows it
>> needs to generate https URLs in the generated HTML.
>>
>> Regards,
>>   Dennis
>
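
What the receiving side would have to read, as an added example that is not part of the original thread and is not HAProxy's code: a parser for a PROXY protocol v2 header that extracts the PP2_TYPE_SSL TLV and its PP2_CLIENT_SSL bit. Constants follow proxy-protocol.txt; the function names and the sample header (addresses, ports, TLS version string) are constructed for illustration, and the result is only meaningful on a listener that accepts PROXY headers from a trusted hop.

```python
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_TYPE_SSL, PP2_SUBTYPE_SSL_VERSION, PP2_CLIENT_SSL = 0x20, 0x21, 0x01
ADDR_LEN = {0x0: 0, 0x1: 12, 0x2: 36, 0x3: 216}  # UNSPEC, INET, INET6, UNIX

def iter_tlvs(buf):
    """Yield (type, value) pairs; reject a TLV that overruns its buffer."""
    pos = 0
    while pos < len(buf):
        if pos + 3 > len(buf):
            raise ValueError("truncated TLV header")
        tlv_type, tlv_len = struct.unpack_from("!BH", buf, pos)
        pos += 3
        if pos + tlv_len > len(buf):
            raise ValueError("TLV length exceeds enclosing buffer")
        yield tlv_type, buf[pos:pos + tlv_len]
        pos += tlv_len

def parse_pp2_ssl(data):
    """Return the SSL info from a PROXY v2 header, or None if no SSL TLV."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("not a PROXY protocol v2 header")
    ver_cmd, fam_proto, length = struct.unpack_from("!BBH", data, 12)
    addr_len = ADDR_LEN.get(fam_proto >> 4)
    if ver_cmd >> 4 != 2 or addr_len is None:
        raise ValueError("unsupported version or address family")
    body = data[16:16 + length]
    if len(body) < length or addr_len > length:
        raise ValueError("truncated header")
    for tlv_type, value in iter_tlvs(body[addr_len:]):
        if tlv_type == PP2_TYPE_SSL:
            if len(value) < 5:  # 1-byte client bitfield + 4-byte verify
                raise ValueError("SSL TLV too short")
            client, verify = struct.unpack_from("!BI", value)
            info = {"ssl": bool(client & PP2_CLIENT_SSL), "verify": verify,
                    "version": None}
            for sub_type, sub_val in iter_tlvs(value[5:]):
                if sub_type == PP2_SUBTYPE_SSL_VERSION:
                    info["version"] = sub_val.decode("ascii", "replace")
            return info
    return None

def build_sample(with_ssl):
    """Constructed header: PROXY command, TCP over IPv4, optional SSL TLV."""
    body = bytes([192, 0, 2, 10, 192, 0, 2, 1]) + struct.pack("!HH", 51234, 443)
    if with_ssl:
        val = struct.pack("!BIBH", PP2_CLIENT_SSL, 0, PP2_SUBTYPE_SSL_VERSION, 7) + b"TLSv1.2"
        body += struct.pack("!BH", PP2_TYPE_SSL, len(val)) + val
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(body)) + body
```

Unlike an X-Forwarded-Proto header, this data sits outside the HTTP stream, so a client cannot inject it once the listener only accepts PROXY headers from the relay.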
