I am using haproxy in combination with stunnel to perform SSL. My
backend servers expect an X-Forwarded-Proto: https header to indicate
that the request was sent over SSL. If this header is missing, the
request is redirected to the https:// flavor of the URL.
However, with haproxy-1.5-dev5, I am seeing that the header is only
added to the first request of the connection. Subsequent requests are
missing this header. Below is an example from a tcpdump.
--
GET /private/ HTTP/1.1
Host: beta.mysite.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.16 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sessionid=03412c52b518e63558dc3d2418b52dc9
X-Forwarded-Proto: http
X-Forwarded-For: 10.10.10.10

HTTP/1.1 302 FOUND
Date: Tue, 29 Mar 2011 16:28:45 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: sessionid=03412c52b518e63558dc3d2418b52dc9; expires=Tue, 29-Mar-2011 16:48:45 GMT; Max-Age=1200; Path=/
Location: https://beta.mysite.com/private/
Content-Length: 0
Keep-Alive: timeout=3, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

GET /private/ HTTP/1.1
Host: beta.mysite.com
Connection: keep-alive
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.16 Safari/534.24
Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: sessionid=03412c52b518e63558dc3d2418b52dc9

HTTP/1.1 302 FOUND
Date: Tue, 29 Mar 2011 16:28:45 GMT
Server: Apache/2.2.3 (CentOS)
Set-Cookie: sessionid=03412c52b518e63558dc3d2418b52dc9; expires=Tue, 29-Mar-2011 16:48:45 GMT; Max-Age=1200; Path=/
Location: https://beta.mysite.com/private/
Content-Length: 0
Keep-Alive: timeout=3, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

...
--
This redirect loop runs until the browser interrupts it and displays
an error. My configuration follows:
--
listen http-vip00
    bind 192.168.1.1:80
    bind 127.0.0.1:81 accept-proxy
    mode http
    option httplog
    balance roundrobin
    reqidel ^X-Forwarded-For:.*
    acl is-ssl dst_port 81
    reqadd X-Forwarded-Proto:\ https if is-ssl
    reqadd X-Forwarded-Proto:\ http unless is-ssl
    option forwardfor
    server www1 10.19.78.18:80
--
I have not yet had a chance to see if the same thing happens with
previous versions of haproxy. Is this expected behavior or do I have
something misconfigured?
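A small check for exactly the symptom described above, added here as an example and not part of the original message or of haproxy: open one persistent connection, send the same request several times, and compare how each one was answered, so a proxy that only treats the first request of a connection shows up as a change after the first result. SAMPLE_RESPONSES and ReplaySocket are constructed stand-ins so the script runs offline; against a real setup you would pass a socket from socket.create_connection() to probe_keepalive() instead.

```python
# Constructed sample: a backend's two replies on one keep-alive connection when
# only the first request carried X-Forwarded-Proto: https (200, then a 302).
SAMPLE_RESPONSES = (
    b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: keep-alive\r\n\r\nok"
    b"HTTP/1.1 302 FOUND\r\nLocation: https://beta.mysite.com/private/\r\n"
    b"Content-Length: 0\r\nConnection: keep-alive\r\n\r\n"
)

class ReplaySocket:
    """In-memory socket stand-in: records what was sent, replays canned bytes."""
    def __init__(self, data):
        self.data, self.sent = data, []
    def sendall(self, buf):
        self.sent.append(buf)
    def recv(self, n):
        chunk, self.data = self.data[:n], self.data[n:]
        return chunk

def _closed():
    raise ConnectionError("peer closed the connection early")

def recv_response(sock, pending=b""):
    """Read one HTTP/1.1 response (Content-Length bodies only, no chunked).
    Returns (status, {lowercased header: value}, unread bytes for the next one)."""
    buf = pending
    while b"\r\n\r\n" not in buf:
        buf += sock.recv(4096) or _closed()
    head, rest = buf.split(b"\r\n\r\n", 1)
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # first ':' only; URLs keep theirs
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    while len(rest) < length:
        rest += sock.recv(4096) or _closed()
    return int(lines[0].split()[1]), headers, rest[length:]

def probe_keepalive(sock, host, path, count):
    """Send `count` identical GETs on one open connection and return the
    (status, Location) pair seen for each. Every request should get the same
    answer; a proxy that only rewrites the first request on a connection
    produces a different pair from element 1 onwards."""
    results, pending = [], b""
    for _ in range(count):
        sock.sendall(f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
                     "Connection: keep-alive\r\n\r\n".encode())
        status, headers, pending = recv_response(sock, pending)
        results.append((status, headers.get("location")))
    return results
```

Run against the sample it returns [(200, None), (302, 'https://beta.mysite.com/private/')], i.e. the second request on the connection was handled differently; on HAProxy 1.4/1.5-dev the usual cause of that pattern is the default tunnel mode, in which only the first request of a connection is analysed unless `option http-server-close` or `option httpclose` is set.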