redirect http to https and to full URL on HAProxy

moh10ly · Feb 17, 2022, 9:16 PM

Hi,
I am currently using HAProxy to publish few websites however, I am struggling with one website that only accepts connections if the URL is written in full.

URL is http://hostname.domain.com/cgi-bin/mps/index.cgi

I did http request redirect scheme to https and this works fine but I still have to type the entire URL in order to get to the website.

Is it possible to write a redirection rule in HAProxy that redirects http to https and redirects users to the full URL ?

for example user types hostname.domain.com in their browser and it takes them to
https://hostname.domain.com/cgi-bin/tps/index.cgi

Thank you

stephenw10 · Feb 18, 2022, 1:00 AM

Yes, in general, you can do that but can get ugly. If you overmatch you can end up redirecting to that page everytime and have users unable to reach any other page.
It's probably better to redirect on the backend if you can IMO.

Steve

moh10ly · Feb 18, 2022, 8:53 AM

@stephenw10 so in the Backend I would redirect the url and in front-end i'd do the http/https scheme change?

stephenw10 · Feb 18, 2022, 1:33 PM

Yes, that's what I would try first.

viragomann · Feb 18, 2022, 1:44 PM

@stephenw10
Hi,
I'm actually also looking for a possibility to redirect http to https on HAproxy and found this guide in the web for doing it in the frontend: https://techoverflow.net/2021/10/26/how-to-setup-pfsense-haproxy-http-to-https-redirect/

I configured this in a test environment for a web application and cannot see any issue.
So should there be any drawback with that?

stephenw10 · Feb 18, 2022, 2:51 PM

That's fine. Redirceting http to https is not normally an issue.
Where I have seen people run into problems is redirecting to a specific URL. It's easy to end up redirecting everything to that one page leaving users unable to reach other pages.
It's been a while since I last saw that though. The details are not fresh!

Steve

moh10ly · Feb 18, 2022, 6:28 PM

@stephenw10 I tried redirecting on the backend but it didn't work unfortunately. nothing happens when I type the fqdn as is in the browser.

I am using ACL host starts with .. FQDN
Actions : http-request redirect rule: code 301 location /cgi/tps/index.cgi.

it gave connection timeout and didn't change the scheme http/https

stephenw10 · Feb 18, 2022, 9:37 PM

Sorry I meant actually on the target server. Doing it anywhere in HAProxy is liable to get you redirecting too much, which is probably what's happening there.

Steve

viragomann · Feb 18, 2022, 11:09 PM

@stephenw10 said in redirect http to https and to full URL on HAProxy:

Sorry I meant actually on the target server.

That's what I did before setting up HAproxy. But in conjunction with HAproxy and SSL offloading that seems to be a bad idea.
HAproxy sends http requests to the backend and the backend instruct the browser to redirect it to https. Consequently that is repeating all the time and no page is loaded.

stephenw10 · Feb 19, 2022, 12:07 AM

Yeah, you wouldn't want to do that because the backend/frontend need to stay the same protocol.

But if you want to be able to enter fqdn.com and have that redirect to www.fqdn.com/home/somepage.htm you should be able to. And doing it there prevents HAProxy accidentally overmatching.

Steve