HAProxy Port 80 Only for Let's Encrypt

  • Hello,

    I set up HAProxy to manage traffic from one public IP to multiple server backends quite a while back, and it has been working excellently ever since.

    One thing that has become an issue is Let's Encrypt requests on port 80. This would be servers using the http-01 method of authentication.

    I have HAProxy redirecting HTTP requests on port 80 to HTTPS on port 443. Only requests that are not matched in the frontend port 80 rule are redirected.

    Is there something I can add to this frontend that would allow only requests that begin with http://url/.well-known/acme-challenge/*... not to be redirected?

    To get around this, I've just been giving my backend servers a direct public IP every time they won't renew behind the HAProxy.

    Here is my config:

    # Automaticaly generated, dont edit manually.
    # Generated on: 2018-04-04 19:46
    global
    	maxconn			100
    	log			/var/run/log	local0	info
    	stats socket /tmp/haproxy.socket level admin  expose-fd listeners
    	gid			80
    	nbproc			1
    	nbthread			1
    	hard-stop-after		15m
    	chroot				/tmp/haproxy_chroot
    	daemon
    	server-state-file /tmp/haproxy_server_state
    
    listen HAProxyLocalStats
    	bind 127.0.0.1:444 name localstats
    	mode http
    	stats enable
    	stats admin if TRUE
    	stats uri /haproxy/haproxy_stats.php?haproxystats=1
    	timeout client 5000
    	timeout connect 5000
    	timeout server 5000
    
    frontend Frontend2-SNI
    	bind			public-ip:443 name public-ip:443   
    	mode			tcp
    	log			global
    	maxconn			20
    	timeout client		30000
    	tcp-request inspect-delay	5s
    	acl			ucrmsni1	req.ssl_sni -i ucrm.url.root
    	acl			unmssni1	req.ssl_sni -i unms.url.root
    	acl			nextcloudsni1	req.ssl_sni -i nextcloud.url.root
    	acl			portfoliosni1	req.ssl_sni -i url.root
    	acl			dsmsni1	req.ssl_sni -i dsm.url.root
    	tcp-request content accept if { req.ssl_hello_type 1 }
    
    	use_backend ucrm_https_ipv4  if  ucrmsni1 
    	use_backend unms_https_ipv4  if  unmssni1 
    	use_backend nextcloud_https_ipv4  if  nextcloudsni1 
    	use_backend portfolio_https_ipv4  if  portfoliosni1 
    	use_backend dsm_https_ipv4  if  dsmsni1 
    	default_backend Frontend3offload_https_ipv4
    
    frontend Frontend1-http
    	bind			public-ip:80 name public-ip:80   
    	mode			http
    	log			global
    	option			http-keep-alive
    	maxconn			20
    	timeout client		30000
    	acl			trechACL	hdr_sub(host) -i www.url2.root
    	acl			httpRedirectACL	hdr_sub(host) -i www.url2.root
    	http-request redirect scheme https  if  !httpRedirectACL 
    	use_backend trech_http_ipvANY  if  trechACL 
    
    backend ucrm_https_ipv4
    	mode			tcp
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	source ipv4@ usesrc clientip
    	option			httpchk OPTIONS / 
    	server			ucrm 10.0.0.5:443 check-ssl check inter 1000  weight 1 verify none 
    
    backend unms_https_ipv4
    	mode			tcp
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	source ipv4@ usesrc clientip
    	option			httpchk HEAD / 
    	server			unms 10.0.0.13:443 check-ssl check inter 1000  weight 1 verify none 
    
    backend nextcloud_https_ipv4
    	mode			tcp
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	option			httpchk OPTIONS / 
    	server			nextcloud 10.0.0.14:443 check-ssl check inter 1000  weight 1 verify none 
    
    backend portfolio_https_ipv4
    	mode			tcp
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	option			httpchk OPTIONS / 
    	server			portfolio 10.0.0.45:443 check-ssl check inter 1000  weight 1 verify none 
    
    backend dsm_https_ipv4
    	mode			tcp
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	source ipv4@ usesrc clientip
    
    backend Frontend3offload_https_ipv4
    	mode			tcp
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    
    backend trech_http_ipvANY
    	mode			http
    	log			global
    	timeout connect		30000
    	timeout server		30000
    	retries			3
    	option			httpchk OPTIONS / 
    	server			trech 10.0.0.50:80 check inter 1000  weight 1
    
  • Perhaps you could add an ACL? 'Path starts with' : '/.well-known…..'
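What that suggestion looks like in the raw HAProxy configuration, as an added example that is not part of either post and not configuration generated by pfSense. It reuses the port-80 frontend from the question; the `acmeACL`/`*Host` ACL names, the `*_acme_http` backends and the assumption that the origin servers answer the http-01 challenge on plain port 80 are all mine. A 'Path starts with' ACL in the pfSense package corresponds to the `path_beg` line.

```haproxy
# Added example: port-80 frontend from the question with an http-01 exception.
# ACL names, the *_acme_http backends and the origins' port 80 are assumptions.
frontend Frontend1-http
	bind			public-ip:80 name public-ip:80
	mode			http
	log			global
	option			http-keep-alive
	maxconn			20
	timeout client		30000

	# Prefix match on the request path: only the challenge path is exempted
	# from the redirect, everything else on port 80 is still sent to HTTPS.
	acl			acmeACL		path_beg /.well-known/acme-challenge/
	acl			trechACL	hdr_sub(host) -i www.url2.root

	# Route the challenge to the origin that is renewing, keyed on the Host
	# header (hdr(host) with -i is an exact, case-insensitive comparison).
	acl			ucrmHost	hdr(host) -i ucrm.url.root
	acl			nextcloudHost	hdr(host) -i nextcloud.url.root

	# http-request rules are evaluated before any use_backend line, whatever
	# their order in the file, so the redirect itself must exclude acmeACL.
	http-request redirect scheme https  if  !trechACL !acmeACL

	use_backend ucrm_acme_http       if  acmeACL ucrmHost
	use_backend nextcloud_acme_http  if  acmeACL nextcloudHost
	use_backend trech_http_ipvANY    if  trechACL

# Plain-HTTP backends used only for the challenge path. The existing
# *_https_ipv4 backends are TCP/443 passthrough and cannot serve http-01.
backend ucrm_acme_http
	mode			http
	log			global
	timeout connect		30000
	timeout server		30000
	server			ucrm 10.0.0.5:80

backend nextcloud_acme_http
	mode			http
	log			global
	timeout connect		30000
	timeout server		30000
	server			nextcloud 10.0.0.14:80
```

The same pair of lines (a `*Host` ACL plus a `use_backend ... if acmeACL *Host`) is repeated for each further SNI backend in the question. Keeping the exemption to the exact challenge prefix means the plain-HTTP backends only ever see validation requests; application traffic on port 80 keeps being redirected as before, and a renewal no longer needs a direct public IP on the origin.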