HAProxy Port 80 Only for Let's Encrypt
-
Hello,
I set up HAProxy to manage traffic from one public IP to multiple server backends quite a while back, and it has been working excellently ever since.
One thing that has become an issue is Let's Encrypt requests on port 80. This would be servers using the http-01 method of authentication.
I have HAProxy redirecting http requests to https port 443 using port 80. Only requests that are not matched in the front end port 80 rule are redirected.
Is there something I can add to this frontend so that only requests beginning with http://url/.well-known/acme-challenge/*... are not redirected?
To get around this, I've just been giving my backend servers a direct public IP every time they won't renew behind the HAProxy.
Here is my config:
    # Automaticaly generated, dont edit manually.
    # Generated on: 2018-04-04 19:46
    global
        maxconn 100
        log /var/run/log local0 info
        stats socket /tmp/haproxy.socket level admin expose-fd listeners
        gid 80
        nbproc 1
        nbthread 1
        hard-stop-after 15m
        chroot /tmp/haproxy_chroot
        daemon
        server-state-file /tmp/haproxy_server_state

    listen HAProxyLocalStats
        bind 127.0.0.1:444 name localstats
        mode http
        stats enable
        stats admin if TRUE
        stats uri /haproxy/haproxy_stats.php?haproxystats=1
        timeout client 5000
        timeout connect 5000
        timeout server 5000

    frontend Frontend2-SNI
        bind public-ip:443 name public-ip:443
        mode tcp
        log global
        maxconn 20
        timeout client 30000
        tcp-request inspect-delay 5s
        acl ucrmsni1 req.ssl_sni -i ucrm.url.root
        acl unmssni1 req.ssl_sni -i unms.url.root
        acl nextcloudsni1 req.ssl_sni -i nextcloud.url.root
        acl portfoliosni1 req.ssl_sni -i url.root
        acl dsmsni1 req.ssl_sni -i dsm.url.root
        tcp-request content accept if { req.ssl_hello_type 1 }
        use_backend ucrm_https_ipv4 if ucrmsni1
        use_backend unms_https_ipv4 if unmssni1
        use_backend nextcloud_https_ipv4 if nextcloudsni1
        use_backend portfolio_https_ipv4 if portfoliosni1
        use_backend dsm_https_ipv4 if dsmsni1
        default_backend Frontend3offload_https_ipv4

    frontend Frontend1-http
        bind public-ip:80 name public-ip:80
        mode http
        log global
        option http-keep-alive
        maxconn 20
        timeout client 30000
        acl trechACL hdr_sub(host) -i www.url2.root
        acl httpRedirectACL hdr_sub(host) -i www.url2.root
        http-request redirect scheme https if !httpRedirectACL
        use_backend trech_http_ipvANY if trechACL

    backend ucrm_https_ipv4
        mode tcp
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        source ipv4@ usesrc clientip
        option httpchk OPTIONS /
        server ucrm 10.0.0.5:443 check-ssl check inter 1000 weight 1 verify none

    backend unms_https_ipv4
        mode tcp
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        source ipv4@ usesrc clientip
        option httpchk HEAD /
        server unms 10.0.0.13:443 check-ssl check inter 1000 weight 1 verify none

    backend nextcloud_https_ipv4
        mode tcp
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        option httpchk OPTIONS /
        server nextcloud 10.0.0.14:443 check-ssl check inter 1000 weight 1 verify none

    backend portfolio_https_ipv4
        mode tcp
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        option httpchk OPTIONS /
        server portfolio 10.0.0.45:443 check-ssl check inter 1000 weight 1 verify none

    backend dsm_https_ipv4
        mode tcp
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        source ipv4@ usesrc clientip

    backend Frontend3offload_https_ipv4
        mode tcp
        log global
        timeout connect 30000
        timeout server 30000
        retries 3

    backend trech_http_ipvANY
        mode http
        log global
        timeout connect 30000
        timeout server 30000
        retries 3
        option httpchk OPTIONS /
        server trech 10.0.0.50:80 check inter 1000 weight 1
-
Perhaps you could add an ACL? 'Path starts with' : '/.well-known…..'
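As an added example (not posted by either participant), here is the port 80 frontend from the original config with the path-based ACL the reply suggests. Because the 443 frontend is TCP/SNI passthrough, every backend terminates its own TLS, so each one must be able to receive its own http-01 challenge; the example therefore routes challenge requests to the right origin by Host header. The four `*_acme_http` backends and the assumption that each origin answers the challenge on plain port 80 (its web server or the ACME client's standalone listener) are mine, not from the thread; hostnames and addresses are the ones in the post.

```haproxy
frontend Frontend1-http
    bind public-ip:80 name public-ip:80
    mode http
    log global
    option http-keep-alive
    maxconn 20
    timeout client 30000

    # Rules from the original post: this host is served over plain HTTP
    acl trechACL hdr_sub(host) -i www.url2.root
    acl httpRedirectACL hdr_sub(host) -i www.url2.root

    # Only the http-01 challenge path is exempted from the redirect.
    # Everything else on port 80 still goes to https.
    acl acme_challenge path_beg -i /.well-known/acme-challenge/

    # Exact Host matches (hdr, not hdr_sub) so that "url.root" does not
    # also match every "*.url.root" name. Hostnames taken from the post.
    acl host_ucrm      hdr(host) -i ucrm.url.root
    acl host_unms      hdr(host) -i unms.url.root
    acl host_nextcloud hdr(host) -i nextcloud.url.root
    acl host_portfolio hdr(host) -i url.root

    # Both conditions are ANDed: redirect unless it is the plain-HTTP site
    # or an ACME challenge.
    http-request redirect scheme https code 301 if !httpRedirectACL !acme_challenge

    # Challenge requests go to the origin that is renewing; an unknown Host
    # on the challenge path matches nothing and gets HAProxy's 503.
    use_backend ucrm_acme_http      if acme_challenge host_ucrm
    use_backend unms_acme_http      if acme_challenge host_unms
    use_backend nextcloud_acme_http if acme_challenge host_nextcloud
    use_backend portfolio_acme_http if acme_challenge host_portfolio
    use_backend trech_http_ipvANY   if trechACL

# Assumed (hypothetical) backends: each origin listens on port 80 for the challenge.
backend ucrm_acme_http
    mode http
    timeout connect 30000
    timeout server 30000
    server ucrm 10.0.0.5:80

backend unms_acme_http
    mode http
    timeout connect 30000
    timeout server 30000
    server unms 10.0.0.13:80

backend nextcloud_acme_http
    mode http
    timeout connect 30000
    timeout server 30000
    server nextcloud 10.0.0.14:80

backend portfolio_acme_http
    mode http
    timeout connect 30000
    timeout server 30000
    server portfolio 10.0.0.45:80
```

Two practical notes. The file in the post is generated by the pfSense HAProxy package and is overwritten on every apply, so the ACL and the redirect condition have to be entered through the package's frontend ACL/action settings rather than pasted into the file; the lines above are what those settings produce. To confirm the exemption before the next renewal, request a constructed path such as `http://ucrm.url.root/.well-known/acme-challenge/test` with `curl -I`: the answer should come from the origin (typically a 404 for a token that does not exist) rather than a 301 to https, while `curl -I http://ucrm.url.root/` should still return the redirect.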