HAProxy: https redirect frontend not working
-
I am having difficulty getting a frontend to redirect http to https. I have read the HAProxy documentation and many tutorials/forum posts on how to do this. My frontend should be working according to all of that, but it does not. My Frontend for HTTPS works just fine and works correctly with the backends.
Here is my redirect frontend:
I have ports open in the firewall.
The way I have been testing is that I use my phone, not on Wi-Fi, to ensure I am accessing the website externally. I use the Chrome browser with an Incognito tab because the Chrome standard operation will switch to HTTPS from HTTP, but not in Incognito tabs. I have also tested using the DuckDuckGo browser. The https version of my site works fine, but the http version times out.
I am operating under the following assumption, which may be wrong. When HAProxy gets an http request, the http frontend should redirect to the https version. This will hit the HTTPS frontend and work as if https was used in the browser. In fact, the browser URL should change to show that.
I have tried a redirect rule with the following as well with no success:
scheme https code 301
scheme https unless { ssl_fc }
scheme https code 301 unless { ssl_fc }
Any help would be appreciated.
-
@gctworks
You have to connect the rule with an ACL.
Create an ACL which detects if the HTTPS protocol is used and state it in the rule.
Mine looks like this:
And the rule in which it is used:
-
@viragomann Thank you for the help. Unfortunately, that had no effect.
Here is my frontend:
Any other ideas?
-
@gctworks
What exactly do you get in the browser?
Are you sure that http requests are hitting HAProxy?
Possibly there is still a NAT rule enabled, which forwards port 80?
-
@viragomann I get ERR_CONNECTION_TIMED_OUT in the browser.
There are no port forward rules for port 80. Just the firewall rules I posted above.
When I enter http://www.<mydomain>.com in the browser and watch the firewall states, it is hitting the pass rule.
How can I tell if the http request is hitting HAProxy?
-
@gctworks said in HAProxy: https redirect frontend not working:
I get ERR_CONNECTION_TIMED_OUT in the browser.
That's strange. The frontend looks ok.
If you open the dev tools in the browser and enter https://www.<mydomain>.com, don't you get a 302 at first?
And your site is accessible under https://www.<mydomain>.com?
If the port 80 rule is hit, the packets must go to HAproxy, if they are not forwarded.
Do you possibly have WebGUI redirect enabled (System > Advanced > Admin Access)?
What's in haproxy.cfg for the concerned frontend?
-
@viragomann I will need some time to try out the dev tools in the browser because I can only easily test with my phone browser externally. I will try to test it later and get back to you.
As for your other questions:
Yes, the site is perfectly accessible under https://www.<mydomain>.com. It hits the other frontend to handle that and link to the appropriate backend.
The WebGUI redirect option was not checked. I checked it. There is no change in behavior.
haproxy.cfg
frontend http
    bind my.ext.ip.add:80 name my.ext.ip.add:80
    mode http
    log global
    option http-keep-alive
    option forwardfor
    acl https ssl_fc
    http-request set-header X-Forwarded-Proto http if !https
    http-request set-header X-Forwarded-Proto https if https
    timeout client 30000
    acl noSSL ssl_fc
    http-request redirect scheme https if !noSSL
-
@gctworks
That's quite similar to mine, and this works perfectly.
The only obvious difference is that I've both ports, 80 and 443, within a single frontend. Hence I've also stated a default backend, the SSL certificate and advanced SSL options.
Maybe try to state the default backend, even if it should not be used.
-
@viragomann Oh man! So, I finally figured out the problem. You were correct from the beginning. In fact, nearly every scenario we tried works.
The problem had nothing to do with my setup. My ISP decided to up and block port 80 all of a sudden without telling me. I figured this out by going back to basics. I started up a simple webserver that listened to port 80 and just forwarded directly to that server. Worked on most every other port except 80. Spent 3 hours on the phone with my ISP to get this fixed.
All works now.
I really appreciate the help. I did learn a few things along the way, so not a total waste of time.
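
An added example, not part of the thread or any poster's code: a small probe for the question raised above ("How can I tell if the http request is hitting HAProxy?"). It separates a dropped connection, which is what ERR_CONNECTION_TIMED_OUT indicates, from a refused one and from a working https redirect. The function name and verdict strings are chosen here for illustration; run it from a network outside the firewall.

```python
import http.client
import socket
import sys

# Redirect status codes HAProxy's "redirect ... code" accepts (302 is its default).
REDIRECT_CODES = (301, 302, 303, 307, 308)

def probe_redirect(host, port=80, path="/", timeout=5.0):
    """Send one plain-HTTP GET and classify what answered.

    Returns (verdict, detail) where verdict is one of:
      "timeout"     no TCP answer: packets are dropped before reaching any
                    listener (upstream/ISP filter or a firewall drop rule)
      "refused"     host reachable, but nothing is bound to the port
      "redirect"    a listener answered with a redirect to an https:// URL
      "no-redirect" a listener answered, but did not redirect to https
      "error"       any other network or protocol failure
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
    except socket.timeout:
        return "timeout", "no response within %.1fs" % timeout
    except ConnectionRefusedError:
        return "refused", "connection refused: nothing listening"
    except (OSError, http.client.HTTPException) as exc:
        return "error", repr(exc)
    finally:
        conn.close()
    location = resp.getheader("Location", "")
    if resp.status in REDIRECT_CODES and location.startswith("https://"):
        return "redirect", "%d -> %s" % (resp.status, location)
    return "no-redirect", "HTTP %d, Location=%r" % (resp.status, location)

if __name__ == "__main__":
    # Usage: python probe.py <hostname> [port]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
    print(probe_redirect(target, target_port))
```

A `timeout` verdict on port 80 while the same host answers on other ports points at filtering in front of the listener rather than at the frontend's redirect rule.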