Haproxy 1.4 content isn't secure

  • dear all,

    i have installed haproxy 1.4 in front of 2 web servers for load balancing. In order to do that and since i use ssl, i have configured apache to accept the requests on port 443 and redirect them to another port (8080) where the haproxy is waiting. then haproxy redirects the connection to the app servers. this setup seems to work but when i open the web page of the load balancer there is a working about 'mixed content', and that there is unsecure http content transferred along with https and only when i click on 'disable protection on this page' i am able to see the full content.

    here is my config ->
    <virtualhost *:443="">SSLEngine on
    SSLProxyEngine on
    RewriteEngine On
    SSLCertificateFile /home/hap/certif.cer
    SSLCertificateKeyFile /home/hap/certif.key
    SSLCertificateChainFile /home/hap/certif.crt
    ProxyPass /
    ProxyPassReverse /
    <proxy http:="""" *="">Allow from all</proxy></virtualhost>

    maxconn 4096
    user haproxy
    group haproxy
    spread-checks 5 # 5%

    uncomment this to get debug output


    log global
    mode http

    option httplog

    option dontlognull
    retries 3
    option redispatch
    maxconn 2000
    contimeout 5000
    clitimeout 50000
    srvtimeout 50000

    frontend web
    bind *:8080
    mode http
    default_backend app1

    backend app1
    mode http
    option httpclose
    balance roundrobin
    cookie SRVID insert indirect nocache
    option nolinger
    option httpchk GET / HTTP/1.0\r\nUser-Agent:\ HAProxy

    server app1_1 cookie app1_1 check inter 10s rise 2 fall 2
    server app1_2 cookie app1_2 check inter 10s rise 2 fall 2

    could anyone provide any input on why this is happening and how it could be resolved?

    thank you in advance

  • Are there img, link, or script tags on your content which contain "http://"?  If so, that's the issue.

  • Indeed like Jason writes its likely the page contains contents that it tries to read contents from http://something..  you might also want to give haproxy-devel a try as it natively supports ssl. And also as a possible workaround if the webserver url generation cannot be changed can have the backend connection created over ssl to the webservers.

Log in to reply