HAProxy (devel) Package - Redirect to https
-
Hi there,
is there any chance to force redirecting connections to https like you would with
"redirect scheme https code 301 if !{ ssl_fc }" ??
How could you accomplish this?
thanks a lot =)
-
hi badger,
For the moment you will have to write this in the "Advanced pass thru" section of a frontend. There you could also add a second bind line for listening on :80, so you only need the https :443 frontend configured in the webgui.
Greets PiBa-NL
-
Hello, I am facing the same issue, and even with the "redirect" option it doesn't seem to redirect at all. So I guess I must be missing something, if someone could tell me what?
Here is the frontend configuration I am using:
```
frontend ha-ppsrvprx
    bind 151.80.183.233:80 name 151.80.183.233:80
    bind 151.80.183.233:443 name 151.80.183.233:443
    redirect scheme https if !{ ssl_fc }
    mode tcp
    log global
    option tcplog
    maxconn 64
    timeout client 50000
    default_backend pool-SRV_tcp_ipvANY
```
But when I browse to the website on HTTP, there is no redirection, just a reset.
Here is the backend configuration:
```
backend pool-SRV_tcp_ipvANY
    mode tcp
    balance roundrobin
    timeout connect 5000
    timeout server 50000
    retries 3
    server server1 172.16.0.1:443 check-ssl check inter 1000 weight 10 verify none
    server server1 172.16.0.2:443 check-ssl check inter 1000 weight 20 verify none
```
Nicolas
-
If you want to receive both :80 and :443 on one frontend, then ssl-offloading is required on the 443 bind. For that to work check the checkbox behind the bind listen definition. And configure the appropriate offloading certificates in haproxy. Also setting the mode to http is needed for haproxy to 'understand' the http traffic.
If you don't want to use offloading, then configuring a second 'http' frontend is required.
-
All right, that makes sense, thank you.
So if I want to set up a permanent redirect on the firewall, but not using SSL offloading (say I want to manage the SSL part on my backend proxies), I need to:
1/ Set up two frontends, one for port 80 and the other for port 443
2/ Configure both as "http/https(offloading)" type
3/ Uncheck the "SSL offloading" box on the external address line
4/ Put an advanced pass thru configuration on the port 80 frontend which says
```
redirect scheme https code 301 if !{ ssl_fc }
```
Is that correct?
-
If you don't want to use offloading for https then don't select it, and do not select 'https(offloading)'. So keep it on what you are probably using currently: 'https(tcp)'.
The :80 frontend needs to be set to 'http'. Where you can indeed add the redirect in the advanced pass thru.
-
Yes, it works indeed, thank you.
The only thing which is missing now is the IP address of the client.
I had it with the offloading setup, but now I guess since this is a TCP setup it's gone. Is there any way to get it on the backend servers (maybe with RPAF on Debian, it's an apache module)?
-
Without offloading it's not possible to read/modify the http traffic, so adding an x-forwarded-for header is not possible.
There are two other options:
1 - send-proxy
2 - source 0.0.0.0 usesrc clientip
1 you could add to the advanced field in the server definitions (must configure it on the webserver to expect this protocol change..)
2 in the backend you can select the checkbox "Transparent ClientIP", this comes however with several issues to take into consideration:
-webserver gateway must be pointing back to pfsense
-contacting the server directly will not work
-kernel module ipfw will be loaded
-
All right, I'll try the first option to see if it suits my needs :)
Thank you for your help.
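
What the "protocol change" of option 1 looks like on the backend side, as an added example that is not part of the original thread: with `send-proxy`, HAProxy prepends one PROXY protocol v1 text line to every backend connection, and the receiver must parse it and accept it only from the proxy, otherwise any host that reaches the port directly can claim an arbitrary client IP. The proxy address 172.16.0.254, the client address 203.0.113.7 and the function name are assumptions made for this example.

```python
import ipaddress

MAX_V1_LEN = 107  # longest v1 header the PROXY protocol allows, CRLF included
# Assumption: the pfSense/HAProxy box reaches the backend from 172.16.0.254
# (constructed address); it is the only peer allowed to send PROXY headers.
TRUSTED_PROXIES = {ipaddress.ip_address("172.16.0.254")}
# Constructed sample: header line followed by the first bytes of a TLS record.
SAMPLE = b"PROXY TCP4 203.0.113.7 151.80.183.233 51234 443\r\n\x16\x03\x01"


def parse_proxy_v1(data: bytes, peer_ip: str):
    """Return ((client_ip, client_port), remaining_bytes).

    The first element is None for "PROXY UNKNOWN". Raises ValueError when the
    peer is not a trusted proxy or the header is malformed.
    """
    if ipaddress.ip_address(peer_ip) not in TRUSTED_PROXIES:
        # Never honour a client-supplied address from an arbitrary peer.
        raise ValueError("PROXY header from untrusted peer")
    end = data.find(b"\r\n", 0, MAX_V1_LEN)
    if not data.startswith(b"PROXY ") or end == -1:
        raise ValueError("missing or oversized PROXY v1 header")
    fields = data[:end].decode("ascii").split(" ")
    rest = data[end + 2:]  # payload (here: the TLS handshake) starts after CRLF
    if fields[1] == "UNKNOWN":
        return None, rest
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("malformed PROXY v1 header")
    version = 4 if fields[1] == "TCP4" else 6
    src, dst = (ipaddress.ip_address(f) for f in fields[2:4])
    if src.version != version or dst.version != version:
        raise ValueError("address family mismatch")
    if not all(f.isdigit() for f in fields[4:6]):
        raise ValueError("non-numeric port")
    sport, dport = (int(f) for f in fields[4:6])
    if sport > 65535 or dport > 65535:
        raise ValueError("port out of range")
    return (str(src), sport), rest


if __name__ == "__main__":
    client, payload = parse_proxy_v1(SAMPLE, "172.16.0.254")
    print("real client:", client, "payload bytes:", len(payload))
```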