HAProxy (devel) Package - Redirect to https



  • Hi there,

    is there any chance to force redirecting connections to https like you would with

    "redirect scheme https code 301 if !{ ssl_fc }" ??

    How could you accomplish this?

    thanks a lot =)



  • hi badger,

    For the moment you will have to write this in the "Advanced pass thru" section of a frontend, where you could also add a second bind line for listening on :80, so you only need the https :443 frontend configured in the webgui.

    Greets PiBa-NL



  • Hello, I am facing the same issue, and even with the "redirect" option it doesn't seem to redirect at all. So I guess I must miss something, if someone could tell me what?

    Here is the frontend configuration I am using:

    
    frontend ha-ppsrvprx
            bind                    151.80.183.233:80 name 151.80.183.233:80
            bind                    151.80.183.233:443 name 151.80.183.233:443
            redirect scheme https if !{ ssl_fc }
            mode                    tcp
            log                     global
            option                  tcplog
            maxconn                 64
            timeout client          50000
            default_backend         pool-SRV_tcp_ipvANY
    
    

    But when I browse to the website on HTTP, there is no redirection, just a reset.

    Here is the backend configuration:

    
    backend pool-SRV_tcp_ipvANY
            mode                    tcp
            balance                 roundrobin
            timeout connect         5000
            timeout server          50000
            retries                 3
            server                  server1 172.16.0.1:443 check-ssl check inter 1000  weight 10 verify none
            server                  server1 172.16.0.2:443 check-ssl check inter 1000  weight 20 verify none
    
    

    Nicolas



  • If you want to receive both :80 and :443 on one frontend, then ssl-offloading is required on the 443 bind. For that to work, check the checkbox behind the bind listen definition, and configure the appropriate offloading certificates in haproxy. Also, setting the mode to http is needed for haproxy to 'understand' the http traffic.

    If you don't want to use offloading, then configuring a second 'http' frontend is required.



  • All right, that makes sense, thank you.

    So if I want to set up a permanent redirect on the firewall, but not using SSL offloading (say I want to manage the SSL part on my backend proxies), I need to:

    1/ Set up two frontends, one for port 80 and the other for port 443
    2/ Configure both as "http/https(offloading)" type
    3/ Uncheck the "SSL offloading" box on the external address line
    4/ Put an advanced pass thru configuration on the port 80 frontend which says:

        redirect scheme https code 301 if !{ ssl_fc }

    
    Is that correct?


  • If you don't want to use offloading for https then don't select it, and do not select 'https(offloading)'. So keep it on what you are probably using currently: 'https(tcp)'.

    The :80 frontend needs to be set to 'http'. Where you can indeed add the redirect in the advanced pass thru.



  • Yes, it works indeed, thank you.

    The only thing which is missing now is the IP address of the client.
    I had it with the offloading setup, but now I guess since this is a TCP setup it's gone.

    Is there any way to get it on the backend servers (maybe with RPAF on Debian, it's an apache module)?



  • Without offloading it's not possible to read/modify the http traffic, so adding an x-forwarded-for header is not possible.

    There are two other options:
    1 - send-proxy
    2 - source 0.0.0.0 usesrc clientip

    1 you could add to the advanced field in the server definitions (must configure it on the webserver to expect this protocol change..)

    2 in the backend you can select the checkbox "Transparent ClientIP", this comes however with several issues to take into consideration:
    -webserver gateway must be pointing back to pfsense
    -contacting the server directly will not work
    -kernel module ipfw will be loaded



  • All right, I'll try the first option to see if it suits my needs :)

    Thank you for your help.
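
The setup the thread arrives at, written out as one haproxy configuration. This is an added example, not a configuration posted by anyone in the thread: the section names, the 192.0.2.10 listen address and the server names are placeholders, and the backend addresses are reused from the question above.

```haproxy
# Added example; names and the 192.0.2.10 address are placeholders.
defaults
    timeout connect 5s
    timeout client  50s
    timeout server  50s

# Port 80: mode http, so haproxy parses the request and can answer with a 301.
# In mode tcp the redirect rule cannot be applied, which is why the single
# tcp frontend in the thread never redirected.
frontend fe_http_redirect
    bind 192.0.2.10:80
    mode http
    # ssl_fc is always false on this plain-text bind, so every request is redirected.
    redirect scheme https code 301 if !{ ssl_fc }

# Port 443: mode tcp, no offloading. TLS is passed through untouched and
# terminated on the backend servers.
frontend fe_https_passthrough
    bind 192.0.2.10:443
    mode tcp
    option tcplog
    default_backend be_tls_servers

backend be_tls_servers
    mode tcp
    balance roundrobin
    # send-proxy prepends a PROXY protocol line carrying the client address,
    # since no X-Forwarded-For header can be added to encrypted traffic.
    # The web server must be configured to expect this line, and should
    # accept it only from the haproxy address, because any client that can
    # reach the server directly could otherwise claim an arbitrary source IP.
    server web1 172.16.0.1:443 check check-ssl verify none send-proxy
    server web2 172.16.0.2:443 check check-ssl verify none send-proxy
```

With `send-proxy` set and no separate check port or address, haproxy also sends the PROXY line on health checks, so the checks keep working once the web server requires it.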

