Netgate Discussion Forum
    HAProxy (devel) Package - Redirect to https

    9 Posts 3 Posters 8.4k Views
    badger:

      Hi there,

      Is there any chance to force a redirect of connections to https, like you would with

      "redirect scheme https code 301 if !{ ssl_fc }"?

      How could you accomplish this?

      thanks a lot =)

      PiBa:

        hi badger,

        For the moment you will have to write this in the "Advanced pass thru" section of a frontend, where you could also add a second bind line for listening on :80, so you only need the https :443 frontend configured in the webgui.

        Greets PiBa-NL

        nikolaii:

          Hello, I am facing the same issue, and even with the "redirect" option it doesn't seem to redirect at all. So I guess I must be missing something; could someone tell me what?

          Here is the frontend configuration I am using:

          ```
          frontend ha-ppsrvprx
                  bind                    151.80.183.233:80 name 151.80.183.233:80
                  bind                    151.80.183.233:443 name 151.80.183.233:443
                  redirect scheme https if !{ ssl_fc }
                  mode                    tcp
                  log                     global
                  option                  tcplog
                  maxconn                 64
                  timeout client          50000
                  default_backend         pool-SRV_tcp_ipvANY
          ```

          But when I browse to the website on HTTP, there is no redirection, just a reset.

          Here is the backend configuration:

          ```
          backend pool-SRV_tcp_ipvANY
                  mode                    tcp
                  balance                 roundrobin
                  timeout connect         5000
                  timeout server          50000
                  retries                 3
                  server                  server1 172.16.0.1:443 check-ssl check inter 1000  weight 10 verify none
                  server                  server1 172.16.0.2:443 check-ssl check inter 1000  weight 20 verify none
          ```

          Nicolas

          PiBa:

            If you want to receive both :80 and :443 on one frontend, then ssl-offloading is required on the 443 bind. For that to work, check the checkbox behind the bind listen definition, and configure the appropriate offloading certificates in haproxy. Setting the mode to http is also needed for haproxy to 'understand' the http traffic.

            If you don't want to use offloading, then configuring a second 'http' frontend is required.

            nikolaii:

              All right, that makes sense, thank you.

              So if I want to set up a permanent redirect on the firewall, but not using SSL offloading (say I want to manage the SSL part on my backend proxies), I need to:

              1/ Set up two frontends, one for port 80 and the other for port 443
              2/ Configure both as "http/https(offloading)" type
              3/ Uncheck the "SSL offloading" box on the external address line
              4/ Put an advanced pass thru configuration on the port 80 frontend which says
              ```
              redirect scheme https code 301 if !{ ssl_fc }
              ```

              Is that correct?

              Nicolas

              PiBa:

                If you don't want to use offloading for https, then don't select it, and do not select 'https(offloading)'. So keep it on what you are probably using currently: 'https(tcp)'.

                The :80 frontend needs to be set to 'http', where you can indeed add the redirect in the advanced pass thru.

                nikolaii:

                  Yes, it works indeed, thank you.

                  The only thing which is missing now is the IP address of the client.
                  I had it with the offloading setup, but now I guess that since this is a TCP setup it's gone.

                  Is there any way to get it on the backend servers (maybe with RPAF on Debian, it's an apache module)?

                  Nicolas

                  PiBa:

                    Without offloading it's not possible to read/modify the http traffic, so adding an x-forwarded-for header is not possible.

                    There are two other options:
                    1 - send-proxy
                    2 - source 0.0.0.0 usesrc clientip

                    1: you could add this to the advanced field in the server definitions (you must configure the webserver to expect this protocol change..)

                    2: in the backend you can select the checkbox "Transparent ClientIP"; this comes however with several issues to take into consideration:
                    - webserver gateway must be pointing back to pfsense
                    - contacting the server directly will not work
                    - kernel module ipfw will be loaded

                    nikolaii:
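The following HAProxy frontend/backend fragment is an added example, not configuration from the thread or generated by the pfSense package. It pulls together the two-frontend layout PiBa describes (http on :80 with the redirect, tcp passthrough on :443) and the send-proxy option for passing the client address to the backend. Section and server names are constructed; the addresses are the ones quoted in the thread; the CA file path is a placeholder.

```haproxy
# Added example (not from the thread or the pfSense package).
# Names are constructed; addresses are the ones quoted in the thread.

# Port 80 must be mode http so HAProxy can parse the request and answer
# with a redirect. In mode tcp the 'redirect' line is ignored (HAProxy
# logs a warning at startup) and the client just sees the connection reset.
frontend http-in
    bind    151.80.183.233:80 name 151.80.183.233:80
    mode    http
    option  httplog
    timeout client 50000
    # ssl_fc is never true on a plain-text listener, so this always fires
    redirect scheme https code 301 if !{ ssl_fc }

# Port 443: TLS is terminated on the backend proxies, so this stays a
# plain TCP passthrough; nothing above layer 4 can be read or rewritten here.
frontend https-in
    bind    151.80.183.233:443 name 151.80.183.233:443
    mode    tcp
    option  tcplog
    timeout client 50000
    default_backend pool-SRV_tcp_ipvANY

backend pool-SRV_tcp_ipvANY
    mode    tcp
    balance roundrobin
    timeout connect 5000
    timeout server  50000
    retries 3
    # send-proxy prepends a PROXY protocol header carrying the original
    # client address to every connection; the backend listener must be
    # configured to expect it, otherwise it rejects the connection as garbage.
    # 'verify none' in the thread skips certificate validation for the
    # health check; pin the check to the CA the backends actually use instead.
    server  srv1 172.16.0.1:443 check check-ssl verify required ca-file /path/to/backend-ca.pem inter 1000 weight 10 send-proxy
    server  srv2 172.16.0.2:443 check check-ssl verify required ca-file /path/to/backend-ca.pem inter 1000 weight 20 send-proxy
    # Alternative from the thread ("Transparent ClientIP"): preserve the client
    # source address towards the servers. Only works when the servers route
    # their return traffic back through pfSense.
    # source 0.0.0.0 usesrc clientip
```

With send-proxy the backend sees the real client address in the PROXY header, so no X-Forwarded-For handling (or RPAF) is needed on the web server for that purpose.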

                      All right, I'll try the first option to see if it suits my needs :)

                      Thank you for your help.

                      Nicolas

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.