Apache Creating Non HTTPS Link When Using SSL Termination

@Magnetion wrote:

HAProxy noob here! Setup has been straight forward so far, but I have one issue I can not seem to solve. I am using SSL Termination with HAProxy and have that working. But, the Apache backends are creating non HTTPS links when serving pages, causing browsers to note something is up. I have thrown the sink at it so far, with no luck. Version is: HA-Proxy version 1.8.13-1ppa1~bionic 2018/08/01

Current config file:

global
log /dev/log local0
log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
stats timeout 30s
user haproxy
group haproxy
daemon
ssl-server-verify none
tune.ssl.default-dh-param 2048

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
log global
mode http
option httplog
option dontlognull
timeout connect 5000
timeout client 50000
timeout server 50000
errorfile 400 /etc/haproxy/errors/400.http
errorfile 403 /etc/haproxy/errors/403.http
errorfile 408 /etc/haproxy/errors/408.http
errorfile 500 /etc/haproxy/errors/500.http
errorfile 502 /etc/haproxy/errors/502.http
errorfile 503 /etc/haproxy/errors/503.http
errorfile 504 /etc/haproxy/errors/504.http

frontend www-http
bind *:80
bind *:443 ssl crt /etc/ssl/haproxy/XXXXXXX.pem

    option http-server-close
    http-request add-header X-Forwarded-Proto https
    http-request set-header X-SSL %[ssl_fc]
    http-response add-header Strict-Transport-Security max-age=31536000

    # Test URI to see if its a letsencrypt request
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl

    mode http
    default_backend apache

backend letsencrypt-backend
server letsencrypt 127.0.0.1:8888

backend apache
redirect scheme https if !{ ssl_fc }
mode http
balance roundrobin
option forwardfor
option httpclose
http-request add-header X-Forwarded-Proto https
http-request set-header X-SSL %[ssl_fc]
http-response add-header Strict-Transport-Security max-age=31536000

    server web1 cluster2-web-01:80
    server web2 cluster2-web-02:80

listen stats
bind :32700
stats enable
stats uri /
stats hide-version
stats auth XXX:XXX

Posts: 1

Participants: 1

Read full topic