Hi, I’m completely new to HAProxy so I apologize in advance if my questions are basic. I’ve been trying to enforce HTTP → HTTPS but it seems like HTTP traffic doesn’t even reach the web application.
Here is haproxy.cfg.
#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#
# http://www.haproxy.org/download/1.7/doc/configuration.txt
#
#---------------------------------------------------------------------
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # Process-wide settings: logging, privilege drop, chroot, admin socket and
    # the TLS defaults that every 'bind'/'server' line inherits.
    #
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events. This is done
    # by adding the '-r' option to the SYSLOGD_OPTIONS in
    # /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    # file. A line like the following can be added to
    # /etc/sysconfig/syslog
    #
    # local2.* /var/log/haproxy.log
    #
    # log 127.0.0.1 local2
    #
    # NOTE(review): the guidance above (stock example) talks about facility
    # local2 and a UDP listener; the active line below logs to the local
    # UNIX socket with facility *local0*. The syslog rule that writes
    # /var/log/haproxy.log must therefore select local0, otherwise entries
    # silently go elsewhere. Also, because the process is chrooted below,
    # confirm that log lines for HTTPS requests really do arrive -- on some
    # versions a UNIX log-socket path has to resolve inside the chroot.
    log /dev/log local0
    # Drop into an empty chroot after start-up so a compromise of the proxy
    # process cannot read the host filesystem (certificate files are loaded
    # before the chroot takes effect).
    chroot /var/lib/haproxy
    pidfile /var/run/haproxy.pid
    # Hard cap on concurrent connections for the whole process.
    maxconn 4000
    # Run unprivileged after binding the listening ports.
    user haproxy
    group haproxy
    daemon
    # turn on stats unix socket
    # NOTE(review): no 'mode'/'level'/'user' restrictions are given, so the
    # socket gets the defaults; since it can change server state, consider
    # restricting it (e.g. 'mode 600 level admin' or an operator-only level)
    # and keep it inside the chroot directory as done here.
    stats socket /var/lib/haproxy/stats
    # Include LetsEncrypt HTTP-01 validation method
    #lua-load /etc/haproxy/acme-http01-webroot.lua
    # set default parameters to the modern configuration from https://mozilla.github.io/server-side-tls/ssl-config-generator/
    # NOTE(review): this list still contains CBC suites (the *-SHA384 /
    # *-SHA256 entries at the end); current Mozilla "modern"/"intermediate"
    # profiles list AEAD (GCM/CHACHA20) suites only, so re-check the list
    # against the generator before relying on it being "modern".
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    # Only TLS 1.2 (and newer, if the library supports it) is accepted from
    # clients; session tickets are disabled so that resumption does not
    # depend on a long-lived ticket key.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    # Same policy for TLS connections HAProxy opens *to* backend servers
    # (none of the servers below currently use 'ssl', so this is inert today).
    ssl-default-server-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    ssl-default-server-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets
    # Finite-field DH parameters. NOTE(review): both cipher lists above contain
    # ECDHE suites only, so no DHE suite can be negotiated and these two
    # settings are effectively unused; the file, when given, takes precedence
    # over the default-dh-param fallback.
    tune.ssl.default-dh-param 4096
    ssl-dh-param-file /etc/pki/tls/dhparams.pem
#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    # Settings inherited by every frontend/backend below unless overridden.
    mode http
    log global
    # Log one line per HTTP request (not per TCP connection).
    option httplog
    # Do not log connections that carried no data (health probes, port scans).
    option dontlognull
    # Close the server-side connection after each response; the client side
    # may stay keep-alive.
    option http-server-close
    # Add X-Forwarded-For with the client address, except for loopback
    # clients. Backends should trust this header only because they are
    # reachable through this proxy alone (loopback ports and 172.16.0.154).
    option forwardfor except 127.0.0.0/8
    # If the chosen server is down, allow another server to be picked.
    option redispatch
    retries 3
    # Maximum time a client may take to send the complete request headers;
    # this bounds slow-header (slowloris-style) connections.
    timeout http-request 10s
    timeout queue 1m
    timeout connect 10s
    timeout client 1m
    timeout server 1m
    timeout http-keep-alive 10s
    timeout check 10s
    # Per-proxy connection cap (the global cap is 4000).
    maxconn 3000
#---------------------------------------------------------------------
# main frontend which proxys to the backends
#---------------------------------------------------------------------
frontend main
    # Single entry point for plain HTTP and TLS; terminates TLS, forces
    # HTTPS, sets HSTS and routes on the Host header.
    # bind *:443 ssl crt /etc/letsencrypt/live/roster.carpenoctem.co/haproxy.pem
    # bind *:443 ssl crt /etc/letsencrypt/live/carpenoctem.co/privkey.pem /etc/letsencrypt/live/cnto-arma.com/privkey.pem
    #
    # NOTE(review): if plain-HTTP requests leave *no* log line at all (as
    # described in the post), they are most likely never reaching this
    # listener -- check that nothing else owns :80 and that the host
    # firewall / cloud security group allows inbound 80, e.g. 'ss -ltnp'.
    bind :80
    # Two certificate bundles; the one presented is chosen by SNI, and
    # clients that send no SNI get a default (presumably the first 'crt' --
    # confirm). Note that roster.cnto.co (routed below) has no certificate
    # bound here.
    bind :443 ssl crt /etc/letsencrypt/live/carpenoctem.co/carpenoctem.co.pem crt /etc/letsencrypt/live/cnto-arma.com/cnto-arma.com.pem
    # Always overwrite X-Forwarded-Proto from the real connection state so a
    # client cannot inject its own value.
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    # Force HTTPS for every non-TLS request. This runs before backend
    # selection, so it covers all hosts; any ACME HTTP-01 rule (commented
    # below) must be placed *before* this line or challenges get redirected.
    http-request redirect scheme https code 301 unless { ssl_fc }
    # HSTS for every response. Browsers ignore this header when received over
    # plain HTTP, so setting it unconditionally is harmless.
    # NOTE(review): 'preload' + 'includeSubDomains' commits *every* subdomain
    # served here (priv, stats, rooster, ...) to HTTPS in browsers that ship
    # the preload list and is hard to undo; and 16000000 s (~185 days) is
    # below the one-year max-age the preload list requires for submission.
    http-response set-header Strict-Transport-Security "max-age=16000000; includeSubDomains; preload;"
    # acl url_acme_http01 path_beg /.well-known/acme-challenge/
    # http-request use-service lua.acme-http01 if METH_GET url_acme_http01
    # Host-based routing. hdr_dom matches on whole domain labels, so
    # roster.* and rooster.* below do not overlap.
    acl host_roster hdr_dom(host) roster.carpenoctem.co
    acl host_roster_cnto hdr_dom(host) roster.cnto.co
    use_backend roster if host_roster or host_roster_cnto
    acl host_priv hdr_dom(host) priv.carpenoctem.co
    use_backend priv if host_priv
    acl host_grafana hdr_dom(host) stats.carpenoctem.co
    use_backend grafana if host_grafana
    acl host_wordpress hdr_dom(host) cnto-arma.com
    use_backend wordpress if host_wordpress
    acl host_rooster hdr_dom(host) rooster.carpenoctem.co
    use_backend rooster if host_rooster
    # Any unmatched Host (including requests by bare IP) lands on 'default',
    # which points at the same server as 'roster' -- consider whether an
    # explicit 403/404 backend is preferable for unknown names.
    default_backend default
#---------------------------------------------------------------------
# backends
#---------------------------------------------------------------------
backend default
    # Catch-all for requests whose Host matched no ACL in 'frontend main';
    # same loopback upstream as 'backend roster'.
    server local_httpd 127.0.0.1:54268
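backend roster
    # Roster application (roster.carpenoctem.co / roster.cnto.co), served
    # from a loopback port; this is also the upstream of 'backend default'.
    server local_httpd 127.0.0.1:54268
    # The HTTP->HTTPS redirect and the Strict-Transport-Security header are
    # already applied for every request/response in 'frontend main', which
    # is evaluated before any backend is selected. The backend-level
    # 'redirect scheme https code 301 if !{ ssl_fc }' that used to be here
    # could therefore never fire (non-TLS requests never reach a backend),
    # and the second HSTS set-header only duplicated the frontend one; both
    # have been removed so the policy lives in exactly one place.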
backend priv
    # Only backend that is not on loopback. TLS is terminated at the proxy,
    # so this hop crosses the 172.16.0.0 network in clear text; if that
    # network is not fully trusted, add 'ssl verify required ca-file <ca>'
    # to the server line and serve TLS on the upstream instead.
    server priv 172.16.0.154:80
backend grafana
    # Grafana on its default local port, reachable only via stats.carpenoctem.co.
    server local_httpd 127.0.0.1:3000
backend wordpress
    # WordPress site for cnto-arma.com on a loopback port.
    server local_httpd 127.0.0.1:58080
backend rooster
    # rooster.carpenoctem.co on a loopback port. Note this is a different
    # host (and backend) from 'roster'; hdr_dom does not confuse the two.
    server local_httpd 127.0.0.1:8902
HTTPS requests (https://rooster.carpenoctem.co) work just fine, but http://rooster.carpenoctem.co times out completely in the browser. This should hit `backend rooster`.
/var/log/haproxy.log
shows no log entries when I try to use HTTP.
Any help is appreciated!