
HAProxy unable to redirect to HTTPS when terminating

@stoinov wrote:

This is a duplicate of my SO question. You can answer there too, to get the reputation. Hope this doesn’t violate some rule.

I wanted to set up HAProxy for two servers - one with passthrough, one with termination. I was able to do it with no previous experience of HAProxy, but I am unable to make HTTPS redirect for the terminating one - I get 502. Here is the config:

#Upgrades the passthrough and check for Let's Encrypt
frontend http_front
    bind :80
    option forwardfor
    acl host_s1 hdr(host) -i s1.example.com
    acl path_le path_beg -i /.well-known/acme-challenge/
    redirect scheme https code 301 if host_s1 !path_le
    use_backend acmetool if path_le
    default_backend http-back

#Handles the passthrough and loopsback to itself for other domains
frontend passthrough
    mode tcp
    bind :443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend service1 if { req_ssl_sni -i s1.example.com }
    default_backend https-back

#Loopback to handle the termination domains
frontend https-front
    bind 127.0.0.1:8443 ssl crt s2.example.com.pem
    option forwardfor
    reqdel X-Forwarded-Proto
    reqadd X-Forwarded-Proto:\ https if { ssl_fc }
    use_backend service2 if { req_ssl_sni -i s2.example.com }
    default_backend service2

#returns for second pass from HTTP
backend http-back
    server https-front 127.0.0.1:8443

#returns for second pass from HTTPS
backend https-back
    mode tcp
    server https-front 127.0.0.1:8443

backend service1
    mode tcp
    server service1 127.0.0.1:8888

backend service2
    #redirect scheme https code 301 if !{ ssl_fc }
    server server2 server2:80

backend acmetool
    server acmetool 127.0.0.1:81

Not sure if I need those reqdel/reqadd in https-front. Or if I have to do tcp-request again on the second pass for HTTPS.

Uncommenting the redirect on the backend does not help either.

I also had send-proxy-v2 to the initial backends with no change in the result. I am not experienced enough in either Linux or HAProxy to know how to use sockets, so I replaced them with ports for the loop-back. Would love to know if there is any difference in efficiency between them.
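
One way to restructure the redirect, as an added example that is not part of the original post: in the config above, `http-back` forwards cleartext HTTP from port 80 to 127.0.0.1:8443, whose `bind` line expects a TLS handshake, so the loopback connection fails and the client gets a 502. The version below redirects on port 80 instead and keeps the post's names; the explicit `mode http` lines and the PROXY-protocol pairing are assumptions, since the post shows no `defaults` section.

```haproxy
# Added example, not the poster's configuration.
# Assumption: HTTP proxies need "mode http" set here because the post
# shows no defaults section.

# Port 80: answer ACME challenges, redirect every other request to HTTPS.
# Nothing is forwarded in cleartext to the TLS listener, so http-back goes away.
frontend http_front
    mode http
    bind :80
    acl path_le path_beg -i /.well-known/acme-challenge/
    http-request redirect scheme https code 301 unless path_le
    use_backend acmetool if path_le

# Port 443: SNI routing in TCP mode, as in the post.
frontend passthrough
    mode tcp
    bind :443
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    use_backend service1 if { req_ssl_sni -i s1.example.com }
    default_backend https-back

# Loopback hop for terminated domains. send-proxy-v2 on the server line must
# be paired with accept-proxy on the bind line, otherwise the PROXY header is
# read as the start of the TLS handshake and the connection is dropped.
backend https-back
    mode tcp
    server https-front 127.0.0.1:8443 send-proxy-v2

# TLS termination. req_ssl_sni only works on the raw ClientHello, so it never
# matches here; after termination use ssl_fc_sni or the Host header instead.
frontend https-front
    mode http
    bind 127.0.0.1:8443 ssl crt s2.example.com.pem accept-proxy
    option forwardfor
    # Overwrites any client-supplied value; replaces the reqdel/reqadd pair.
    http-request set-header X-Forwarded-Proto https
    default_backend service2

backend service1
    mode tcp
    server service1 127.0.0.1:8888

backend service2
    mode http
    server server2 server2:80

backend acmetool
    mode http
    server acmetool 127.0.0.1:81
```

With `accept-proxy` in place, `option forwardfor` records the original client address rather than 127.0.0.1, which keeps the backend's access logs usable for investigation.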
