HAProxy redirects when it should not

@tamal wrote:

Hi,
I have the following haproxy config where I don’t want to redirect from http to https for /.well-known/acme-challenge/. But for all other paths I want to redirect from http to https. But it seems that it is getting redirected for all paths including /.well-known/acme-challenge/ . Can you help me understand what I am doing wrong here?

haproxy.cfg:
----
# HAProxy configuration generated by https://github.com/appscode/voyager
# DO NOT EDIT!
global
  daemon
  stats socket /tmp/haproxy
  server-state-file global
  server-state-base /var/state/haproxy/
  # log using a syslog socket
  log /dev/log local0 info
  log /dev/log local0 notice
  tune.ssl.default-dh-param 2048
  ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
defaults
  log global
  # https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4.2-option%20abortonclose
  # https://github.com/appscode/voyager/pull/403
  option dontlognull
  option http-server-close
  # Timeout values
  timeout client 50s
  timeout client-fin 50s
  timeout connect 50s
  timeout server 20m
  timeout tunnel 50s
  # Configure error files
  # default traffic mode is http
  # mode is overwritten in case of tcp services
  mode http
frontend http-0_0_0_0-80
  bind *:80
  mode http
  option httplog
  option forwardfor
  acl is_proxy_https hdr(X-Forwarded-Proto) https
  acl acl_:.well-known-acme-challenge path_beg /.well-known/acme-challenge/
  use_backend voyager-operator.voyager:56791 if  acl_:.well-known-acme-challenge
  acl acl_search-rpc-kube.example.com hdr(host) -i search-rpc-kube.example.com
  acl acl_search-rpc-kube.example.com hdr(host) -i search-rpc-kube.example.com:80
  use_backend production-rpc.production-rpc:80 if acl_search-rpc-kube.example.com
  acl acl_nextcloud.example.com hdr(host) -i nextcloud.example.com
  acl acl_nextcloud.example.com hdr(host) -i nextcloud.example.com:80
  use_backend nextcloud.nextcloud:80 if acl_nextcloud.example.com
  acl acl_internal-services.example.com hdr(host) -i internal-services.example.com
  acl acl_internal-services.example.com hdr(host) -i internal-services.example.com:80
  use_backend graphie-to-png.graphie-to-png:8765-ebc10c77500be47b8c6f25c6a9db26f6 if acl_internal-services.example.com
  acl acl_graphie-to-png.kasandbox.org hdr(host) -i graphie-to-png.kasandbox.org
  acl acl_graphie-to-png.kasandbox.org hdr(host) -i graphie-to-png.kasandbox.org:80
  use_backend graphie-to-png.graphie-to-png:8765-16e12e4030e576bb5d488b97792cecc9 if acl_graphie-to-png.kasandbox.org
  acl acl_error-monitor-db.example.com hdr(host) -i error-monitor-db.example.com
  acl acl_error-monitor-db.example.com hdr(host) -i error-monitor-db.example.com:80
  redirect scheme https code 308 if ! is_proxy_https acl_error-monitor-db.example.com
  acl acl_crowdin-gcs-sync.example.com hdr(host) -i crowdin-gcs-sync.example.com
  acl acl_crowdin-gcs-sync.example.com hdr(host) -i crowdin-gcs-sync.example.com:80
  redirect scheme https code 308 if ! is_proxy_https acl_crowdin-gcs-sync.example.com
  acl acl_buildmaster.example.com hdr(host) -i buildmaster.example.com
  acl acl_buildmaster.example.com hdr(host) -i buildmaster.example.com:80
  redirect scheme https code 308 if ! is_proxy_https acl_buildmaster.example.com
  acl acl_alerta.example.com hdr(host) -i alerta.example.com
  acl acl_alerta.example.com hdr(host) -i alerta.example.com:80
  redirect scheme https code 308 if ! is_proxy_https acl_alerta.example.com```
backend voyager-operator.voyager:56791
  server pod-voyager-operator-5d4cc8948f-qffjc 10.4.0.126:56791
backend production-rpc.production-rpc:80
  server pod-production-rpc-b584c5769-sldgc 10.128.0.8:80
backend nextcloud.nextcloud:80
  server pod-nextcloud-6c4f588755-czfxg 10.128.0.3:80
backend graphie-to-png.graphie-to-png:8765-ebc10c77500be47b8c6f25c6a9db26f6
  server pod-graphie-to-png-76dfbd5549-27htk 10.128.0.7:8765
backend graphie-to-png.graphie-to-png:8765-16e12e4030e576bb5d488b97792cecc9
  server pod-graphie-to-png-76dfbd5549-27htk 10.128.0.7:8765
frontend http-0_0_0_0-443
  bind *:443  ssl no-sslv3 no-tlsv10 no-tls-tickets crt /etc/ssl/private/haproxy/tls/  alpn http/1.1
  # Mark all cookies as secure
  rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure
  # Add the HSTS header with a 6 month default max-age
  http-response set-header Strict-Transport-Security max-age=15768000
  mode http
  option httplog
  option forwardfor
  acl is_proxy_https hdr(X-Forwarded-Proto) https
  acl acl_error-monitor-db.example.com hdr(host) -i error-monitor-db.example.com
  acl acl_error-monitor-db.example.com hdr(host) -i error-monitor-db.example.com:443
  use_backend error-monitor-db.error-monitor-db:9340 if acl_error-monitor-db.example.com
  acl acl_crowdin-gcs-sync.example.com hdr(host) -i crowdin-gcs-sync.example.com
  acl acl_crowdin-gcs-sync.example.com hdr(host) -i crowdin-gcs-sync.example.com:443
  use_backend crowdin-gcs-sync.crowdin-gcs-sync:9999 if acl_crowdin-gcs-sync.example.com
  acl acl_buildmaster.example.com hdr(host) -i buildmaster.example.com
  acl acl_buildmaster.example.com hdr(host) -i buildmaster.example.com:443
  use_backend buildmaster.buildmaster:80 if acl_buildmaster.example.com
  acl acl_alerta.example.com hdr(host) -i alerta.example.com
  acl acl_alerta.example.com hdr(host) -i alerta.example.com:443
  use_backend alerta.alerta:8080 if acl_alerta.example.com
backend error-monitor-db.error-monitor-db:9340
  server pod-error-monitor-db-cb7bbcdb8-4sdrs 10.128.0.3:9340
backend crowdin-gcs-sync.crowdin-gcs-sync:9999
  server pod-crowdin-gcs-sync-5b684f687-xv87k 10.128.0.4:9999
backend buildmaster.buildmaster:80
  server pod-buildmaster-cb8cbc586-mf9hm 10.128.0.2:80
backend alerta.alerta:8080
  server pod-alerta-fbbdbbc9c-b5rh4 10.128.0.7:8080
frontend tcp-0_0_0_0-3322
  bind *:3322
  mode tcp
  default_backend scp.scp:3322
backend scp.scp:3322
  mode tcp
  server pod-scp-9d464fd77-pcbwj 10.128.0.7:3322

~ $ curl -vv http://alerta.example.com/.well-known/acme-challenge/4QN4jFM7lrp1AxdX7DOapUmleelvzeZJKA5fYCW_kA8
*   Trying 35.184.192.240...
* TCP_NODELAY set
* Connected to alerta.example.com (35.184.192.240) port 80 (#0)
> GET /.well-known/acme-challenge/4QN4jFM7lrp1AxdX7DOapUmleelvzeZJKA5fYCW_kA8 HTTP/1.1
> Host: alerta.example.com
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 308 Permanent Redirect
< Content-length: 0
< Location: https://alerta.example.com/.well-known/acme-challenge/4QN4jFM7lrp1AxdX7DOapUmleelvzeZJKA5fYCW_kA8
< 
* Connection #0 to host alerta.example.com left intact

Posts: 1

Participants: 1

Read full topic