HAProxy redirects http to https (ssl)

Question

HAProxy redirects http to https (ssl)

I use HAProxy for load balancing and want my site to support https. Thus, I would like to redirect all requests to port 80 to port 443.

How should I do it?

Edit: we would like to redirect to the same url on https while maintaining the request parameters. This way, http://foo.com/bar will be redirected to https://foo.com/bar

+88

redirect http ssl https haproxy

Jon Chu Nov 05 '12 at 7:10

source share

10 answers

Jay Taylor · Answer 1 · 2013-05-13 18:06

I found this to be the biggest help :

Use HAProxy 1.5-dev13 or later and just add the following line to your frontend configuration:

redirect scheme https code 301 if !{ ssl_fc }

Marcos Abreu · Answer 2 · 2014-02-18 15:26

I do not have enough reputation to comment on the previous answer, so I am posting a new answer to complement Jay Taylor's answer. Basically his answer will be a redirect, an implied redirect, although it means that it gives 302 (temporary redirect), but since the question informs that the entire website will be served as https, the corresponding redirect should be 301 (constant redirect )

 redirect scheme https code 301 if !{ ssl_fc }

It seems to be a small change, but the impact can be huge depending on the website, with constant redirection we tell the browser that it will no longer search for the http version from the very beginning (avoiding future redirects) - time saver for https sites. It also helps with SEO, but does not share the juice of your links.

user2966600 · Answer 3 · 2013-11-07 21:45

To redirect all traffic:

redirect scheme https if !{ ssl_fc }

To redirect a single url (in case of multiple interface / backend)

redirect scheme https if { hdr(Host) -i www.mydomain.com } !{ ssl_fc }

Maitreya · Answer 4 · 2017-01-12 00:34

The best guaranteed way to redirect all http to https:

 frontend http-in bind *:80 mode http redirect scheme https code 301

This is a little more interesting using the "code 301", but may also let the client know its constant. "The http part of the mode is not essential with the default configuration, but it cannot be damaged. If you have mode tcp in the default section (like me), then this is necessary.

Matthew Brown · Answer 5 · 2012-11-05 08:32

According to http://parsnips.net/haproxy-http-to-https-redirect/ , it should be as simple as setting up haproxy.cfg to contain the following.

 #--------------------------------------------------------------------- # Redirect to secured #--------------------------------------------------------------------- frontend unsecured *:80 redirect location https://foo.bar.com #--------------------------------------------------------------------- # frontend secured #--------------------------------------------------------------------- frontend secured *:443 mode tcp default_backend app #--------------------------------------------------------------------- # round robin balancing between the various backends #--------------------------------------------------------------------- backend app mode tcp balance roundrobin server app1 127.0.0.1:5001 check server app2 127.0.0.1:5002 check server app3 127.0.0.1:5003 check server app4 127.0.0.1:5004 check

Josh Currier · Answer 6 · 2016-04-22 13:10

A small change in user solutions2966600 ...

To redirect all but one URL (in case of multiple interface / backend):

 redirect scheme https if !{ hdr(Host) -i www.mydomain.com } !{ ssl_fc }

rusty · Answer 7 · 2013-11-16 00:52

As Jay Taylor said, HAProxy 1.5-dev has a redirect scheme configuration directive that does exactly what you need.

However, if you cannot use 1.5, and if you want to compile HAProxy from the source code, I supported the redirect scheme functionality, so it works in version 1.4. Here you can get the patch: http://marc.info/?l=haproxy&m=138456233430692&w=2

sanyi · Answer 8 · 2013-10-30 08:50

 frontend unsecured *:80 mode http redirect location https://foo.bar.com

Flat · Answer 9 · 2012-11-05 08:31

If you want to rewrite the URL, you need to change your virtual host of the site by adding the following lines:

 ### Enabling mod_rewrite Options FollowSymLinks RewriteEngine on ### Rewrite http:// => https:// RewriteCond %{SERVER_PORT} 80$ RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,NC,L]

But if you want to redirect all your requests to port 80 to port 443 of the web servers behind the proxy server, you can try this conf example on your haproxy.cfg:

 ########## # Global # ########## global maxconn 100 spread-checks 50 daemon nbproc 4 ############ # Defaults # ############ defaults maxconn 100 log global mode http option dontlognull retries 3 contimeout 60000 clitimeout 60000 srvtimeout 60000 ##################### # Frontend: HTTP-IN # ##################### frontend http-in bind *:80 option logasap option httplog option httpclose log global default_backend sslwebserver ######################### # Backend: SSLWEBSERVER # ######################### backend sslwebserver option httplog option forwardfor option abortonclose log global balance roundrobin # Server List server sslws01 webserver01:443 check server sslws02 webserver02:443 check server sslws03 webserver03:443 check

I hope this helps you

Glenn Plas · Answer 10 · 2012-11-14 10:23

Why don't you use ACLs to distinguish between traffic? on my head:

 acl go_sslwebserver path bar use_backend sslwebserver if go_sslwebserver

This refers to what Matthew Brown answered.

See ha docs , look for things like hdr_dom and below to find additional ACL options. There are many options.

HAProxy redirects http to https (ssl)

More articles: