HAProxy redirecting http to https (ssl)

T

17

102

I'm using HAProxy for load balancing and only want my site to support https. Thus, I'd like to redirect all requests on port 80 to port 443.

How would I do this?

Edit: We'd like to redirect to the same url on https, preserving query params. Thus, http://foo.com/bar would redirect to https://foo.com/bar

Tucson answered 5/11, 2012 at 7:10 Comment(0)

A

151

I found this to be the biggest help:

Use HAProxy 1.5 or newer, and simply add the following line to the frontend config:

redirect scheme https code 301 if !{ ssl_fc }

Argentine answered 13/5, 2013 at 18:6 Comment(9)

To add to this, from User2966600's answer below, with 301 added, use this to redirect to https for only a specific domain: redirect scheme https code 301 if { hdr(Host) -i www.mydomain.com } !{ ssl_fc } – June 21/1, 2015 at 22:3

That worked. Though it doesn't work without 'code 301'. Thanks for update. – Numismatist 16/12, 2016 at 23:29

An equivalent syntax to the given answer would be like this: http-request redirect scheme https code 301 if !{ ssl_fc }. The documentation for http redirection in ALOHA HAProxy 7.0 even mention that "the syntax of both directives is the same, that said, redirect is now considered as legacy and configurations should move to the http-request redirect form". I infer, without being completely sure, that the same explanation applies to the newer releases of the open source version of HAProxy. – Pony 21/5, 2017 at 18:55

Thanks for your reply. Could you expand to explain where must we add this line? In the frontend / backend / default / global / .. ? – Celina 22/8, 2018 at 23:0

I usually place it inside the frontend, but redirects are just a header, so I'd expect a redirect can be triggered up until the response headers have been sent. I'd like to know if it can work in both locations, may have to give it a try. – Argentine 23/8, 2018 at 5:28

This is perfect – Cray 10/8, 2019 at 20:1

It's important to note this must be in a separate frontend block. Many example code online have both binds in the same block, and doing a redirect in a dual binded block will prevent haproxy from starting. – Pyknic 24/9, 2020 at 7:44

To comlement, the { ssl_fc } is a boolean that returns True if the connections was made over SSL. – Gittens 5/2, 2021 at 17:10

This (good) answer was burried under five zero scored answers - what's going on? – Moynahan 30/9, 2021 at 8:34

T

69

I don't have enough reputation to comment on a previous answer, so I'm posting a new answer to complement Jay Taylor's answer. Basically his answer will do the redirect, an implicit redirect though, meaning it will issue a 302 (temporary redirect), but since the question informs that the entire website will be served as https, then the appropriate redirect should be a 301 (permanent redirect).

redirect scheme https code 301 if !{ ssl_fc }

It seems a small change, but the impact might be huge depending on the website, with a permanent redirect we are informing the browser that it should no longer look for the http version from the start (avoiding future redirects) - a time saver for https sites. It also helps with SEO, but not dividing the juice of your links.

Talich answered 18/2, 2014 at 15:26 Comment(0)

P

42

To redirect all traffic:

redirect scheme https if !{ ssl_fc }

To redirect a single url (In case of multiple frontend/backend)

redirect scheme https if { hdr(Host) -i www.mydomain.com } !{ ssl_fc }

Polythene answered 7/11, 2013 at 21:45 Comment(2)

Thanks, the "only on a specific host" condition was just what i was looking for! – June 21/1, 2015 at 21:58

May you please show a practical example of the second option, please? – Gittens 20/8, 2020 at 23:55

B

21

The best guaranteed way to redirect everything http to https is:

frontend http-in
   bind *:80
   mode http
   redirect scheme https code 301

This is a little fancier using ‘code 301′, but might as well let the client know it’s permanent. The ‘mode http’ part is not essential with default configuration, but can’t hurt. If you have mode tcp in defaults section (like I did), then it’s necessary.

Bortz answered 12/1, 2017 at 0:34 Comment(1)

You might want to use http-request redirect scheme https code 301 instead because having the prefix http-request allows using log-format to affect how this is logged: docs.haproxy.org/2.4/… – Nucleo 30/1, 2023 at 13:3

W

15

According to http://parsnips.net/haproxy-http-to-https-redirect/ it should be as easy as configuring your haproxy.cfg to contain the follow.

#---------------------------------------------------------------------
# Redirect to secured
#---------------------------------------------------------------------
frontend unsecured *:80
    redirect location https://foo.bar.com

#---------------------------------------------------------------------
# frontend secured
#---------------------------------------------------------------------
frontend  secured *:443
   mode  tcp
   default_backend      app

#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
backend app
    mode  tcp
    balance roundrobin
    server  app1 127.0.0.1:5001 check
    server  app2 127.0.0.1:5002 check
    server  app3 127.0.0.1:5003 check
    server  app4 127.0.0.1:5004 check

Wahlstrom answered 5/11, 2012 at 8:32 Comment(3)

So that would redirect everything to foo.bar.com. Ideally though, we'd like foo.bar.com/baz to redirect to foo.bar.com/baz. We also need query params. – Tucson 5/11, 2012 at 22:36

@JonChu raises a valid use-case, this is only a partial solution. – Argentine 13/5, 2013 at 18:9

Instead of using redirect location, try redirect prefix https: //foo.bar.com instead. It should help with the use-case Jon Chu mentions. – Rubstone 23/10, 2013 at 4:22

O

12

A slight variation of user2966600's solution...

To redirect all except a single URL (In case of multiple frontend/backend):

redirect scheme https if !{ hdr(Host) -i www.mydomain.com } !{ ssl_fc }

Oakie answered 22/4, 2016 at 13:10 Comment(0)

R

4

Like Jay Taylor said, HAProxy 1.5-dev has the redirect scheme configuration directive, which accomplishes exactly what you need.

However, if you are unable to use 1.5, and if you're up for compiling HAProxy from source, I backported the redirect scheme functionality so it works in 1.4. You can get the patch here: http://marc.info/?l=haproxy&m=138456233430692&w=2

Rhetorician answered 16/11, 2013 at 0:52 Comment(0)

W

3

redirect statement is legacy

use http-request redirect instead

acl http      ssl_fc,not
http-request redirect scheme https if http

Walley answered 7/5, 2020 at 20:5 Comment(0)

O

2

frontend unsecured *:80
    mode http
    redirect location https://foo.bar.com

Oaten answered 30/10, 2013 at 8:50 Comment(0)

R

1

In newer versions of HAProxy it is recommended to use

http-request redirect scheme https if !{ ssl_fc }

to redirect http traffic to https.

Retroact answered 7/10, 2019 at 15:31 Comment(0)

S

1

Can be done like this -

  frontend http-in
   bind *:80
   mode http
   redirect scheme https code 301

Any traffic hitting http will redirect to https

Subtenant answered 18/3, 2020 at 16:56 Comment(0)

B

1

  acl host-example hdr(host) -i www.example.com

  # for everything not https
  http-request redirect scheme https code 301 unless { ssl_fc }

  # for anything matching acl
  http-request redirect scheme https code 301 if host-example !{ ssl_fc }

Bendite answered 6/11, 2020 at 12:50 Comment(0)

C

0

If you want to rewrite the url, you have to change your site virtualhost adding this lines:

### Enabling mod_rewrite
Options FollowSymLinks
RewriteEngine on

### Rewrite http:// => https://
RewriteCond %{SERVER_PORT} 80$
RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,NC,L]

But, if you want to redirect all your requests on the port 80 to the port 443 of the web servers behind the proxy, you can try this example conf on your haproxy.cfg:

##########
# Global #
##########
global
    maxconn 100
    spread-checks 50
    daemon
    nbproc 4

############
# Defaults #
############
defaults
    maxconn 100
    log global
    mode http
    option dontlognull
    retries 3
    contimeout 60000
    clitimeout 60000
    srvtimeout 60000

#####################
# Frontend: HTTP-IN #
#####################
frontend http-in
    bind *:80
    option logasap
    option httplog
    option httpclose
    log global
    default_backend sslwebserver

#########################
# Backend: SSLWEBSERVER #
#########################
backend sslwebserver
    option httplog
    option forwardfor
    option abortonclose
    log global
    balance roundrobin
    # Server List
    server sslws01 webserver01:443 check
    server sslws02 webserver02:443 check
    server sslws03 webserver03:443 check

I hope this help you

Corps answered 5/11, 2012 at 8:31 Comment(0)

C

0

Why don't you use ACL's to distinguish traffic? on top of my head:

acl go_sslwebserver path bar
use_backend sslwebserver if go_sslwebserver

This goes on top of what Matthew Brown answered.

See the ha docs , search for things like hdr_dom and below to find more ACL options. There are plenty of choices.

Contrayerva answered 14/11, 2012 at 10:23 Comment(0)

S

0

Add this into the HAProxy frontend config:

acl http      ssl_fc,not
http-request redirect scheme https if http

HAProxy - Redirecting HTTP Requests

Selfregard answered 16/5, 2018 at 1:39 Comment(0)

C

0

Simply:

frontend incoming_requsts
        bind *:80
        bind *:443 ssl crt *path_to_cert*.**pem**
        **http-request redirect scheme https unless { ssl_fc }**
        default_backend k8s_nodes

Creepie answered 21/8, 2020 at 9:50 Comment(0)

L

0

If you want SSL Termination

# Redirects back on port 443
  frontend http_front
    bind *:80
    mode http
    redirect scheme https code 301 if !{ ssl_fc }
# Forward to backend with SSL         
  frontend myfrontend
    mode tcp
    bind *:443
    default_backend myservers
        
   backend myservers
    mode tcp
    server server1 <SERVER IP >

Lagging answered 17/6, 2023 at 17:0 Comment(0)

Recommended topics

Hot tags