I'm using HAProxy for load balancing and only want my site to support https. Thus, I'd like to redirect all requests on port 80 to port 443.
How would I do this?
Edit: We'd like to redirect to the same url on https, preserving query params. Thus, http://foo.com/bar would redirect to https://foo.com/bar
I found this to be the biggest help:
Use HAProxy 1.5-dev13 or newer, and simply add the following line to the frontend config:
redirect scheme https code 301 if !{ ssl_fc } I don't have enough reputation to comment on a previous answer, so I'm posting a new answer to complement Jay Taylor's answer. Basically his answer will do the redirect, an implicit redirect though, meaning it will issue a 302 (temporary redirect), but since the question informs that the entire website will be served as https, then the appropriate redirect should be a 301 (permanent redirect).
redirect scheme https code 301 if !{ ssl_fc } It seems a small change, but the impact might be huge depending on the website, with a permanent redirect we are informing the browser that it should no longer look for the http version from the start (avoiding future redirects) - a time saver for https sites. It also helps with SEO, but not dividing the juice of your links.
To redirect all traffic:
redirect scheme https if !{ ssl_fc }
To redirect a single url (In case of multiple frontend/backend)
redirect scheme https if { hdr(Host) -i www.mydomain.com } !{ ssl_fc }
According to http://parsnips.net/haproxy-http-to-https-redirect/ it should be as easy as configuring your haproxy.cfg to contain the follow.
#--------------------------------------------------------------------- # Redirect to secured #--------------------------------------------------------------------- frontend unsecured *:80 redirect location https://foo.bar.com #--------------------------------------------------------------------- # frontend secured #--------------------------------------------------------------------- frontend secured *:443 mode tcp default_backend app #--------------------------------------------------------------------- # round robin balancing between the various backends #--------------------------------------------------------------------- backend app mode tcp balance roundrobin server app1 127.0.0.1:5001 check server app2 127.0.0.1:5002 check server app3 127.0.0.1:5003 check server app4 127.0.0.1:5004 check A slight variation of user2966600's solution...
To redirect all except a single URL (In case of multiple frontend/backend):
redirect scheme https if !{ hdr(Host) -i www.mydomain.com } !{ ssl_fc } The best guaranteed way to redirect everything http to https is:
frontend http-in bind *:80 mode http redirect scheme https code 301 This is a little fancier using ‘code 301′, but might as well let the client know it’s permanent. The ‘mode http’ part is not essential with default configuration, but can’t hurt. If you have mode tcp in defaults section (like I did), then it’s necessary.
Like Jay Taylor said, HAProxy 1.5-dev has the redirect scheme configuration directive, which accomplishes exactly what you need.
However, if you are unable to use 1.5, and if you're up for compiling HAProxy from source, I backported the redirect scheme functionality so it works in 1.4. You can get the patch here: http://marc.info/?l=haproxy&m=138456233430692&w=2
frontend unsecured *:80 mode http redirect location https://foo.bar.com If you want to rewrite the url, you have to change your site virtualhost adding this lines:
### Enabling mod_rewrite Options FollowSymLinks RewriteEngine on ### Rewrite http:// => https:// RewriteCond %{SERVER_PORT} 80$ RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,NC,L] But, if you want to redirect all your requests on the port 80 to the port 443 of the web servers behind the proxy, you can try this example conf on your haproxy.cfg:
########## # Global # ########## global maxconn 100 spread-checks 50 daemon nbproc 4 ############ # Defaults # ############ defaults maxconn 100 log global mode http option dontlognull retries 3 contimeout 60000 clitimeout 60000 srvtimeout 60000 ##################### # Frontend: HTTP-IN # ##################### frontend http-in bind *:80 option logasap option httplog option httpclose log global default_backend sslwebserver ######################### # Backend: SSLWEBSERVER # ######################### backend sslwebserver option httplog option forwardfor option abortonclose log global balance roundrobin # Server List server sslws01 webserver01:443 check server sslws02 webserver02:443 check server sslws03 webserver03:443 check I hope this help you
Why don't you use ACL's to distinguish traffic? on top of my head:
acl go_sslwebserver path bar use_backend sslwebserver if go_sslwebserver This goes on top of what Matthew Brown answered.
See the ha docs , search for things like hdr_dom and below to find more ACL options. There are plenty of choices.
Add this into the HAProxy frontend config:
acl http ssl_fc,not http-request redirect scheme https if http