For the last number of years I've been using HAProxy to accept 80/443 connections and pass them back to 2 different internal websites that both listen on 80/443. This has worked well, except it's very rigid since I have HAproxy doing the 301 redirect from 80 to 443. This mainly causes issues when dealing with getting Let's Encrypt certificates since it'll often require the use of port 80 for verification. I've been doing the DNS challenge to get around that, but I want to make this setup less rigid since I'm adding a few other servers to the mix.
First off, no, I don't want to do TLS termination at HAProxy. I like passing the whole connection to my backend. Here are my configs right now:
Code:
global
    ulimit-n 65536
    log 127.0.0.1 local1 info notice
    stats socket /tmp/haproxy.stats mode 660 level admin
    stats timeout 30s
    maxconn 4096
    daemon

defaults
    log global
    mode tcp
    option tcplog
    option dontlognull
    timeout connect 15s
    timeout client 15s
    timeout server 15s

frontend localhost80
    bind *:80
    log global
    mode http
    redirect scheme https code 301 if !{ ssl_fc }

frontend localhost443
    bind *:443
    option tcplog
    mode tcp
    tcp-request inspect-delay 15s
    tcp-request content accept if { req_ssl_hello_type 1 }
    acl is_website11 req_ssl_sni -i website1.example.com
    acl is_website21 req_ssl_sni -i website2.example.com
    use_backend web1cluster if is_website11
    use_backend web2cluster if is_website21

backend web1cluster
    mode tcp
    stick-table type binary len 32 size 30k expire 30m
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello
    tcp-response content accept if serverhello
    stick on payload_lv(43,1) if clienthello
    stick store-response payload_lv(43,1) if serverhello
    server is_website1 192.168.10.42:443 check

backend web2cluster
    mode tcp
    stick-table type binary len 32 size 30k expire 30m
    acl clienthello req_ssl_hello_type 1
    acl serverhello rep_ssl_hello_type 2
    tcp-request inspect-delay 5s
    tcp-request content accept if clienthello
    tcp-response content accept if serverhello
    stick on payload_lv(43,1) if clienthello
    stick store-response payload_lv(43,1) if serverhello
    server is_website2 192.168.10.43:443 check
I think my work really has to be done in the `frontend localhost80` block. I don't know what to change it to though. I still have to have it read the SNI headers to see what the website is. My thoughts were if I changed my port 80 frontend and added proper backends on port 80 I'd solve the issue, but it doesn't appear to work:
Code:
frontend localhost80
    bind *:80
    log global
    mode tcp
    acl is_website1 hdr(Host) -i website1.example.com
    acl is_website2 hdr(Host) -i website2.example.com
    use_backend httpwebsite1 if is_website1
    use_backend httpwebsite2 if is_website2

backend is_website1
    server is_website1 192.168.10.42:80

backend is_website2
    server is_website2 192.168.10.43:80
So my end game here is, with this change above in the second block, I can still make proper connections on port 443 to my hosts, but any attempt at port 80 seems to go nowhere. My end game is to have my web servers do the 301 redirects, not HAProxy.
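The port-80 frontend in the second block has two defects that explain the behaviour described: `hdr(Host)` is an HTTP sample fetch and is never populated in `mode tcp`, so neither ACL can match, and the `use_backend` names (`httpwebsite1`, `httpwebsite2`) do not match the `backend` sections actually defined (`is_website1`, `is_website2`), which HAProxy rejects at config-check time. Plain HTTP carries no SNI at all; the only routing key is the Host header, so this frontend has to be `mode http` while the 443 frontend stays `mode tcp` and keeps passing TLS through untouched. The following is an added example, not configuration from the original post; it reuses the post's two hostnames and backend addresses, and the backend names `http_website1`, `http_website2` and `http_reject` are chosen here:

```haproxy
# Added example: Host-based routing for plain HTTP on port 80, so the web
# servers issue their own 301 redirects and can answer Let's Encrypt
# HTTP-01 challenges directly. TLS on 443 remains end-to-end (tcp mode).
frontend localhost80
    bind *:80
    mode http                 # hdr()/req.hdr() are HTTP fetches; unavailable in mode tcp
    option httplog
    log global
    option forwardfor         # backend now sees HAProxy's IP; pass the client IP along
    # Match the Host header with any explicit ":port" suffix stripped
    acl is_website1 req.hdr(host),field(1,:) -i website1.example.com
    acl is_website2 req.hdr(host),field(1,:) -i website2.example.com
    # Backend names must match the "backend" sections below exactly;
    # "haproxy -c" otherwise fails with "unable to find required use_backend"
    use_backend http_website1 if is_website1
    use_backend http_website2 if is_website2
    # Unknown or missing Host: fail closed instead of reaching an arbitrary backend
    default_backend http_reject

backend http_website1
    mode http
    server web1 192.168.10.42:80 check

backend http_website2
    mode http
    server web2 192.168.10.43:80 check

backend http_reject
    mode http
    http-request deny         # 403 for hostnames this proxy does not serve
```

Validate before reloading with `haproxy -c -f /etc/haproxy/haproxy.cfg`; it catches the mismatched `use_backend` names and the mode mismatch without touching live traffic. The `http_reject` default backend matters from a hardening point of view: without a default, a request whose Host matches nothing is simply dropped, but with a default pointing at one of the real servers every unmatched hostname would be forwarded there.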