5
votes

I have haproxy v1.5.4 working with http & https. I am binding *:80 & *:443 to the same frontend and using the same ACLs.

I want to create an http -> https redirect

frontend http-in
    bind *:80
    bind *:443 ssl crt /etc/pki/tls/certs/...

    ...

    acl is_office path_beg /office
    http-request redirect scheme https if !{ ssl_fc } is_office

    use_backend office if is_office

This causes

10.XXXXX:36909 [16/Dec/2015:17:23:07.678] http-in/2: SSL handshake failure

when I access over http (expecting the redirect)

If I access via https then it correctly hits the backend and proxies through to the service over 443.

backend office
  balance roundrobin
  server backbone-daily 10.XXXXXX:443 ssl check verify none

The self-signed cert validates and works without the redirect. It feels like I'm missing something in the redirect stage.

Any help much appreciated.

First guess is that you have "verify" set for the backend, but are using a self-signed certificate which would fail verification. - fideloper
Also, do you purposely have an SSL certificate both on the load balancer and the backend server? (2 separate certificates) - fideloper
Hi, the backend has verify none as it's a self-signed cert. I want to proxy traffic through to apache over SSL. I can terminate SSL for some services but I don't want to for CAS. I assumed that because I can hit the backend successfully when using https the redirect should just work. - James Morgan
Have you figured it out? - Piotr
Did anyone get a solution to this? - swetad90

1 Answer

0
votes

Since we use the HAProxy Plugin with OPNsense, which only has a GUI, I can't give an answer containing working code. However, I can retrace the steps that finally made this work for us.

  1. Set up your mapping rules as usual
  2. Set up a rule HTTP_REDIRECT without any conditions but with the function http-request redirect scheme https
  3. Create two public services, one for port 443 and one for port 80
  4. Set up the public service for 443 with SSL Offloading and your mapping rules
  5. Set up the public service for 80 without SSL Offloading, and only your HTTP_REDIRECT rule

I suspect this would translate to code something like this:

# TLS-terminating frontend: certificate and routing ACLs live only here
frontend http-in
    bind *:443 ssl crt /etc/pki/tls/certs/...
    acl is_office path_beg /office
    use_backend office if is_office

# plain-HTTP frontend: nothing but the unconditional redirect
frontend no-ssl-http-in
    bind *:80
    http-request redirect scheme https

Hope this helps anyone who is still looking for a solution.
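To turn the five GUI steps above into a complete file, here is an added example config (not the asker's or the answerer's own, and written for HAProxy 1.5 syntax). It keeps the `/office` ACL and the `verify none` backend from the question; the certificate path and backend IP are placeholders, and the `defaults` section is an assumption added so that `mode http` applies to the port-80 frontend, which the redirect keyword requires.

```haproxy
# Added example: two-frontend HTTP -> HTTPS layout, as described in the answer.
# Certificate path and backend address are placeholders, not values from the thread.
global
    log /dev/log local0

defaults
    mode http                 # redirect rules only work in HTTP mode
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain HTTP: no certificate is bound here, so nothing on port 80 can fail a TLS
# handshake; every request is answered with a permanent redirect to https.
frontend http-redirect
    bind *:80
    http-request redirect scheme https code 301

# TLS termination: the only place the certificate is bound and the only place
# the routing ACLs are evaluated, so they never see a cleartext request.
frontend https-in
    bind *:443 ssl crt /etc/pki/tls/certs/PLACEHOLDER.pem
    acl is_office path_beg /office
    use_backend office if is_office

# Re-encrypt towards the self-signed Apache/CAS host. "verify none" is what the
# question uses; note it means HAProxy does not validate the backend certificate.
backend office
    balance roundrobin
    server backbone-daily 10.0.0.10:443 ssl check verify none   # placeholder IP
```

Check the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; an undefined ACL (for example `use_backend ... if is_office` without a matching `acl` line) is rejected at this stage. Then `curl -I http://<host>/office` should return `HTTP/1.1 301 Moved Permanently` with a `Location: https://<host>/office` header, while the same request over `https://` should reach the backend. If the handshake failure from the question persists, remember that `http-in/2` in that log line names the second `bind` of the frontend (the 443 listener), so the failing connection was arriving on the TLS port, not on port 80.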