I have a haproxy cluster with two frontends for http and https and many backends which are selected using a domain2backend map.
Some of the backends must be accessed only through HTTPS.
I tried using
    redirect scheme https code 301 if !{ ssl_fc }
in those backends but haproxy seems to be ignoring it. I even tried simply to redirect (without any condition) but haproxy ignores the redirect in the backend section.
Configuration excerpt:
global
    maxconn 1024
    debug
    log localhost local0 debug
    tune.ssl.default-dh-param 2048

defaults
    balance roundrobin
    maxconn 32
    log global
    monitor-uri /haproxy_test
    timeout connect 5000ms
    timeout client 50000ms
    timeout server 50000ms

frontend http-in
    bind *:8080
    mode http
    option httplog
    option forwardfor
    use_backend %[req.hdr(host),lower,map_dom(./etc/domain2backend.map)]

frontend https-in
    bind *:4443 ssl crt ./etc/ssl
    mode http
    option httplog
    option forwardfor
    http-request add-header X-Proto https if { ssl_fc }
    use_backend %[req.hdr(host),lower,map_dom(./etc/domain2backend.map)]

backend app1_www
    redirect scheme https if !{ ssl_fc }
    server localhost:3000 127.0.0.1:3000 check

backend app2_www
    redirect scheme https
    server localhost:3000 127.0.0.1:3000 check

Neither app1_www nor app2_www redirects work.
I am using HA-Proxy version 1.7.3 2017/02/28
After many attempts and thanks to the helpful community at http://discourse.haproxy.org I found the solution:
It is necessary to specify mode http
in the backend to allow the redirections to work.
The variable ssl_fc is available in the backend so it is possible to use the condition if !{ ssl_fc }
like in the following code sample:
backend app1_www
    mode http
    redirect scheme https if !{ ssl_fc }
    server localhost:3000 127.0.0.1:3000 check
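
A way to catch this class of mistake before deployment, as an added example that is not part of the original question or answer: a small Python check that flags HTTP-level rules placed in proxies whose effective mode is not http. It assumes HAProxy's built-in default mode of tcp when neither the section nor the preceding defaults section sets one; the function name, the short directive list and the sample configs are constructed for illustration.

```python
# Directives that only take effect when the proxy runs in HTTP mode.
HTTP_ONLY = {"redirect", "http-request", "http-response"}
PROXIES = {"frontend", "backend", "listen"}

def find_ignored_http_rules(config_text):
    """Return (section, name, rule) for HTTP rules in proxies not in HTTP mode."""
    sections, current = [], None
    for raw in config_text.splitlines():
        words = raw.split("#", 1)[0].split()   # simplification: '#' always starts a comment
        if not words:
            continue
        if words[0] in PROXIES | {"global", "defaults"}:
            name = words[1] if len(words) > 1 else ""
            current = {"kind": words[0], "name": name, "mode": None, "rules": []}
            sections.append(current)
        elif current is not None:
            if words[0] == "mode" and len(words) > 1:
                current["mode"] = words[1]
            elif words[0] in HTTP_ONLY:
                current["rules"].append(" ".join(words))
    findings, inherited = [], "tcp"            # assumed HAProxy default when no mode is set
    for s in sections:
        if s["kind"] == "defaults":
            inherited = s["mode"] or "tcp"     # a defaults section applies to later proxies
        elif s["kind"] in PROXIES and (s["mode"] or inherited) != "http":
            findings += [(s["kind"], s["name"], r) for r in s["rules"]]
    return findings

# Constructed sample based on the question's excerpt (no mode in defaults).
QUESTION_CFG = """
defaults
    balance roundrobin
frontend https-in
    bind *:4443 ssl crt ./etc/ssl
    mode http
    http-request add-header X-Proto https if { ssl_fc }
backend app1_www
    redirect scheme https if !{ ssl_fc }
    server localhost:3000 127.0.0.1:3000 check
backend app2_www
    redirect scheme https
    server localhost:3000 127.0.0.1:3000 check
"""
# Same config with the answer's fix applied to app1_www only.
FIXED_CFG = QUESTION_CFG.replace("backend app1_www\n", "backend app1_www\n    mode http\n")

if __name__ == "__main__":
    for finding in find_ignored_http_rules(QUESTION_CFG):
        print("HTTP rule in non-HTTP proxy:", finding)
```

Setting mode http once in the defaults section clears every finding, since each backend then inherits it.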