Re: Using stunnel + haproxy for SSL support

From: Willy Tarreau <w#1wt.eu>
Date: Sat, 5 Apr 2008 08:06:34 +0200


Hi,

On Fri, Apr 04, 2008 at 05:54:40PM +0200, Alberto Giménez wrote:
> Hi,
>
> I'm having trouble using stunnel and haproxy to load balance https and
> http traffic. To be honest, I really don't know whether it is stunnel
> or haproxy related so I am going to contact both lists :)
>
> I have set up a haproxy load balancer as http proxy for two backend
> Apache2 webservers. It works fine.
> I also have stunnel on the same LB to add SSL support (with
> xforwardedfor patch installed). It works fine (mostly).
>
> The issue is related to Apache trailing slash thingie. If I query
> https://haproxy.domain.loc/hatest/ it works perfectly, but if I omit
> the trailing slash: https://haproxy.domain.loc/hatest then following
> things happen:
>
> - Browser makes SSL connection with stunnel on port 443.
> - stunnel deciphers and forwards the request on the haproxy attached
> to LB's port 80.
> - haproxy (now using plain http) forwards to one of the backends.
> - Apache2 located on the backend replies with "301 moved permanently"
> to force the browser to add the trailing slash. As Apache was queried
> by *haproxy in plain http*, the 301 includes http:// on the Location
> header. HTTPS is over from now!
> - The client browser then rewrites the address to
> http://haproxy.domain.loc/hatest/ and SSL is lost forever.
>
> I've been googling and searching the lists but nothing found. Is there
> any way to fix this?

I've already encountered such situations in the past with apache. It was slightly different, it was only HTTP, but the redirection was absolute (as in your case) and caused trouble. I *think* it is possible to configure apache not to report an absolute URI, but rather a relative URI ("/hatest/", without http and the address). But I'm not sure how.

Another solution, if your site is https-only, is to configure haproxy to rewrite the Location: response header that way:

        rspirep ^Location:\ http://haproxy\.domain\.loc/(.*) Location:\ https://haproxy.domain.loc/\1

Regards,
Willy

Received on 2008/04/05 08:06
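To make the rewrite rule concrete, here is an added Python emulation of what haproxy's rspirep does to a response (this is example code written for this archive page, not haproxy's own code or anything from the thread). It assumes haproxy's documented semantics for rspirep: every status or header line matching the regular expression (case-insensitively) is replaced as a whole by the replacement string, with \1..\9 expanded from the match. The 301 response below is a constructed sample of what Apache sends back when the trailing slash is missing; in a real haproxy config file the spaces in the regex and replacement are written as "\ ".

```python
import re

# Constructed sample: Apache's 301 as it arrives at haproxy. Because haproxy
# spoke plain HTTP to Apache, the Location header points at http://, which is
# the downgrade the browser would follow.
SAMPLE_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Date: Sat, 05 Apr 2008 06:06:34 GMT\r\n"
    "Server: Apache/2.2.8\r\n"
    "Location: http://haproxy.domain.loc/hatest/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Rule from the reply above, in Python regex form (no "\ " escaping needed).
SEARCH = r"^Location: http://haproxy\.domain\.loc/(.*)"
FIXED_RULE = r"Location: https://haproxy.domain.loc/\1"
# A replacement that forgets to re-emit the header name: since the whole
# matching line is replaced, this would silently drop "Location:".
BROKEN_RULE = r"https://haproxy.domain.loc/\1"


def expand(replacement: str, match: re.Match) -> str:
    """Expand \\0..\\9 in a haproxy-style replacement string from the match."""
    def sub(m: re.Match) -> str:
        return match.group(int(m.group(1))) or ""
    return re.sub(r"\\(\d)", sub, replacement)


def rspirep(response: str, search: str, replacement: str) -> str:
    """Emulate rspirep: each status/header line matching <search>
    (case-insensitive) is replaced as a whole by <replacement>."""
    head, sep, body = response.partition("\r\n\r\n")
    pattern = re.compile(search, re.IGNORECASE)
    rewritten = []
    for line in head.split("\r\n"):
        m = pattern.search(line)
        rewritten.append(expand(replacement, m) if m else line)
    return "\r\n".join(rewritten) + sep + body


def location_header(response: str):
    """Return the Location header value, or None if the response has none."""
    head = response.partition("\r\n\r\n")[0]
    for line in head.split("\r\n"):
        if line.lower().startswith("location:"):
            return line.split(":", 1)[1].strip()
    return None


if __name__ == "__main__":
    print("before:", location_header(SAMPLE_RESPONSE))
    print("fixed rule:", location_header(rspirep(SAMPLE_RESPONSE, SEARCH, FIXED_RULE)))
    print("broken rule:", location_header(rspirep(SAMPLE_RESPONSE, SEARCH, BROKEN_RULE)))
```

Redirects to any other host do not match the anchored regex and pass through untouched, which is the behaviour you want: the rule only undoes the scheme downgrade on the site's own absolute URLs rather than forcing https on arbitrary Location targets.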
