Re: Force HTTP to HTTPS

From: Willy Tarreau <w#1wt.eu>
Date: Sat, 7 Jun 2008 11:15:14 +0200


Hi guys,

On Wed, Jun 04, 2008 at 11:32:48PM +0200, Aleksandar Lazic wrote:
> On Tue 03.06.2008 12:26, Leo Catalinas wrote:
> >(answers inline at the end)
> >
> >Aleksandar Lazic wrote:
> >>Hi,
> >>
> >>On Fri 30.05.2008 08:33, Leo Catalinas wrote:
> >
> >>>if requests contains domain "www.example.com" and url_path
> >>>"/hireforms/" then replace "^http://" with "https://".
> >>
> >>[snipp]
> >>
> >>>I think it shouldn't be complicated but I spent some time playing
> >>>with reqirep and rspirep and I didn't achieve the purpose.
> >>>
> >>
> >>acl https_header domain www.example.com and url /hireforms/
> >>
> >>use_backend https if https_header
> >>use_backend http if !https_header
> >>
> >>backend https
> >>.
> >>.
> >>.
> >>reqrep ...
> >success
> >
> >>
> >>backend http
> >>.
> >>.
> >>.
> >to redirect the browser. All the servers belong to the same backend,
> >and I'd prefer not to create separated backends for the two
> >things. Also, all SSL work is done in the haproxy host by Stunnel.
> >
> >>
> >>please take a look into the configuration.txt for the right syntax ;-)
> >>
> >>I'm now in a hurry but if you can wait I can try to write the full acl in
> >>the next week ;-)
> >
> >Thanks!
>
> I would start with this.
>
> ###
> acl dom url_dom www.example.com
> acl secure_path path_beg /hireforms/

From what I understood of Leo's needs, it will not work, because you're looking for the domain in the URI, but it isn't. You may find it in the Host header though.

> use_backend https_add if dom and secure_path
>
> default_backend http
>
> backend https_add
> reqirep (http)(.*) \1s\2
> reqsetbe http

For the same reason it will not work since there is no "http:" in the URI. At Exosec, we've developed a patch which I still have to merge, to perform a redirection when an ACL matches a condition. IIRC, we can currently either reuse the URI and insert a prefix in front of it ("https://xxx") or redirect to an absolute URI ("http://xxx/yyy/zzz"). I think this is what Leo is looking for. I think I will merge it this weekend.

Cheers,
Willy

Received on 2008/06/07 11:15
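
The approach described in this message (match the domain in the Host header, match the path, then redirect the browser rather than rewrite the request line), sketched as an added example that is not part of the original thread. It uses the `redirect prefix` directive available in later HAProxy releases, which may differ in syntax from the patch mentioned above; the section names, the loopback port that stunnel forwards to, and the `servers` backend are assumptions.

```haproxy
# Added example, not from the thread. Ports and names are assumed.
frontend www
    mode http

    # Cleartext clients connect here.
    bind :80

    # Assumed: stunnel terminates TLS on :443 on this host and forwards
    # the decrypted requests to this loopback listener.
    bind 127.0.0.1:8080

    # The request line of a normal request is "GET /hireforms/x HTTP/1.1":
    # it carries only the path, so the domain must be read from the
    # Host header, not from the URI.
    acl host_example  hdr(host) -i www.example.com
    acl secure_path   path_beg /hireforms/

    # Requests that already came through stunnel look like plain HTTP to
    # haproxy. Tell them apart by the listener they arrived on, otherwise
    # the redirect below would loop forever.
    acl from_stunnel  dst_port 8080

    # Send a 302 whose Location is the prefix followed by the original
    # URI, e.g. /hireforms/apply -> https://www.example.com/hireforms/apply
    redirect prefix https://www.example.com if host_example secure_path !from_stunnel

    # One backend for everything, as Leo wanted.
    default_backend servers

backend servers
    mode http
    # Constructed address for illustration.
    server app1 192.0.2.10:80 check
```

Because the redirect is answered by haproxy itself, the cleartext request for `/hireforms/` never reaches the servers; only the follow-up request arriving through stunnel does.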
