Re: Enforcing SSL for certain pages only, and no SSL for the rest

From: Willy Tarreau <>
Date: Fri, 26 Jun 2009 03:28:38 +0200

On Mon, Jun 15, 2009 at 11:25:24AM -0500, Jeremy wrote:
> We have a client requesting something that I'm trying to wrap my head
> around.
> The easy part of the request is, they have a list of certain subdirectories
> on their website which they want to be SSL only. Anywhere else on the site
> should not use SSL. I think I get how to enforce that using ACLs, i.e.
> acl ssl-traffic src
> acl ssl-folder1 url_dir folder1
> acl ssl-folder1 url_dir folder2
> block if (ssl-folder1 or ssl-folder2) and !ssl-traffic # can you use (
> )'s like this?
> block if ssl-traffic and !ssl-folder1 and !ssl-folder2

you can't use braces above but you can change the rule that way :

  block if ssl-folder1 !ssl-traffic or or ssl-folder2 !ssl-traffic

Also, it's often better to redirect than to block. If you redirect to the SSL site, your clients will get a better experience if they connect via the HTTP URL.

It could basically look like this :

  redirect prefix if ssl-folder1 !ssl-traffic or or ssl-folder2 !ssl-traffic

> The other part of their request I'm not sure if HAProxy can do. They would
> like all self-referencing links on the website to be written to be
> https://if the link points to one of these "ssl only folders", and any
> other links
> on the site to be plain http:// if they don't reference one of these
> folders. Am I correct in guessing this is something that will need to be
> done manually in their actual website code?

yes you're correct. Haproxy will never change the data. And I really suggest you don't experiment with tools that can do that (I know there's an apache module for that). It's really crappy and will never solve all cases such as links constructed in javascript. It can also sometimes corrupt documents in which you would have expected the links to remain untouched.

In fact, if you perform a redirect as I suggest above, you can keep the HTTP links and the client will not notice it, because it will first try to fetch as HTTP, then get a redirect to the HTTPS URL and try again in HTTPS.

> Or is this something that
> HAProxy can do? I see the rsprep / rsiprep options which seem like the best
> bet but when the docs say they work on the "HTTP response line" I'm not sure
> if that means the full HTML content the web servers are returning, or just
> the HTTP headers or something. It also seems like it would be a lot trickier
> to come up with a regex to do this to cover any relative links.
> If this is actually possible would there be a lot of stress put on the load
> balancer doing this on a high volume site?

It would definitely put some stress (especially if you did that using a regex). And it would not always work very well. Also this requires that you switch to content-encoding chunked because you don't know the content-length anymore since you have to advertise it before sending the data. And processing chunks with regexes is probably not easy at all (eg: when a URL you want to rewrite is itself split in two chunks).

Willy Received on 2009/06/26 03:28

This archive was generated by hypermail 2.2.0 : 2009/06/26 03:30 CEST