Problem with rewrites + SSL

From: Saul <saul#extremecloudsolutions.com>
Date: Tue, 18 Oct 2011 14:31:52 -0400


Hello List,

I am having an issue trying to translate some URLs with my haproxy setup and I'm hoping someone can shed some light.

Information:

4 Apache servers need a reliable LB such as HA. These Apache servers are listening on 80 and 443; however, all traffic gets rewritten (with Apache rewrites) to https if the request comes in on port 80. Currently there is just a firewall with DNAT.

The Apaches are not serving content directly from disk but rather "proxy passing" to backend servers based on the request. This information is only relevant because of the different hostnames that a client will be hitting when connecting to the site.

The problem:

I want to be able to rewrite the URL at the HA level but I am having some issues trying to do this accurately. I have a front end listening on 80 and a front end listening on 443 (https); the latter is set to TCP mode so it will transparently forward requests to the Apaches on 443. So what I've done is try to force a redirect to https if the request comes via 80 to a URL. The problem is that because there are many hostnames and calls associated with every request, I can't simply send all traffic to one URL; I need to be able to just replace the protocol and keep the request intact.

Config:

## ----------------
## HTTP FRONTEND
## ----------------

frontend www 10.1.1.1:80
mode http

acl no_ssl dst_port 80
redirect prefix https://sub1.mydomain.com if no_ssl

backend www
mode http
balance roundrobin
stats enable
option httpclose
option forwardfor
option httpchk HEAD /ha.txt HTTP/1.0

server Apache1 10.1.1.13:80 weight 100 check
server Apache2 10.1.1.14:80 weight 100 check
server Apache3 10.1.1.15:80 weight 100 check
server Apache4 10.1.1.16:80 weight 100 check

## ----------------
## HTTPS FRONTEND
## ----------------

frontend https-in
mode tcp
bind :443
default_backend bk-https

backend bk-https
mode tcp
balance source
option ssl-hello-chk

server Apache_ssl1 10.1.1.13:443 weight 100 check
server Apache_ssl2 10.1.1.14:443 weight 100 check
server Apache_ssl3 10.1.1.15:443 weight 100 check
server Apache_ssl4 10.1.1.16:443 weight 100 check


Notes: most of the requests users make will hit https://sub1.mydomain.com, but the problem is that once they get there, there are assets that load on sub2.mydomain.com and sub3.mydomain.com, and because traffic is going through HAProxy and we have that rule to rewrite everything to https://sub1.mydomain.com, half of the stuff won't load.

Any help is greatly appreciated, and thank you in advance. Willy, you rock!

Received on 2011/10/18 20:31
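
One way to change only the scheme while keeping the requested host, path and query string, as an added example that is not part of the original post or the poster's configuration. It assumes the three hostnames named in the post are the complete set the site serves; `redirect scheme` needs HAProxy 1.5 or later, and the commented per-host `redirect prefix` rules are the equivalent for older versions.

```haproxy
## Added example. Hostnames are the ones named in the post; the assumption is
## that sub1, sub2 and sub3 are the only names this site should answer for.

frontend www
    bind 10.1.1.1:80
    mode http

    # Allow-list of Host values. "redirect scheme" copies the client's Host
    # header into the Location header, so only known names are redirected.
    acl known_host hdr(host) -i sub1.mydomain.com sub2.mydomain.com sub3.mydomain.com

    # Any other Host value gets a 403 instead of a redirect that reflects it.
    http-request deny unless known_host

    # HAProxy 1.5+: Location = "https://" + Host header + original path and query.
    # A request for http://sub2.mydomain.com/img/a.png?v=1 is sent to
    # https://sub2.mydomain.com/img/a.png?v=1, not to sub1.
    http-request redirect scheme https code 301

    ## Older versions without "redirect scheme": one prefix rule per hostname,
    ## used in place of the two http-request lines above. "redirect prefix"
    ## appends the original path and query to the given prefix, so each host
    ## needs its own rule.
    # acl host_sub1 hdr(host) -i sub1.mydomain.com
    # acl host_sub2 hdr(host) -i sub2.mydomain.com
    # acl host_sub3 hdr(host) -i sub3.mydomain.com
    # redirect prefix https://sub1.mydomain.com if host_sub1
    # redirect prefix https://sub2.mydomain.com if host_sub2
    # redirect prefix https://sub3.mydomain.com if host_sub3
```

With either form every request on port 80 is answered by HAProxy itself, so the port-80 frontend needs no backend; the TCP-mode 443 frontend is unchanged.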
