How do you redirect HTTP to HTTPS with HAProxy?

[Taomyn]

I'd like to set HAProxy to redirect web requests for HTTP to HTTPS, but I can't figure out how to do it? I can't get the web server to perform this itself because I require it to accept port 80 requests from HAProxy when it gets HTTPS connections.

I have to do it this way now because of my other issue where HAProxy is not working with SNI on my IIS server, otherwise I would leave HTTPS to connect via HTTPS and then get IIS to redirect HTTP to HTTPS itself (which is how I had it working until I needed to switch to Let's Encrypt certificates).

[fraenki]

I'd like to set HAProxy to redirect web requests for HTTP to HTTPS, but I can't figure out how to do it?

You need to create an ACL for this. In the current release of our HAProxy plugin it is already possible to select "Traffic is ssl" as ACL expression, but this is quite unreliable.

The next release of our HAProxy plugin (1.14) will provide the new expression "SSL/TLS connection established" to detect reliably wether it's a SSL connection or not. (https://github.com/opnsense/plugins/pull/110)

When HAProxy plugin version 1.14 is released you'll be able to configure HTTP-to-HTTPS redirects like this:
- create new ACL, choose expression "SSL/TLS connection established" (tick the "Negate condition" checkbox)
- create new ACTION, choose your new ACL, select action "http-request redirect", add to "Set value": scheme https code 301
- add the new action to your HTTP frontend (note that this will NOT work in TCP mode)

See the attached screenshots for an example.

A little bit complicated for a simple redirect, but I think this is the price one has to pay for the great flexibility that HAProxy has to offer.


Regards
- Frank

[Taomyn]

Excellent, look forward to its release, and I agree a small price to pay for better features - it can't always be simple ;-)

[tmaniac]

So it's still a bit unclear to me.
I have a few websites set up in HAProxy and i want to force a few of them to HTTPS.

So how can i configure this for a specific website? (and not all HTTP traffic)

[alexschomb]

I'd like to set HAProxy to redirect web requests for HTTP to HTTPS, but I can't figure out how to do it?

You need to create an ACL for this. In the current release of our HAProxy plugin it is already possible to select "Traffic is ssl" as ACL expression, but this is quite unreliable.

The next release of our HAProxy plugin (1.14) will provide the new expression "SSL/TLS connection established" to detect reliably wether it's a SSL connection or not. (https://github.com/opnsense/plugins/pull/110)

When HAProxy plugin version 1.14 is released you'll be able to configure HTTP-to-HTTPS redirects like this:
- create new ACL, choose expression "SSL/TLS connection established" (tick the "Negate condition" checkbox)
- create new ACTION, choose your new ACL, select action "http-request redirect", add to "Set value": scheme https code 301
- add the new action to your HTTP frontend (note that this will NOT work in TCP mode)

See the attached screenshots for an example.

A little bit complicated for a simple redirect, but I think this is the price one has to pay for the great flexibility that HAProxy has to offer.


Regards
- Frank

Hello Frank,

thanks for your how-to. Unfortunately it doesn't seem to work in my setup. I followed every of your steps, but when I curl the IP HAproxy is listening on (obviously I set the frontend to listen both to port 80 AND 443: 0.0.0.0:80 0.0.0.0:443) I just receive: "curl: (52) Empty reply from server"

HTTPs is working fine and the port in the firewall is open as well. I also disabled all let's encrypt rules in HAproxy to prevent any problems. Still I'd like to use Let's Encrypt as well, how would I do that? Both frontends would be listening on the same port 80 for the same IP. I suppose that is no problem?

Best regards and thanks for your work,

Alex

[alexschomb]

Sorry, I got it working on my own.

One important step for this was to create a separate frontend for all port 80 requests (0.0.0.0:80) and disable the default "letsencrypt" frontend using the same port. I set the new frontend to have no default backend and added the "redirect_to_https" and "redirect_acme_challenges" actions (ACL). I also enabled "X-Forwarded-For" although I don't know whether I really need that for the HTTP frontend with 301 redirects.

In a second step I copied the "find_acme_challenge" ACL, negated the condition and named it "not_acme_challenge". I added that new ACL to the "redirect_to_https" action (ACL) and made sure that the logical operator was set to "AND [default]". I also set the "rediret_to_https" action (ACL) to use my usual "webservers" backend that I use with the HTTPS frontend as well.

Hope that helps others as well.

P.S.: I read that v2.0 of HAproxy plugin be released soon and there is going to be a major overhaul of the UI. This tutorial might not be applicable to future versions.