
What I want to achieve are redirects:

http://test.com --> https://www.test.com
http://www.test.com/ -> https://www.test.com
https://test.com --> https://www.test.com

My current haproxy conf:

```
global
    log 127.0.0.1 local0 notice
    maxconn 3000
    user haproxy
    group haproxy
    daemon

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    retries 3
    option redispatch
    timeout connect  5000
    timeout client  5000
    timeout server  5000

frontend http-in
    bind *:80
    bind *:443 ssl crt /etc/letsencrypt/live/www.test.com/www.test.com.pem
    mode http
    http-request redirect prefix https://www.%[hdr(host)] code 301 if { hdr(host) -i test.com }   /// THIS DOESN'T WORK

    option forwardfor
    redirect scheme https code 301 if !{ ssl_fc }
    .
    .
    .
```

My Problems:

https://test.com and http://test.com don't redirect to https://www.test.com

Do I need an SSL cert for https://test.com? If yes, how do I add this to the haproxy conf?

Jurudocs

1 Answer


The redirect command that you have there just redirects from http to https - it does not manipulate any other part of the URL, so the behavior you see is expected.

For the HTTP -> HTTPS redirect, you probably want to use:

```
http-request redirect prefix https://www.test.com if !{ ssl_fc }
```

This will cause all redirects to target https://www.test.com regardless of the origin. But it will not solve the https://test.com to https://www.test.com issue as the condition (if !{ ssl_fc }) will not match.

You can probably use ACLs to add the required match, so something like this:

```
acl http     ssl_fc,not
acl host_www hdr_beg(host) www.
http-request redirect prefix https://www.test.com if http or !host_www
```

Guss
  • Thx for your answer. The acl part of your answer causes haproxy to error and not run. Trying to find out details :( – Jurudocs May 18 '20 at 09:30
  • redirect' rule : error in condition: no such ACL : 'http' – Jurudocs May 18 '20 at 09:34
  • And do I need an SSL cert to handle requests for https://test.com? – Jurudocs May 18 '20 at 09:45
  • Sorry about the `if http` thing - it also relies on ACL that I didn't put in. You can use your old test, and I will amend my answer. – Guss May 18 '20 at 09:51
  • Regarding test.com, in order to handle HTTPS requests to the front-end for `test.com`, you'd need either a new `frontend` definition with the correct certificate, or - which is what I do - set up your `www.test.com` certificate with a Subject Alternative Name for `test.com` - Let's Encrypt certbot supports this using the `-d` flag (and the correct authorization). – Guss May 18 '20 at 09:53
  • @Jurudocs - if you liked this answer, please accept and up vote. Thanks :-) – Guss May 18 '20 at 09:58
  • thx a lot... I'm just trying to figure out how this works with the Subject Alternative Name – Jurudocs May 18 '20 at 10:02
  • Generally, once you have the certbot configuration running, just add `-d test.com` to the command line, make sure it passes authorization, and the SAN will be added to your live certificate - you shouldn't need to change anything in your haproxy setup. – Guss May 18 '20 at 10:05
  • sorry for my stupidity... the command then would be `sudo certbot certonly --standalone -d test.com -d www.test.com` would that be right? :-[] – Jurudocs May 18 '20 at 10:12
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/108173/discussion-between-guss-and-jurudocs). – Guss May 18 '20 at 10:24
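
The following is an added example, not code from the question, the answer or HAProxy. It models the answer's rule (`http or !host_www`) together with the certificate point from the comments: the redirect for https://test.com is only sent after the TLS handshake, so the certificate has to list `test.com`. The SAN lists, the function names and the simplified name matcher are assumptions made for illustration.

```python
# Added example, not HAProxy code. SAN lists passed in are constructed samples.
from urllib.parse import urlsplit

CANONICAL = "https://www.test.com"  # prefix from the answer's redirect rule


def san_covers(sans, host):
    """True if a dNSName in `sans` matches `host`: exact match, or a
    wildcard standing for exactly one left-most label."""
    host = host.lower().rstrip(".")
    for name in (s.lower().rstrip(".") for s in sans):
        if name == host:
            return True
        head, _, tail = host.partition(".")
        if name.startswith("*.") and head and tail == name[2:]:
            return True  # '*.test.com' covers 'www.test.com', not 'test.com'
    return False


def redirect_for(url):
    """Model of: redirect prefix CANONICAL if http or !host_www.
    Returns the Location value, or None when the rule does not fire."""
    parts = urlsplit(url)
    is_http = parts.scheme == "http"            # acl http     ssl_fc,not
    host_www = parts.netloc.startswith("www.")  # acl host_www hdr_beg(host) www.
    if not (is_http or not host_www):
        return None
    query = "?" + parts.query if parts.query else ""
    return CANONICAL + (parts.path or "/") + query  # prefix keeps path and query


def audit(urls, sans):
    """Map each URL to (redirect target, tls_ok). For https URLs the rule
    only runs after the TLS handshake, so the certificate must cover the
    requested host or a validating client rejects the connection first."""
    report = {}
    for url in urls:
        parts = urlsplit(url)
        tls_ok = parts.scheme == "http" or san_covers(sans, parts.hostname)
        report[url] = (redirect_for(url), tls_ok)
    return report


if __name__ == "__main__":
    urls = ["http://test.com/", "http://www.test.com/", "https://test.com/"]
    for sans in (["www.test.com"], ["www.test.com", "test.com"]):
        print(sans, audit(urls, sans))
```

A wildcard entry such as `*.test.com` does not change the result for the bare domain, which is why the comments suggest adding `-d test.com` to the certificate request.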