4

I have a setup where HTTP(S) traffic goes from HAProxy to nginx.

            HAProxy    nginx
HTTP -----> :80  ----> :9080
HTTPS ----> :443 ----> :9443

I'm having trouble with implicit redirects caused by trailing slashes going from https to http, like this:

$ curl -k -I https://www.example.com/subdir
HTTP/1.1 301 Moved Permanently
Server: nginx/1.2.4
Date: Thu, 04 Oct 2012 12:52:39 GMT
Content-Type: text/html
Content-Length: 184
Location: http://www.example.com/subdir/

The reason obviously is HAProxy working as an SSL unwrapper, and nginx sees only http requests. I've tried setting X-Forwarded-Proto to https in the HAProxy config, but it does nothing.

My nginx setup is as follows:

server {
  listen       127.0.0.1:9443;
  server_name  www.example.com;

  port_in_redirect off;

  root   /var/www/example;
  index  index.html index.htm;
}

And the relevant parts from HAProxy config:

frontend https-in
    bind *:443 ssl crt /etc/example.pem prefer-server-ciphers
    default_backend nginxssl

backend nginxssl
    balance roundrobin
    option forwardfor
    reqadd X-Forwarded-Proto:\ https
    server nginxssl1 127.0.0.1:9443
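
A check for the symptom shown in the curl output above, added here as an example and not part of the original question: it parses a response head and reports whether the redirect for an HTTPS request points back to plain HTTP. The function names and the second, relative-Location sample are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

# Response head quoted in the question (curl -k -I https://www.example.com/subdir).
QUESTION_RESPONSE = """\
HTTP/1.1 301 Moved Permanently
Server: nginx/1.2.4
Date: Thu, 04 Oct 2012 12:52:39 GMT
Content-Type: text/html
Content-Length: 184
Location: http://www.example.com/subdir/
"""

# Constructed sample: the same redirect sent as a relative Location.
RELATIVE_RESPONSE = "HTTP/1.1 301 Moved Permanently\r\nlocation: /subdir/\r\n\r\n"

REDIRECT_CODES = (301, 302, 303, 307, 308)


def parse_head(raw):
    """Return (status_code, {lowercased header name: value}) from a raw response head."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]  # ignore any body
    lines = head.split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def check_redirect(request_url, raw):
    """Classify a response as 'no-redirect', 'ok' or 'downgrade' (https -> http)."""
    status, headers = parse_head(raw)
    location = headers.get("location")
    if status not in REDIRECT_CODES or location is None:
        return "no-redirect", None
    # Resolve relative and scheme-relative targets the way a client would.
    target = urljoin(request_url, location)
    if urlsplit(request_url).scheme == "https" and urlsplit(target).scheme == "http":
        return "downgrade", target
    return "ok", target


if __name__ == "__main__":
    for raw in (QUESTION_RESPONSE, RELATIVE_RESPONSE):
        print(check_redirect("https://www.example.com/subdir", raw))
```
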

3 Answers

1

I had the same problem. Nginx is doing some kind of autoredirect in this case, but you can catch and modify the default behavior using two location blocks:

# This location will catch the redirect nginx will do automatically
# because we are using an exact match ("=")
location = /subdir {
    return 301 https://yourdomainname/subdir/;
}

# This location will be used for the other requests
location /subdir {
}

Hope this helps

jcreignou
0

Is your backend nginx traffic supposed to be SSL (based on the port being 9443)? If so, then it looks as though your server directive in your nginxssl backend is missing an ssl keyword, so:

server nginxssl1 127.0.0.1:9443 ssl

That will cause haproxy to use SSL for the outbound communication to the nginx server. Or maybe you're doing this deliberately for testing at the mo?

In any case, it might also be worth specifying mode HTTP on your frontend and backend as well, as the default mode is TCP.

  • I have 'mode http' set on the defaults part of the HAProxy conf, sorry for it not being visible on the question. Additionally, nginx isn't using SSL, despite the (obviously poorly chosen) port number. –  Oct 08 '12 at 07:01
-1

It's not really a matter of http vs https; it's that you expect no trailing slash, but if subdir is, as its name implies, a subdirectory, then the syntax in your request is wrong and nginx fixes it for you so that you can repost a valid request, which will constitute a correct base for all subsequent requests made from relative objects found in this directory.

You would have had the same with http to http or https to https I think.

Willy Tarreau