
My workplace has an HAProxy which we use for routing to webservers, needing only one public IP. Some of our customers want https, some do not.

I would like to enforce https on a per backend basis.

I found this, only it does not say if this config is for frontend or backend. Maybe it will work for both?

```
http-request redirect location [code ] [] []
```

or this:

```
mode http
redirect scheme https if !{ ssl_fc }
```

So I thought I'd put this in some of the backends:

```
http-request redirect location https://www.somedomain.com [code 301]
```

Will this work? Our lab env. is tied up so I cannot test it in a timely fashion.

carlfilip92
  • Put these in the frontend. When you're redirecting, there's generally no reason for the request to even proceed to the point where a backend is selected. – Michael - sqlbot May 03 '17 at 12:35
  • I generally shy away from using 301 redirects, because there is no way to guarantee if/when the user will visit the redirected URL. From another answer: [`[P]revention is better than cure - avoid a 301 redirect if you are not sure you want to permanently de-commission the old URL`](http://stackoverflow.com/a/21396547/6510524) – Matt Rice May 05 '17 at 14:58

2 Answers


I created my own test backend. This works:

```
backend lb_customername
    mode http
    redirect scheme https if !{ ssl_fc }

    balance roundrobin

    server server1 10.0.0.51:80 maxconn 200
    server server2 10.0.0.52:80 maxconn 200
```
carlfilip92

From the HAProxy documentation for `redirect scheme`:

```
May be used in sections
defaults    no
frontend    yes
listen      yes
backend     yes
```

So this will work (copied from a working deployment):

```
backend https_for_all_traffic
    redirect scheme https if !{ ssl_fc }

    server https_only 10.21.5.73:80
```

Since the !{ ssl_fc } check is essentially just another ACL, you could even combine it with other ACLs and forward only certain traffic:

```
backend https_for_some_traffic
    # Detect traffic to admin pages
    acl secure    url_beg    /admin

    # Force any HTTP admin traffic to HTTPS
    #  the conditions are combined with an implicit AND
    redirect scheme https if !{ ssl_fc } secure

    server both_http_and_https 10.21.5.73:80
```
Matt Rice
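An added example, not part of either answer and not HAProxy tooling: a small audit script that reads a config and reports, per backend, whether plain-HTTP requests are redirected for all traffic, only for requests matching extra ACLs, or not at all. The function names, status strings and the `plain_http_customer` backend are assumptions made for illustration; it inspects `backend` sections only, so a redirect placed in the frontend is not counted.

```python
import re

SECTION = re.compile(r"^(global|defaults|frontend|listen|backend)\b\s*(\S*)")
# Accepts `redirect scheme https ...` and `http-request redirect scheme https ...`.
REDIRECT = re.compile(r"^(?:http-request\s+)?redirect\s+scheme\s+https\b(.*)$")
PLAIN_HTTP = ["!{", "ssl_fc", "}"]  # tokens of the anonymous ACL `!{ ssl_fc }`

def classify(rest):
    """Classify whatever follows `redirect scheme https` on a rule line."""
    tokens = rest.split()
    if "if" not in tokens:
        return "other-condition"
    cond = tokens[tokens.index("if") + 1:]
    if cond == PLAIN_HTTP:
        return "all-http-redirected"
    # Extra ACLs are ANDed with `!{ ssl_fc }`, so only matching requests redirect.
    if all(t in cond for t in PLAIN_HTTP):
        return "some-http-redirected"
    return "other-condition"

def audit_backends(cfg_text):
    """Map each backend name to how its plain-HTTP traffic is treated."""
    report, kind, name = {}, None, None
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumption: no '#' inside values
        if not line:
            continue
        section = SECTION.match(line)
        if section:
            kind, name = section.groups()
            if kind == "backend":
                report[name] = "no-redirect"
            continue
        rule = REDIRECT.match(line)
        if rule and kind == "backend" and report[name] != "all-http-redirected":
            report[name] = classify(rule.group(1))
    return report

# Constructed sample: two backends from the answer above plus one with no rule.
SAMPLE_CFG = """
backend https_for_all_traffic
    redirect scheme https if !{ ssl_fc }
    server https_only 10.21.5.73:80
backend https_for_some_traffic
    acl secure    url_beg    /admin
    redirect scheme https if !{ ssl_fc } secure
    server both_http_and_https 10.21.5.73:80
backend plain_http_customer
    server web1 10.0.0.60:80
"""
```

Calling `audit_backends(SAMPLE_CFG)` returns a dict keyed by backend name; any backend reported as `no-redirect` or `some-http-redirected` still serves at least some requests over plain HTTP.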