Hi,
I'm having trouble using stunnel and haproxy to load balance https and http traffic. To be honest, I really don't know whether it is stunnel or haproxy related so I am going to contact both lists :)
I have set up a haproxy load balancer as http proxy for two backend Apache2 webservers. It works fine. I also have stunnel on the same LB to add SSL support (with xforwardedfor patch installed). It works fine (mostly).
The issue is related to Apache trailing slash thingie. If I query https://haproxy.domain.loc/hatest/ it works perfectly, but if I omit the trailing slash: https://haproxy.domain.loc/hatest then the following things happen:
- Browser makes SSL connection with stunnel on port 443.
- stunnel deciphers and forwards the request on the haproxy attached to LB's port 80.
- haproxy (now using plain http) forwards to one of the backends.
- Apache2 located on the backend replies with "301 moved permanently" to force the browser to add the trailing slash. As Apache was queried by *haproxy in plain http*, the 301 includes http:// on the Location header. HTTPS is over from now!
- The client browser then rewrites the address to http://haproxy.domain.loc/hatest/ and SSL is lost forever.
I've been googling and searching the lists but found nothing, just this old message:
http://mirt.net/pipermail/stunnel-users/2007-January/001437.html
Has anyone found a workaround for that issue?
Thanks in advance.
At 5:57 PM +0200 4/4/08, Alberto Giménez wrote:
Hi,
I'm having trouble using stunnel and haproxy to load balance https and http traffic. To be honest, I really don't know whether it is stunnel or haproxy related so I am going to contact both lists :)
I have set up a haproxy load balancer as http proxy for two backend Apache2 webservers. It works fine. I also have stunnel on the same LB to add SSL support (with xforwardedfor patch installed). It works fine (mostly).
The issue is related to Apache trailing slash thingie. If I query https://haproxy.domain.loc/hatest/ it works perfectly, but if I omit the trailing slash: https://haproxy.domain.loc/hatest then the following things happen:
- Browser makes SSL connection with stunnel on port 443.
- stunnel deciphers and forwards the request on the haproxy attached to LB's port 80.
- haproxy (now using plain http) forwards to one of the backends.
- Apache2 located on the backend replies with "301 moved permanently" to force the browser to add the trailing slash. As Apache was queried by *haproxy in plain http*, the 301 includes http:// on the Location header. HTTPS is over from now!
- The client browser then rewrites the address to http://haproxy.domain.loc/hatest/ and SSL is lost forever.
I've been googling and searching the lists but found nothing, just this old message:
http://mirt.net/pipermail/stunnel-users/2007-January/001437.html
Has anyone found a workaround for that issue?
Alberto,
Why not process the existence or not of X-Forwarded-For in your index file? Something like
index.php:

<?php
// http_get_request_headers() comes from the pecl_http extension;
// getallheaders() is the equivalent under Apache's PHP module.
$hdr = http_get_request_headers();
// stunnel (with the xforwardedfor patch) adds X-Forwarded-For to requests
// that arrived over SSL; if it is absent, the request came in as plain http,
// so send the browser back to the https:// version of this directory.
if (!isset($hdr['X-Forwarded-For'])) {
    $host = $_SERVER['HTTP_HOST'];
    $uri  = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
    header("Location: https://$host$uri/index.php");
    exit; // stop here so no page body is sent along with the redirect
}
?>
Tom
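An added example, not from either poster, of the proxy-side alternative to Tom's PHP check: the layer that terminated SSL rewrites an upstream 301's http:// Location back to https:// before the browser sees it, but only when the request really arrived over SSL and only for the LB's own host name (assumed here to be haproxy.domain.loc from the thread), so redirects to other sites are left alone.

```python
"""Rewrite http:// Location headers on responses to requests that came in over SSL.

Topology assumed (from the thread): stunnel terminates SSL on :443 and hands plain
HTTP to haproxy, which talks plain HTTP to Apache. Apache's trailing-slash 301 is
built from the plain-HTTP request it saw, so its Location starts with http://.
"""
from urllib.parse import urlsplit, urlunsplit

PUBLIC_HOST = "haproxy.domain.loc"  # constructed: the LB's public name in the thread


def fix_location(location: str, request_was_ssl: bool, public_host: str = PUBLIC_HOST) -> str:
    """Return the Location value with http:// upgraded to https:// when warranted."""
    if not request_was_ssl:
        return location              # plain-http client: Apache's answer is right
    parts = urlsplit(location)
    if parts.scheme.lower() != "http":
        return location              # already https, or a relative URL: nothing to do
    host = parts.hostname or ""
    if host.lower() != public_host.lower():
        return location              # redirect to some other site: do not touch it
    # An explicit :80 no longer makes sense once the browser is sent to 443.
    netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def rewrite_response(raw: bytes, request_was_ssl: bool) -> bytes:
    """Apply fix_location to every Location header in a raw HTTP/1.1 response."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    for i, line in enumerate(lines):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"location":
            fixed = fix_location(value.strip().decode("latin-1"), request_was_ssl)
            lines[i] = b"Location: " + fixed.encode("latin-1")
    return b"\r\n".join(lines) + sep + body


# Constructed sample: what the backend Apache returns for GET /hatest (no slash).
APACHE_301 = (b"HTTP/1.1 301 Moved Permanently\r\n"
              b"Location: http://haproxy.domain.loc/hatest/\r\n"
              b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(rewrite_response(APACHE_301, request_was_ssl=True).decode("latin-1"))
```

The same rule belongs in the proxy's response-header rewriting (haproxy can do it in its configuration) rather than in every application, since any backend that builds absolute URLs from the request it saw has the same problem.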