Question

I have a working setup using a hardware load balancer that controls redirection in such a fashion that all requests to http://example.com/login/* are redirected (using HTTP 302) to https://example.com/login/* and all requests that are NOT for /login are inversely redirected from HTTPS to HTTP.

This allows me to wrap the login functions and user/password exchange in SSL but otherwise avoid slowing connections with encryption, and it also solves some problems with mixed content warnings for embedded content in some browsers.

The load balancer, however, is end of life and I am looking for a replacement solution, preferably in software.

I think HAProxy is going to be able to serve as my load balancing solution, but I have only been able to find configuration examples and documentation for redirecting everything from HTTP to HTTPS, or vice versa.

Is it possible to do what I am proposing using HAProxy or should I look for a different solution?

I realize I will need to use the development version of HAProxy to support SSL at all.


Solution

I would suggest you do not use a DEV build for your production environment.

To answer your question, I would assume you're going to use HAProxy version 1.4:

> Is it possible to do what I am proposing using HAProxy or should I look for a different solution?

Yes. It is possible, but you have to use another piece of software to handle the HTTPS traffic. Stunnel is proven to be good at this. So I'd say the setup is going to be:

  • HAProxy 1.4

    # Redirect http://../login to https://../login
    frontend HTTPSRedirect
        bind 1.2.3.4:80
        default_backend AppServers

        # "redirect prefix" prepends the prefix to the original URI, so the
        # prefix holds only scheme and host; /login/x keeps its path as-is.
        redirect prefix https://www.domain.com if { path_beg -i /login }

    # Handler for requests coming from Stunnel4.
    frontend HTTPReceiver
        bind 5.6.7.8:80
        default_backend AppServers
    
  • Stunnel4

    [https]
    accept=443
    ; HAProxy IP
    connect=5.6.7.8:80
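
Both redirect directions from the question in one HAProxy 1.4 configuration, as an added example that is not part of the original answer. The bind addresses and hostname are the ones used in the answer; the `defaults` section, timeouts and the backend server address 10.0.0.10:8080 are assumed placeholders.

```haproxy
# Added example. Assumes HAProxy 1.4 and stunnel forwarding decrypted
# HTTPS traffic to 5.6.7.8:80, as in the answer above.

defaults
    mode http                 # redirect rules need HTTP mode
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain-HTTP listener reached directly by browsers.
frontend HTTPSRedirect
    bind 1.2.3.4:80
    acl is_login path_beg -i /login
    # "redirect prefix" prepends the prefix to the original URI, so
    # /login/x becomes https://www.domain.com/login/x (HTTP 302 by default).
    redirect prefix https://www.domain.com if is_login
    default_backend AppServers

# Listener for requests that arrived over HTTPS and were decrypted by stunnel.
# Keep this address reachable from the stunnel host only (firewall or a
# loopback bind); a client that reaches it directly could use /login over
# plain HTTP without ever being redirected.
frontend HTTPReceiver
    bind 5.6.7.8:80
    acl is_login path_beg -i /login
    # Inverse rule: anything outside /login is sent back to plain HTTP.
    redirect prefix http://www.domain.com unless is_login
    default_backend AppServers

backend AppServers
    # Placeholder application server.
    server app1 10.0.0.10:8080 check
```

Because everything outside /login travels over HTTP in this layout, a session cookie issued at login crosses the network unencrypted on every later request.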
    
Licensed under: CC-BY-SA with attribution