Question

I have HAProxy as a load balancer and dynamic redirector to my webserver and websocket server so that they can run over the same port. My websocket server requires SSL termination at HAProxy.

I want to configure HAProxy so that http traffic is redirected to https but websockets work on both port 80 and 443 (ws and wss). Is this possible?

My current config is:

global
 maxconn 50000
 user root
 group root
 stats socket /tmp/haproxy
 node lb1
 nbproc 1
 #daemon
 #debug

defaults
 log global
 retries 3
 option dontlog-normal
 timeout connect 10000ms
 timeout client 10000ms
 timeout server 10000ms
 timeout tunnel 24h
 maxconn 50000
 mode http
 option http-server-close


backend wwwServers
 mode http
 balance roundrobin
 option httpchk HEAD / HTTP/1.1
 server www1 127.0.0.1:1138 check

backend wsServers
 server ws1 127.0.0.1:1137 check

frontend  secured
 bind :443 ssl crt /cert/cert.pem
 reqadd X-Forwarded-Proto:\ https
 default_backend wwwServers

frontend unsecured
 bind :80
 acl is_websocket hdr(Upgrade) -i WebSocket
 use_backend wsServers if is_websocket
 redirect scheme https if !{ ssl_fc }
 default_backend wwwServers

But this redirects the websocket connection before the upgrade, because HAProxy does the following when I run it: a 'redirect' rule placed after a 'use_backend' rule will still be processed before.

Any help would be appreciated.

Thanks,


Solution

The solution was as follows:

frontend  secured
    bind :443 ssl crt /path/to/certificate.pem
    reqadd X-Forwarded-Proto:\ https
    acl is_websocket hdr(Upgrade) -i WebSocket
    use_backend wsServers if is_websocket
    default_backend wwwServers
frontend unsecured
    bind :81,:80
    acl is_websocket hdr(Upgrade) -i WebSocket
    redirect scheme https if !{ ssl_fc } !is_websocket
    use_backend wsServers if is_websocket
    default_backend wwwServers

If a non-SSL, non-websocket connection is made, it is redirected.
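
To confirm the cleartext frontend behaves as described above, the following check is an added example, not part of the original answer. It sends one plain request and one with the `Upgrade` header that the `is_websocket` ACL matches, and judges each reply. The function names and the constructed handshake values are assumptions made for illustration.

```python
import socket

# Constructed handshake headers; the key is the sample nonce from RFC 6455.
WS_HEADERS = (
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 13\r\n"
)
REDIRECTS = (301, 302, 303, 307, 308)

def build_request(host, websocket):
    """Plain GET, or a GET carrying the Upgrade header the is_websocket ACL matches."""
    extra = WS_HEADERS if websocket else "Connection: close\r\n"
    return f"GET / HTTP/1.1\r\nHost: {host}\r\n{extra}\r\n".encode()

def parse_response(raw):
    """Return (status_code, headers); (0, {}) if no valid status line arrived."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split()
    if len(parts) < 2 or not parts[1].isdigit():
        return 0, {}
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def verdict(raw, websocket):
    """True if the reply matches the behaviour the answer describes."""
    status, headers = parse_response(raw)
    if websocket:
        # Routed to wsServers: the backend completes the upgrade with 101.
        return status == 101 and headers.get("upgrade", "").lower() == "websocket"
    # Any other cleartext request must be redirected to https.
    return status in REDIRECTS and headers.get("location", "").startswith("https://")

def probe(host, port=80, websocket=False, timeout=5.0):
    """Send one request to the cleartext frontend and judge the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(host, websocket))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    return verdict(raw, websocket)
```

With the configuration from the question, `probe(host, websocket=True)` returns `False` because the upgrade request receives the redirect; with the answer's configuration both probes return `True`.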

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow