I've got a problem I can't quite figure out and I'm hoping a Fedora list
member can give me a hand.  These systems are all Ubuntu based, but this
doesn't appear to be an OS related issue as much as maybe I'm missing
something with the configuration.

We're needing to scale out one of our websites to multiple web servers.
We've already scaled the DB into a 4 node cluster using haproxy with great
success, so the plan has been to use haproxy for load balancing the web
servers as well.  (not the same haproxy, obviously)

The catch is that the existing website is HTTPS, and has been for well over
a year.  I want to have the load balancer handle the SSL end and use
straight HTTP to the web servers to ease application debugging.  As I'd
never done SSL termination, I essentially copied one of the many template
configs on the interwebs.

Here's my problem.  When I pull the page from the web server itself (HTTP)
it renders fine.  When I pull it through the load balancer (HTTPS) it
doesn't, with an error about mixed content.  Based on my research this
should make the client see everything as coming from an SSL source even if
it doesn't:

frontend lc_www
    bind *:80
    bind *:443 ssl crt /etc/ssl/private/vif.pem
    acl secure dst_port eq 443
    redirect scheme https if !{ ssl_fc }
    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload
    rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure
    default_backend lc_webfarm

backend lc_webfarm
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }

    server sb3 10.42.204.182:80

When I disable 'protection' in FF the site renders fine.  When I enable SSL
on the web servers directly, I do not get this error at all (and have never
received this error in the near two years it's been HTTPS only).  The
website itself is Joomla based, but I can't see how that's part of the
problem.

Is there something weird with my config?  Or can someone begin to tell me
where to start debugging?  BTW, this is using the latest HAProxy v1.6.

Any ideas?

-- 

Mark Haney ::: Senior Systems Engineer
*VIF* International Education
P.O. Box 3566 ::: Chapel Hill, N.C. 27515 ::: USA
919-265-5006 office
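
One way to see which resources trigger the mixed-content error described above is to parse the HTML the backend returns and list every subresource that still resolves to http:// when the page itself is served over https://. This is an added example, not part of the original post; the example.com URLs, the sample HTML and the function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> (URL attribute, kind). "active" loads are blocked by the browser's
# mixed-content protection; "passive" loads usually only raise a warning.
# <a href> is navigation, not a subresource, so it is deliberately absent.
SUBRESOURCES = {
    "script": ("src", "active"), "iframe": ("src", "active"),
    "link": ("href", "active"), "img": ("src", "passive"),
    "audio": ("src", "passive"), "video": ("src", "passive"),
    "source": ("src", "passive"),
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url   # replaced when the page carries <base href>
        self.findings = []     # (kind, tag, resolved URL)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href"):
            # An http:// base makes every later relative URL insecure too.
            self.base = urljoin(self.base, a["href"])
            return
        if tag not in SUBRESOURCES:
            return
        attr, kind = SUBRESOURCES[tag]
        # Only stylesheet links are fetched and applied; skip rel=canonical etc.
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return
        if a.get(attr):
            url = urljoin(self.base, a[attr])
            if urlsplit(url).scheme == "http":
                self.findings.append((kind, tag, url))

def find_mixed_content(html, page_url):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.findings

# Constructed sample of what a backend might emit when it believes it is on HTTP.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://www.example.com/templates/site/css/template.css">
<link rel="canonical" href="http://www.example.com/">
<script src="/media/system/js/core.js"></script>
</head><body><img src="http://www.example.com/images/logo.png">
<a href="http://www.example.com/about">About</a></body></html>"""

if __name__ == "__main__":
    for kind, tag, url in find_mixed_content(SAMPLE, "https://www.example.com/"):
        print(f"{kind:8} <{tag}> {url}")
```

To use it on a real page, save the HTML returned by the backend and pass it in together with the public https:// address of the page.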
