I've got a problem I can't quite figure out and I'm hoping a Fedora list member can give me a hand. These systems are all Ubuntu based, but this doesn't appear to be an OS related issue as much as maybe I'm missing something with the configuration.
--
P.O. Box 3566 ::: Chapel Hill, N.C. 27515 ::: USA
We're needing to scale out one of our websites to multiple web servers. We've already scaled the DB into a 4 node cluster using haproxy with great success, so the plan has been to use haproxy for load balancing the web servers as well. (not the same haproxy, obviously)
The catch is that the existing website is HTTPS, and has been for well over a year. I want to have the load balancer handle the SSL end and use straight HTTP to the web servers to ease application debugging. As I'd never done SSL termination, I essentially copied one of the many template configs on the interwebs.
Here's my problem. When I pull the page from the web server itself (HTTP) it renders fine. When I pull it through the load balancer (HTTPS) it doesn't with an error about mixed content. Based on my research this should make the client see everything as coming from an SSL source even if it doesn't:
frontend lc_www
bind *:80
bind *:443 ssl crt /etc/ssl/private/vif.pem
acl secure dst_port eq 443
redirect scheme https if !{ ssl_fc }
rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload
rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure
default_backend lc_webfarm
backend lc_webfarm
http-request set-header X-Forwarded-Port %[dst_port]
http-request add-header X-Forwarded-Proto https if { ssl_fc }
server sb3 10.42.204.182:80
When I disable 'protection' in FF the site renders fine. When I enable SSL on the web servers directly, I do not get this error at all (and have never received this error in the near two years it's been HTTPS only). The website itself is joomla based, but I can't see how that's part of the problem.
Is there something weird with my config? Or can someone begin to tell me where to start debugging. BTW, this is using the latest Haproxy v1.6.
Any ideas?
Mark Haney ::: Senior Systems Engineer
VIF International EducationP.O. Box 3566 ::: Chapel Hill, N.C. 27515 ::: USA
Attachment:
haproxy.cfg
Description: Binary data
-- users mailing list users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
