I'm using haproxy with stunnel handling SSL (and using the proxy mode to preserve the original IP from haproxy).
I have several acl tests that redirect to different backends depending on the domain, headers, or path.
The problem is that these are identical whether you're coming in via http or https, but I have to duplicate them in the config. Is there any way to reduce the duplication?
Here's a sample config:
global
user haproxy
group haproxy
#etc...
frontend http-in
bind *:80
acl files_path path_beg /files/
acl beta_host hdr_beg(host) -i beta.
use_backend files if files_path
use backend beta_host
default_backend appservers
frontend https-in
bind *:442 accept-proxy
acl files_path path_beg /files/
acl beta_host hdr_beg(host) -i beta.
use_backend files if files_path
use backend beta_host
default_backend appservers
backend appservers
balance roundrobin
option forwardfor
server appserver_1 localhost:8080 weight 1
server appserver_2 192.168.1.101:8080 weight 1
backend files
balance roundrobin
option forwardfor
server file1 192.168.1.102 weight 1
server file2 192.168.1.103 weight 1
backend beta
balance roundrobin
server beta1 192.168.1.104 weight 1
The http-in and https-in have different ports, and the https-in has to sepcify accept-proxy so that stunnel can use the proxy protocol to pass it the original IP of the user. But other than that they are identical, and should always be identical. Is there any way to reduce this duplication? (haproxy 1.5-dev)
you could simply bind one http in frontend to both.
frontend http-in
bind *:80
bind 0.0.0.0:443 transparent