HAProxy & Nginx SSL redirect issues

by vietnguyen09   Last Updated December 06, 2018 15:00 PM

I have 2 websites, websitea.com and websiteb.com, hosted on two servers, 10.0.0.8 and 10.0.0.12, behind a load balancer, and I am trying to make both work over HTTP and HTTPS with this config.

HTTPS works fine for https://websitea.com, but https://websiteb.com always redirects to https://websitea.com even though I have not configured a redirect anywhere. Please point out where I went wrong and what I should do to fix this.

# Process-wide settings. Only the DH parameter size is shown; the rest is elided.
global
    ...
    # Size (in bits) of the ephemeral DH parameters used for DHE key exchange
    # on SSL binds that have no DH parameters in their certificate file.
    # NOTE(review): no ssl-default-bind-ciphers / ssl-default-bind-options are
    # visible here; if they are not in the elided lines, the client-facing TLS
    # policy is whatever the HAProxy/OpenSSL build defaults to - confirm.
    tune.ssl.default-dh-param 2048

defaults
    ....

# Statistics listener. With no address given, ":4444" binds on all interfaces.
# NOTE(review): confirm the elided lines restrict access (e.g. "stats auth",
# an ACL, or a bind on an internal address), since the stats page exposes
# backend names, addresses and health state.
listen stats :4444
    ...

# Plain-HTTP entry point: accepts port 80 on all addresses and hands every
# request to the http-in backend. No "mode http" is set here, so the mode
# comes from the elided defaults section - TODO confirm it is http.
frontend http-web
    bind *:80
    default_backend     http-in

#---------------------------------------------------------------------
# round robin balancing between the various backends
#---------------------------------------------------------------------
# This backend is only reached from the port-80 frontend, where ssl_fc is
# never true, so the redirect rule below fires for every request and the
# cookie/balance/server lines are effectively never used.
backend http-in
    # Sends an HTTP redirect to the same host and URI with the https scheme
    # whenever the client connection was not made over SSL. The Host is kept,
    # so this rule alone does not turn websiteb.com into websitea.com.
    redirect scheme https if !{ ssl_fc }
    # Cookie-based persistence. NOTE(review): the server lines carry no
    # "cookie <value>", so no server is actually tagged - confirm intent.
    cookie      SERVERID insert indirect nocache
    # Passes the client address to the server in X-Real-IP rather than the
    # default X-Forwarded-For header name.
    option      forwardfor header X-Real-IP
    option      http-server-close
    option      httplog
    balance     roundrobin
    server      web01 10.0.0.8:80 check
    server      web02 10.0.0.12:80 check

# HTTPS entry point. TLS from the browser is terminated here, so this bind
# line (plus any global ssl-default-bind-* settings) is what defines the
# client-facing protocol and cipher policy, not the nginx ssl_* directives.
frontend https-web
    # Two certificates are loaded; HAProxy selects one by the SNI name the
    # client sends and falls back to the first one listed (websitea.pem) when
    # there is no SNI or no match.
    # NOTE(review): no minimum TLS version or cipher list is set on this bind;
    # confirm they are set globally, otherwise build defaults apply.
    bind *:443 ssl crt /etc/haproxy/ssl/websitea.pem crt /etc/haproxy/ssl/websiteb.pem
    mode http
    default_backend https-in

# Re-encrypting backend: HAProxy opens a new TLS connection to nginx on 443.
# NOTE(review): unlike http-in, no "option forwardfor" is visible here, so
# unless the elided defaults add it nginx sees only HAProxy's address.
backend https-in
    mode http
    balance roundrobin
    # Source-IP stickiness: a client address is pinned to one server for up to
    # 30 minutes of inactivity, with room for 200k entries.
    stick-table type ip size 200k expire 30m
    stick on src
    default-server inter 1s
    # "ssl verify none" encrypts the hop but does not validate the server
    # certificate, so HAProxy cannot tell a genuine backend from another host
    # answering on that address. Prefer "verify required" with a "ca-file"
    # that contains the issuing CA of the backend certificates.
    # No "sni" is set either, so HAProxy sends no server name to nginx and
    # nginx presents the certificate of its default server for that address;
    # with verification off that mismatch goes unnoticed. If per-site
    # certificates should be checked, add e.g. "sni req.hdr(host)".
    server  web01 10.0.0.8:443 check ssl verify none
    server  web02 10.0.0.12:443 check ssl verify none

websitea.conf

This is my NGINX websitea.conf for server 10.0.0.8. On server 10.0.0.12 the main difference is only the IP address.

# Virtual server for websitea.com on the backend address. Because HAProxy
# terminates the browser's TLS session, the ssl_* directives here govern only
# the HAProxy -> nginx hop.
# Neither server block on 10.0.0.8:443 is marked default_server, so nginx uses
# the first one it loads for that address as the default: it serves requests
# whose Host matches no server_name and TLS handshakes that carry no SNI.
# NOTE(review): if files are included alphabetically this block is that
# default - confirm the exact Host that reaches nginx for the failing site.
server {
        listen   10.0.0.8:443 ssl http2;

        server_name websitea.com;

        # SSL
        ssl_certificate /etc/nginx/ssl/websitea-bundle-full.crt;
        ssl_certificate_key /etc/nginx/ssl/websitea-private.key;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep TLSv1.2 and add
        # TLSv1.3 where the nginx/OpenSSL build supports it.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        # The tail of this list still permits 3DES (DES-CBC3-SHA), CBC suites
        # with SHA-1, and static-RSA key exchange without forward secrecy
        # (AES128-SHA, AES256-SHA ...). The only peer here is HAProxy, so the
        # list can be cut down to the ECDHE AEAD suites at the front.
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

        # Improve HTTPS performance with session resumption
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 1d;

        # DH parameters
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;

        # Enable HSTS
        # Sent on every response ("always") and relayed to browsers by HAProxy.
        # A browser that has seen it forces HTTPS for this host for one year,
        # so retest redirect behaviour with a clean profile or curl.
        add_header Strict-Transport-Security "max-age=31536000" always;    


        access_log /var/log/nginx/websitea.access.log main_ext;
        error_log /var/log/nginx/websitea.errors.log warn;

        ....
    }

websiteb.conf

# Virtual server for websiteb.com on the same address and port as websitea.com.
# nginx picks between the two by the Host header of each request. A Host that
# matches neither server_name (a www. prefix, for instance) is served by the
# default server for 10.0.0.8:443, which is the first block loaded because
# none is marked default_server.
# NOTE(review): nothing visible here issues a redirect to websitea.com; the
# cause is probably in the elided lines, the application, or default-server
# selection - confirm with curl against the backend using an explicit Host.
server {
        listen   10.0.0.8:443 ssl http2;

        server_name websiteb.com;

        # SSL
        ssl_certificate /etc/nginx/ssl/websiteb-bundle-full.crt;
        ssl_certificate_key /etc/nginx/ssl/websiteb-private.key;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep TLSv1.2 and add
        # TLSv1.3 where the nginx/OpenSSL build supports it.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        # Same list as websitea.conf: the tail still permits 3DES, CBC suites
        # with SHA-1, and static-RSA key exchange without forward secrecy.
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';

        # Improve HTTPS performance with session resumption
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 1d;

        # DH parameters
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;

        # Enable HSTS
        # Sent on every response ("always") and relayed to browsers by HAProxy.
        add_header Strict-Transport-Security "max-age=31536000" always;    


        # NOTE(review): these paths point at the websitea log files, so hits on
        # websiteb.com are mixed into websitea's logs and the files cannot show
        # which server block handled a request. Likely a copy-paste leftover;
        # use websiteb-specific files while debugging.
        access_log /var/log/nginx/websitea.access.log main_ext;
        error_log /var/log/nginx/websitea.errors.log warn;

        ....
    }
Tags : nginx ssl haproxy

