marathon-lb

http to https redirect behind AWS load balancer

Open dyerz opened this issue 7 years ago • 3 comments

I need to redirect traffic for all http traffic to https. I am using an ELB to terminate the SSL.

Since I couldn't find a way to redirect all traffic to https, I started forwarding app-by-app.

First, I used this, but that resulted in infinite redirects:

HAPROXY_0_REDIRECT_TO_HTTPS=true

Then I found this suggestion in the wiki:

HAPROXY_0_BACKEND_HTTP_OPTIONS= acl is_proxy_https hdr(X-Forwarded-Proto) https\n redirect scheme https unless { ssl_fc } or is_proxy_https\n

However, it does not redirect traffic to https at all.

<IP>:9090/_haproxy_getconfig

backend hello-world_10152
  balance roundrobin
  mode http
  acl is_proxy_https hdr(X-Forwarded-Proto) https\n  redirect scheme https unless { ssl_fc } or is_proxy_https\n  option  httpchk GET /
  timeout check 10s
  server IP_PORT IP:PORT check inter 2s fall 11

(I also tried the approach using both labels.)

Any help would be greatly appreciated.

dyerz, May 24 '17 20:05

I have this problem too, using the ELB (ALB). I've tried both the stuff in the wiki and the HAPROXY_0_REDIRECT_TO_HTTPS in the app.

Anything else to try to get this to work?

ac-hibbert, Nov 09 '17 20:11

Okay, I managed to get this working okay, I think. The issue for me is that my ALB was misconfigured and I had one target group serving listeners on ports 80, 443 and 9090, with the target group having the instances as targets on ports 80, 443 and 9090. To sort this I now have two target groups. Listeners on ports 80 and 443 point to a target group with the hosts with marathon-lb on port 80. The listener on port 9090 points to a target group with the hosts with marathon-lb on port 9090. In the app I needed this:

HAPROXY_0_BACKEND_HTTP_OPTIONS= acl is_proxy_https hdr(X-Forwarded-Proto) https\n redirect scheme https unless { ssl_fc } or is_proxy_https\n

And also the other redirect set to false

HAPROXY_0_REDIRECT_TO_HTTPS=false

It then seems to work okay

ac-hibbert, Nov 10 '17 20:11

Hi @hibbert, could you please share the full configuration on your app? I'm currently facing the same issue when deploying a Jenkins service from Mesosphere using the marathon-lb; using the HAPROXY_0_REDIRECT_TO_HTTPS=true results in infinite redirects.

cepefernando, Sep 27 '18 21:09
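
Added example, not part of the thread or of marathon-lb: a small Python model of the two redirect rules discussed above when a load balancer terminates TLS in front of HAProxy, plus a check for the literal `\n` visible in the rendered config in the first post. The `ssl_fc`-only model of HAPROXY_0_REDIRECT_TO_HTTPS=true, the function names and the sample config are assumptions constructed for illustration.

```python
# Added example: models the redirect rules from the thread behind a
# TLS-terminating load balancer. Names and sample data are constructed.

WIKI_RULE = "wiki"      # redirect unless { ssl_fc } or X-Forwarded-Proto is https
SSL_FC_ONLY = "ssl_fc"  # assumed model of HAPROXY_0_REDIRECT_TO_HTTPS=true

def haproxy_redirects(rule, ssl_fc, x_forwarded_proto):
    """Return True if HAProxy would answer with a redirect to https."""
    if ssl_fc:
        return False
    if rule == WIKI_RULE and x_forwarded_proto == "https":
        return False
    return True

def hops_until_served(rule, client_scheme, max_hops=5):
    """Follow redirects as a browser would; None means a redirect loop."""
    for hop in range(max_hops):
        # The load balancer terminates TLS, so HAProxy always sees plain HTTP
        # (ssl_fc is False) and learns the client scheme only from the header.
        if not haproxy_redirects(rule, ssl_fc=False,
                                 x_forwarded_proto=client_scheme):
            return hop
        client_scheme = "https"  # the browser follows the redirect
    return None

def lines_with_literal_newline(config_text):
    """Lines of a rendered config that still contain a backslash-n pair."""
    return [ln for ln in config_text.splitlines() if "\\n" in ln]

# Constructed sample in the shape of the _haproxy_getconfig output above.
BROKEN = r"""backend hello-world_10152
  mode http
  acl is_proxy_https hdr(X-Forwarded-Proto) https\n  redirect scheme https unless { ssl_fc } or is_proxy_https\n  option  httpchk GET /
"""
# The same backend with each backslash-n rendered as a real line break.
FIXED = BROKEN.replace("\\n", "\n")

if __name__ == "__main__":
    print("ssl_fc-only rule, http client:", hops_until_served(SSL_FC_ONLY, "http"))
    print("wiki rule, http client:", hops_until_served(WIKI_RULE, "http"))
    print("literal \\n lines:", len(lines_with_literal_newline(BROKEN)),
          "->", len(lines_with_literal_newline(FIXED)))
```

The wiki rule depends on the load balancer setting X-Forwarded-Proto itself; the model assumes HAProxy is reachable only through it.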