
Haproxy ssl redirect handshake failure

I have haproxy v1.5.4 working with http & https. I am binding *:80 & *:443 to the same frontend and using the same ACLs.

I want to create an http -> https redirect:

frontend http-in
    bind *:80
    bind *:443 ssl crt /etc/pki/tls/certs/...

    ...

    acl is_office path_beg /office
    http-request redirect scheme https if !{ ssl_fc } is_office

    use_backend office if is_office

This causes

10.XXXXX:36909 [16/Dec/2015:17:23:07.678] http-in/2: SSL handshake failure

when I access over http (expecting the redirect).

If I access via https then it correctly hits the backend and proxies through to the service over 443.

backend office
  balance roundrobin
  server backbone-daily 10.XXXXXX:443 ssl check verify none

The self-signed cert validates and works without the redirect. It feels like I'm missing something in the redirect stage.

Any help much appreciated.

James Morgan asked Nov 21 '22 20:11


1 Answer

Since we use the HAProxy Plugin with OPNsense, which only has a GUI, I can't give an answer containing working code. However, I can retrace the steps that finally made this work for us.

  1. Set up your mapping rules as usual
  2. Set up a rule HTTP_REDIRECT without any conditions but with the function http-request redirect scheme https
  3. Create two public services, one for port 443 and one for port 80
  4. Set up the public service for 443 with SSL Offloading and your mapping rules
  5. Set up the public service for 80 without SSL Offloading, and only your HTTP_REDIRECT rule

I suspect this would translate to code something like this:

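# TLS frontend: SSL offloading plus the mapping rules
frontend http-in
    bind *:443 ssl crt /etc/pki/tls/certs/...
    acl is_office path_beg /office
    use_backend office if is_office

# Plain-HTTP frontend: no SSL offloading, only the unconditional redirect
frontend no-ssl-http-in
    bind *:80
    http-request redirect scheme https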

Hope this helps anyone who is still looking for a solution.

Alain Stulz answered Dec 20 '22 16:12
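As an added example (not part of the question or the answer, and not HAProxy's own tooling), this Python check reads a haproxy.cfg and reports any frontend whose plaintext `bind` is not covered by a redirect to HTTPS for every request, which is the property the two-frontend layout in the answer provides. The function names are hypothetical, the two sample configs are constructed from the layouts on this page, and the certificate path is a placeholder.

```python
import re

SECTIONS = ("global", "defaults", "frontend", "backend", "listen")
REDIRECT = re.compile(r"(http-request\s+)?redirect\s+scheme\s+https\b")

def parse_frontends(cfg):
    """Map each frontend name to its directives, tokenised, comments dropped."""
    frontends, current = {}, None
    for raw in cfg.splitlines():
        words = raw.split("#", 1)[0].split()
        if words and words[0] in SECTIONS:
            is_frontend = words[0] == "frontend" and len(words) > 1
            current = frontends.setdefault(words[1], []) if is_frontend else None
        elif words and current is not None:
            current.append(words)
    return frontends

def covers_all_plaintext(w):
    """True if the redirect is unconditional or conditioned only on 'not TLS'."""
    cond = next((w[i:] for i, t in enumerate(w) if t in ("if", "unless")), [])
    return cond in ([], ["if", "!{", "ssl_fc", "}"], ["unless", "{", "ssl_fc", "}"])

def audit(cfg):
    """Yield (frontend, finding) for plaintext listeners not fully redirected to HTTPS."""
    for name, lines in parse_frontends(cfg).items():
        plain = [w for w in lines if w[0] == "bind" and "ssl" not in w[2:]]
        redirects = [w for w in lines if REDIRECT.match(" ".join(w))]
        if plain and not redirects:
            yield name, "no-https-redirect"
        elif plain and not any(covers_all_plaintext(w) for w in redirects):
            yield name, "conditional-redirect"  # requests outside the ACL stay on HTTP

# Constructed samples; the certificate path is a placeholder, not from the page.
QUESTION_LAYOUT = """
frontend http-in
    bind *:80
    bind *:443 ssl crt /path/to/cert.pem
    acl is_office path_beg /office
    http-request redirect scheme https if !{ ssl_fc } is_office
    use_backend office if is_office
"""
ANSWER_LAYOUT = """
frontend http-in
    bind *:443 ssl crt /path/to/cert.pem
    acl is_office path_beg /office
    use_backend office if is_office
frontend no-ssl-http-in
    bind *:80
    http-request redirect scheme https
"""
```

Run it on a real file with `list(audit(open(path).read()))`; an empty list means every plaintext listener redirects all requests to HTTPS.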