ikurni/haproxy-set-headers-redirect-https

## haproxy-set-headers-redirect-https
### Create SSL file for HTTPS traffic
mkdir /etc/haproxy/ssl
cat /root/wildcard.example.com.crt /root/wildcard.example.com.key >> /root/wildcard.example.com.pem
mv /root/wildcard.example.com.pem /etc/haproxy/ssl/

### Configure HAProxy.cfg to accept HTTPS, redirect HTTPS to HTTP and replace header to targeted URL
vi /etc/haproxy/haproxy.cfg

#---
#---------------------------------------------------------------------
# Example configuration for a possible web application.  See the
# full configuration options online.
#
#   https://www.haproxy.org/download/1.8/doc/configuration.txt
#
#---------------------------------------------------------------------

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    # to have these messages end up in /var/log/haproxy.log you will
    # need to:
    #
    # 1) configure syslog to accept network log events.  This is done
    #    by adding the '-r' option to the SYSLOGD_OPTIONS in
    #    /etc/sysconfig/syslog
    #
    # 2) configure local2 events to go to the /var/log/haproxy.log
    #   file. A line like the following can be added to
    #   /etc/sysconfig/syslog
    #
    #local2.*                       /var/log/haproxy.log
    #
    log         127.0.0.1 local2

    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon

    tune.ssl.default-dh-param 2048
    # turn on stats unix socket
    stats socket /var/lib/haproxy/stats

    # utilize system-wide crypto-policies
    ssl-default-bind-ciphers PROFILE=SYSTEM
    ssl-default-server-ciphers PROFILE=SYSTEM

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 3000


userlist http_users
  user abc insecure-password abc123!!

frontend main
bind 0.0.0.0:6443
default_backend api6443

backend api6443
balance source
mode tcp
server prdcluster-master1.dc.example.co.id prdcluster-master1.dc.example.co.id:6443 check
server prdcluster-master2.dc.example.co.id prdcluster-master2.dc.example.co.id:6443 check
server prdcluster-master3.dc.example.co.id prdcluster-master3.dc.example.co.id:6443 check


frontend main2
bind 0.0.0.0:22623
default_backend api22623

backend api22623
balance source
mode tcp
server prdcluster-master1.dc.example.co.id prdcluster-master1.dc.example.co.id:22623 check
server prdcluster-master2.dc.example.co.id prdcluster-master2.dc.example.co.id:22623 check
server prdcluster-master3.dc.example.co.id prdcluster-master3.dc.example.co.id:22623 check


frontend main3
bind 0.0.0.0:443 ssl crt /etc/haproxy/ssl/wildcard.example.co.id.pem
mode http
acl ACL_frontend_abc hdr(host) -i frontend.example.co.id
acl ACL_admin_frontend hdr(host) -i admin-frontend.example.co.id
use_backend router80 if ACL_frontend_abc
use_backend 2router80 if ACL_admin_frontend
default_backend router443
stats uri /haproxy?stats

backend router443
balance source
mode http
server prdcluster-infra1.dc.example.co.id prdcluster-infra1.dc.example.co.id:443 check
server prdcluster-infra2.dc.example.co.id prdcluster-infra2.dc.example.co.id:443 check
server prdcluster-infra3.dc.example.co.id prdcluster-infra3.dc.example.co.id:443 check

frontend main4
bind 0.0.0.0:80
mode http
redirect scheme https if !{ ssl_fc }
default_backend router80
stats uri /haproxy?stats

backend router80
balance source
http-request replace-header Host frontend.example.co.id app-pp.apps.prdocp.dc.example.co.id
#http-request replace-header Host frontend.example.co.id blank-page-git-openshift.apps.prdocp.dc.example.co.id
mode http
server prdcluster-infra1.dc.example.co.id prdcluster-infra1.dc.example.co.id:80 check
server prdcluster-infra2.dc.example.co.id prdcluster-infra2.dc.example.co.id:80 check
server prdcluster-infra3.dc.example.co.id prdcluster-infra3.dc.example.co.id:80 check

backend 2router80
balance source
http-request replace-header Host admin-frontend.example.co.id pp-fe-admin.apps.prdocp.dc.example.co.id
mode http
acl auth_ok http_auth(http_users)
#http-request auth unless auth_ok
http-request auth realm admin-frontend.example.co.id if !auth_ok
#reqadd X-Forwarded-Proto:\ https
server prdcluster-infra1.dc.example.co.id prdcluster-infra1.dc.example.co.id:80 check
server prdcluster-infra2.dc.example.co.id prdcluster-infra2.dc.example.co.id:80 check
server prdcluster-infra3.dc.example.co.id prdcluster-infra3.dc.example.co.id:80 check
#---
	### Create SSL file for HTTPS traffic
	mkdir /etc/haproxy/ssl
	cat /root/wildcard.example.com.crt /root/wildcard.example.com.key >> /root/wildcard.example.com.pem
	mv /root/wildcard.example.com.pem /etc/haproxy/ssl/

	### Configure HAProxy.cfg to accept HTTPS, redirect HTTPS to HTTP and replace header to targeted URL
	vi /etc/haproxy/haproxy.cfg

	#---
	#---------------------------------------------------------------------
	# Example configuration for a possible web application. See the
	# full configuration options online.
	#
	# https://www.haproxy.org/download/1.8/doc/configuration.txt
	#
	#---------------------------------------------------------------------

	#---------------------------------------------------------------------
	# Global settings
	#---------------------------------------------------------------------
	global
	# to have these messages end up in /var/log/haproxy.log you will
	# need to:
	#
	# 1) configure syslog to accept network log events. This is done
	# by adding the '-r' option to the SYSLOGD_OPTIONS in
	# /etc/sysconfig/syslog
	#
	# 2) configure local2 events to go to the /var/log/haproxy.log
	# file. A line like the following can be added to
	# /etc/sysconfig/syslog
	#
	#local2.* /var/log/haproxy.log
	#
	log 127.0.0.1 local2

	chroot /var/lib/haproxy
	pidfile /var/run/haproxy.pid
	maxconn 4000
	user haproxy
	group haproxy
	daemon

	tune.ssl.default-dh-param 2048
	# turn on stats unix socket
	stats socket /var/lib/haproxy/stats

	# utilize system-wide crypto-policies
	ssl-default-bind-ciphers PROFILE=SYSTEM
	ssl-default-server-ciphers PROFILE=SYSTEM

	#---------------------------------------------------------------------
	# common defaults that all the 'listen' and 'backend' sections will
	# use if not designated in their block
	#---------------------------------------------------------------------
	defaults
	log global
	option httplog
	option dontlognull
	option http-server-close
	option forwardfor except 127.0.0.0/8
	option redispatch
	retries 3
	timeout http-request 10s
	timeout queue 1m
	timeout connect 10s
	timeout client 1m
	timeout server 1m
	timeout http-keep-alive 10s
	timeout check 10s
	maxconn 3000


	userlist http_users
	user abc insecure-password abc123!!

	frontend main
	bind 0.0.0.0:6443
	default_backend api6443

	backend api6443
	balance source
	mode tcp
	server prdcluster-master1.dc.example.co.id prdcluster-master1.dc.example.co.id:6443 check
	server prdcluster-master2.dc.example.co.id prdcluster-master2.dc.example.co.id:6443 check
	server prdcluster-master3.dc.example.co.id prdcluster-master3.dc.example.co.id:6443 check


	frontend main2
	bind 0.0.0.0:22623
	default_backend api22623

	backend api22623
	balance source
	mode tcp
	server prdcluster-master1.dc.example.co.id prdcluster-master1.dc.example.co.id:22623 check
	server prdcluster-master2.dc.example.co.id prdcluster-master2.dc.example.co.id:22623 check
	server prdcluster-master3.dc.example.co.id prdcluster-master3.dc.example.co.id:22623 check


	frontend main3
	bind 0.0.0.0:443 ssl crt /etc/haproxy/ssl/wildcard.example.co.id.pem
	mode http
	acl ACL_frontend_abc hdr(host) -i frontend.example.co.id
	acl ACL_admin_frontend hdr(host) -i admin-frontend.example.co.id
	use_backend router80 if ACL_frontend_abc
	use_backend 2router80 if ACL_admin_frontend
	default_backend router443
	stats uri /haproxy?stats

	backend router443
	balance source
	mode http
	server prdcluster-infra1.dc.example.co.id prdcluster-infra1.dc.example.co.id:443 check
	server prdcluster-infra2.dc.example.co.id prdcluster-infra2.dc.example.co.id:443 check
	server prdcluster-infra3.dc.example.co.id prdcluster-infra3.dc.example.co.id:443 check

	frontend main4
	bind 0.0.0.0:80
	mode http
	redirect scheme https if !{ ssl_fc }
	default_backend router80
	stats uri /haproxy?stats

	backend router80
	balance source
	http-request replace-header Host frontend.example.co.id app-pp.apps.prdocp.dc.example.co.id
	#http-request replace-header Host frontend.example.co.id blank-page-git-openshift.apps.prdocp.dc.example.co.id
	mode http
	server prdcluster-infra1.dc.example.co.id prdcluster-infra1.dc.example.co.id:80 check
	server prdcluster-infra2.dc.example.co.id prdcluster-infra2.dc.example.co.id:80 check
	server prdcluster-infra3.dc.example.co.id prdcluster-infra3.dc.example.co.id:80 check

	backend 2router80
	balance source
	http-request replace-header Host admin-frontend.example.co.id pp-fe-admin.apps.prdocp.dc.example.co.id
	mode http
	acl auth_ok http_auth(http_users)
	#http-request auth unless auth_ok
	http-request auth realm admin-frontend.example.co.id if !auth_ok
	#reqadd X-Forwarded-Proto:\ https
	server prdcluster-infra1.dc.example.co.id prdcluster-infra1.dc.example.co.id:80 check
	server prdcluster-infra2.dc.example.co.id prdcluster-infra2.dc.example.co.id:80 check
	server prdcluster-infra3.dc.example.co.id prdcluster-infra3.dc.example.co.id:80 check
	#---