Use the HAProxy load balancer to redirect users from HTTP to HTTPS automatically.
For decades, our lives have become increasingly dependent on sending and receiving data from across the Internet. Now, with more people working, studying, and hanging with friends remotely, that trend is showing an uptick. Yet, adversaries seem to be grasping at that communication from every direction. From hackers sniffing traffic at WiFi hotspots to governments seeking access to unprecedented levels of browsing data, privacy on the Web is becoming a David versus Goliath scenario.
One way to protect user privacy is by encrypting the communication en route by using the venerated protocol, HTTPS, which is the secure version of HTTP. A case can be made for encrypting every website with HTTPS, regardless of whether a website collects sensitive information or not, to give people a blanket shield of privacy even during their most run-of-the-mill activities. By encrypting communication, website owners can hide what could be considered too much information in the wrong hands: the specific web pages you’ve visited, the terms you’ve searched for, and the details of your browser and operating system.
The problem is that HTTPS is not the default; unencrypted, visible-to-anyone-with-the-means HTTP is. When you type google.com or youtube.com into your browser’s address bar, do you prefix it with https://? If you’re like most people, the answer is no. The result is that you’re sent to the non-secure, HTTP version of the site. (Luckily, these specific websites automatically redirect to HTTPS.) If you’re using the Chrome browser, you’ll see a bold warning, “Not secure”, when you visit an unencrypted site.
It’s easy to correct this shortcoming on your own website: place HAProxy in front of your web servers and configure it to reroute users from HTTP to HTTPS automatically. HAProxy, besides being known as the fastest and most widely used software load balancer, is also heavily relied upon for its ability to terminate SSL, which is to say, it can handle all aspects of HTTPS by acting as a middleman between the client and servers. However, since it can balance any type of TCP traffic, not just HTTP, you must explicitly configure it to terminate SSL for your HTTP traffic.
Enabling HTTPS
HAProxy load balances traffic across a pool of web servers, ensuring that if one of your servers fails, there are others to take over. As traffic passes through, HAProxy terminates SSL, which means that it decrypts the traffic before it is forwarded to the servers and encrypts it again on its way back out to the user.
In the following example, the HAProxy configuration file is set to listen for HTTP traffic on port 80 and HTTPS traffic on port 443:
frontend mywebsite
    mode http
    bind :80
    bind :443 ssl crt /etc/ssl/certs/ssl.pem
    default_backend servers
It’s common to listen for both types of traffic and then forward all HTTP requests to HTTPS, as you’ll see in the next section. In the current example, we’re accepting connections for either, but have not yet added a redirect. HTTPS traffic is decrypted using the file ssl.pem, which contains both the site’s public SSL certificate and its private key. To create it, you’ll cut and paste your X.509 certificate and private key into one file so that it looks like the following snippet (truncated here for space):
-----BEGIN PRIVATE KEY-----
MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQC...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIFuzCCA6OgAwIBAgIJAIhmZV5h/C6CMA0GCSqGSIb3DQEBCwU...
-----END CERTIFICATE-----
If you prefer, you can store the certificate and key as separate files on the HAProxy server. HAProxy will look for a file ending with .key in the same directory as the .pem file and load it.
With this setup, the backend servers receive decrypted traffic only and never need to bother with SSL themselves. If you’d like to inform the backend server whether HTTPS was used, you can append an X-Forwarded-Proto request header by adding the http-request set-header directive:
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
You can learn much more about HAProxy’s SSL capabilities in our blog post HAProxy SSL Termination.
Redirect to HTTPS
After you’ve configured HAProxy to terminate SSL, the next step is to redirect all users to HTTPS. This is very simple: add an http-request redirect line to your frontend section, as shown here:
frontend mywebsite
    mode http
    bind :80
    bind :443 ssl crt /etc/ssl/certs/ssl.pem
    http-request redirect scheme https unless { ssl_fc }
    default_backend servers
The http-request redirect line is quite versatile, allowing you to redirect users to a different domain, such as from oldsite.com to newsite.com, or redirect them to the canonical name of your site, such as from mysite.com to www.mysite.com. For our purposes, we use it to change the protocol from http:// to https:// by including the scheme parameter, which is set to https.
Since you don’t want to send users to HTTPS if they’ve already connected that way, which would cause an infinite loop, append unless { ssl_fc } to the end of the line. The ssl_fc fetch returns true if the connection came in over HTTPS. By checking it, you’re stating that you want to redirect the user, but only if they’re not already using a secure connection.
This technique will only work when using mode http because it redirects at the HTTP layer using a 302 Found HTTP response status, which is known as a temporary redirect. Once you’re fully committed to using HTTPS and have tested it thoroughly on your website, you may wish to instruct the browser to cache the redirect, which will save one round trip between the browser and HAProxy, speeding up page load times. Set the code parameter to 301 to send a 301 Moved Permanently status back, which browsers can cache:
    http-request redirect scheme https code 301 unless { ssl_fc }
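Before rolling the redirect out, it is worth linting the frontend for the properties this post relies on: an SSL bind, mode http, and a redirect that is guarded by ssl_fc so that HTTPS requests do not loop. The checker below is an added example, not HAProxy's own tooling; frontend_lines and audit_frontend are hypothetical helpers, and both configuration samples are constructed from the snippets above.

```python
import re
# Constructed sample: the post's frontend with the cacheable 301 redirect.
GOOD_CFG = """\
frontend mywebsite
    mode http
    bind :80
    bind :443 ssl crt /etc/ssl/certs/ssl.pem
    http-request redirect scheme https code 301 unless { ssl_fc }
    default_backend servers
"""
# Constructed sample: redirect without the ssl_fc guard, so HTTPS requests loop.
LOOP_CFG = """\
frontend mywebsite
    mode http
    bind :443 ssl crt /etc/ssl/certs/ssl.pem
    http-request redirect scheme https
    default_backend servers
"""
SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b")
GUARD_RE = re.compile(r"unless\s*\{\s*ssl_fc\s*\}|if\s*!\{\s*ssl_fc\s*\}")

def frontend_lines(cfg, name):
    # Hypothetical helper: collect the directives of `frontend <name>` only.
    lines, inside = [], False
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if SECTION_RE.match(line):
            inside = line == f"frontend {name}"
        elif inside:
            lines.append(line)
    return lines

def audit_frontend(cfg, name="mywebsite"):
    # Hypothetical checker for the properties the HTTPS redirect relies on.
    lines = frontend_lines(cfg, name)
    result = {
        "mode_http": "mode http" in lines,
        "tls_bind": any(l.startswith("bind ") and " ssl " in l + " " for l in lines),
        "redirect": None,  # None = no redirect; else {"code": int, "guarded": bool}
    }
    for l in lines:
        if l.startswith("http-request redirect scheme https"):
            m = re.search(r"\bcode\s+(\d{3})\b", l)
            result["redirect"] = {
                "code": int(m.group(1)) if m else 302,  # HAProxy defaults to 302 Found
                "guarded": bool(GUARD_RE.search(l)),    # unguarded = redirect loop
            }
    return result
```

A redirect reported with guarded set to False is the infinite-loop case described above; a code of 302 means the temporary default is still in use.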
Using mode http has other benefits too, since it proxies the request at Layer 7. In this mode, you can use metadata from the decrypted HTTP request, such as cookie values, HTTP headers, and the URL path, to choose the best backend, modify the message, or perform extra validation.
You may also want to set up HSTS to instruct browsers to use HTTPS with your website by default. Read our blog post HAProxy and HTTP Strict Transport Security (HSTS) to learn more.
HTTP to HTTPS Redirect: Conclusion
As concern about the privacy of our online lives continues to grow in relevance, it’s essential that more websites adopt a secure-by-default posture. Automatically redirecting users to HTTPS is one way to protect people from eavesdropping. HAProxy has SSL termination built in, giving you the ability to encrypt communication as it leaves your network and to reroute all users to a secure version of your site. The good news is that enabling this feature is easy!