ssl – HAPROXY : Redirect incoming HTTPS request to HTTP backend


I’m a newbie with HAProxy, and I want to use it to redirects HTTPS incoming requests to my HTTP backends servers.

I know, how it is possible to do it with Nginx, like this :

#SSL for all
server {
    listen 443 ssl ;
    server_name www.example.com;
    absolute_redirect off;
    proxy_redirect off;

    access_log /var/log/nginx/example.com-ssl-access.log;
    error_log /var/log/nginx/example.com-ssl-error.log;

    ssl_protocols TLSv1.2 TLSv1.1 TLSv1 ;
    ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem; 
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem; 


    location / {
        proxy_pass http://bo.example.com;
    }
}

But I don’t know how I can do it with HAProxy ?

I have already tried several things. But each time I only had HTTPS to HTTPS redirects.

Can you help me ?

This is my current HAProxy configuration :

global
    log /dev/log    local0
    log /dev/log    local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
    stats timeout 5s
    user haproxy
    group haproxy
    daemon

    tune.ssl.default-dh-param 2048

defaults

    log     global

    mode    http
    option  httplog
    option  dontlognull
    timeout connect 5000
    timeout client  50000
    timeout server  50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http
    stats enable
    stats hide-version
    stats refresh 30s
    stats uri /hastats

frontend www-http
        # Frontend listen port - 80
    bind *:80
    #Mode de fonctionnement
    mode http

    reqadd X-Forwarded-Proto: http

    # Test URI to see if its a letsencrypt request
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl

    # Set the default backend
    default_backend www-backend
    # Enable send X-Forwarded-For header
    #option forwardfor
    #option httpchk GET /
    # log reqs http
    #option httplog

    # acl
    #acl prod_acl  hdr(host) prod.local

    #use_backend apache_backend_servers if prod acl


# Define frontend ssl
frontend www-ssl
        bind *:443 ssl crt /etc/haproxy/certs/example.com.pem
        reqadd X-Forwarded-Proto: https
        default_backend www-backend


# define backend

backend www-backend
    mode http
    option httpchk
    option forwardfor except 127.0.0.1

    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    
    redirect scheme http if { hdr(Host) -i example.com } { ssl_fc }
    balance roundrobin
    #Define the backend servers
    server  web1    XXX.XXX.XXX.101  check inter 3s port 80
    server  web2    XXX.XXX.XXX.102  check inter 3s port 80

backend letsencrypt-backend
    server letsencrypt 127.0.0.1:8080