SSL status check problems with apache behind Pound reverse proxy

Rely on your own HTTP headers, because the built-in ones sometimes get lost.

We have a high-available system, with the following architecture:

  • the main gate: HAProxy on port 80 on the public interface
  • all webservers: nginx on port 80, if the content is not static (regex list)
  • proxied to localhost, port 81, to apache2

But this architecture cannot be used for ssl connections, therefore on port 443, pound is listening on the HA cluster, and forwards every connection to the HA proxy without SSL.

The problem, is that when a request arrives to one of the apache servers, I cannot force SSL connection, because it will slip into an endless loop.

The solution is:

  • add a special HTTP header with pound
  • insted of HTTPS check in apache, check this

pound.conf:

User            "www-data"
Group           "www-data"
LogLevel        0
Alive           2
Control         "/var/run/poundctl.socket"

ListenHTTPS
  Address [IP]
  Port 443
  Cert "/etc/pound/[cert].pem"
  AddHeader "XHTTPS: on"
  Service
    Backend
      Address [IP]
      Port 80
    End
  End
End

The check in apache (inside virtualhost):

RewriteCond %{HTTP:XHTTPS} !on
RewriteRule ^(.*) https://[domain]/$1 [R,L]


Encourage creation!

If this entry helped you, or you simply liked it, leave a tip.