Force HTTPS with the HAProxy cartridge in OpenShift, enabled only for specific URL patterns


I have an OpenShift scalable Play application. My problem is that I was unable to force HTTPS, and I want to serve only URLs that start with /portal or /api.

So if I hit something like https://www.example.com I don't want HAProxy to care about it, because I already have a WordPress serving the main website, but if I hit 'https://www.example.com/api' then HAProxy must be involved and the load balancer should work between the auto-scaled gears.

I tried many answers for the HAProxy config, including the documentation: http://cbonte.github.io/haproxy-dconv/1.4/configuration.html#4.2-redirect%20scheme and https://developers.openshift.com/faq/troubleshooting.html#_how_do_i_redirect_traffic_to_https and even https://github.com/openshift/origin/blob/master/images/router/haproxy/conf/haproxy-config.template

Something like redirect scheme https if !{ ssl_fc } was not helpful at all.

Nothing was helpful; once I add a frontend it stops working, and I can't see the log file anywhere inside my application gear.

How can I do this?

The following is my haproxy.cfg

defaults
    mode                    http
    log                     global
    option                  httplog
    option                  dontlognull
    option http-server-close
    #option forwardfor       except 127.0.0.0/8
    option                  redispatch
    retries                 3
    timeout http-request    10s
    timeout queue           1m
    timeout connect         10s
    timeout client          1m
    timeout server          1m
    timeout http-keep-alive 10s
    timeout check           10s
    maxconn                 128

listen stats 127.9.3.131:8080
    mode http
    stats enable
    stats uri /

listen express 127.9.3.130:8080

    cookie GEAR insert indirect nocache
    option httpchk GET /portal
    http-check expect rstatus 2..|3..|401

    balance leastconn
    server local-gear 127.9.3.129:8080 check fall 2 rise 3 inter 2000 cookie local-xxxxxxxxxx

There is 1 answer

Al-Mothafar On BEST ANSWER

I solved the problem of serving a specific pattern, but not https. The problem with https is that the version of HAProxy used in OpenShift Cloud v2 is way too old: https is not supported in the old version that they have, and even the later patches for version 1.4 are not applied. The version of OpenShift's HAProxy is: HAProxy version 1.4.22, released 2012/08/09! SERIOUSLY! The latest minor version, 1.4.27, was enough to solve this, as I see in the documentation of HAProxy.

So to force HTTPS, I did this step in my application instead of in HAProxy.

Anyway, for serving specific patterns (in my example here, I serve /api and /portal only) the config file changed to something like the following code. Please note that I removed the listen section and used backend and frontend instead:

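frontend express
    # Route only /api and /portal (case-insensitive prefix match) to the gears
    acl api path_beg -i /api
    acl portal path_beg -i /portal
    bind 127.9.3.130:8080
    use_backend servers if api
    use_backend servers if portal
    # Everything else goes to the main website
    default_backend website

backend servers
    # "cookie" is not valid in a frontend section, so it is set on the backend
    cookie GEAR insert indirect nocache
    option httpchk GET /portal
    http-check expect rstatus 2..|3..|401
    balance leastconn
    # Gear address as in the original listen section, not the frontend's own
    # bind address (pointing the backend at 127.9.3.130:8080 would loop)
    server local-gear 127.9.3.129:8080 check fall 2 rise 3 inter 2000 cookie local-xxxxxxxxxx

backend website
    balance leastconn
    # DOMAIN_IP is a placeholder for the address of the server hosting the main site
    server webserver DOMAIN_IP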

Please be aware of the following:

  • Always back up the old config file before changing it.
  • Use the local IP that is provided in the original config file; copying and pasting the code above will certainly not work. Also be sure to replace xxxxxxxxxx with your gear ID, which is provided in the original config file.

P.S.: OpenShift Online v2 is deprecated and it will stop accepting any new accounts from next August. The v3 should be better, but until now it is still a "preview" and not publicly available yet.
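
The answer moves the HTTPS redirect into the application but does not show it. The sketch below is an added example, not the answerer's code: it expresses that decision as Python WSGI middleware (a Play app would do the equivalent in its own filter), assuming the TLS-terminating proxy in front sets X-Forwarded-Proto and that www.example.com is the canonical host. Unlike `path_beg -i /api`, which also matches /apiary, it matches on a path-segment boundary.

```python
from urllib.parse import quote

PROTECTED_PREFIXES = ("/api", "/portal")  # the prefixes from the answer's ACLs
CANONICAL_HOST = "www.example.com"        # assumption: fixed, never copied from the Host header


def is_protected(path):
    """Case-insensitive prefix match that stops at a path-segment boundary."""
    p = path.lower()
    return any(p == pre or p.startswith(pre + "/") for pre in PROTECTED_PREFIXES)


def https_redirect_target(environ):
    """Return the https:// URL to redirect to, or None if no redirect is needed."""
    path = environ.get("PATH_INFO", "/")
    if not is_protected(path):
        return None
    # Assumption: the proxy in front overwrites any client-supplied value.
    # Anything other than exactly "https" is treated as plain HTTP (fail closed).
    proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
    if proto == "https":
        return None
    # quote() re-encodes the decoded path, so CR/LF cannot reach the Location header
    url = "https://" + CANONICAL_HOST + quote(path)
    query = environ.get("QUERY_STRING", "")
    return url + ("?" + query if query else "")


class ForceHttps:
    """WSGI middleware: redirect plain-HTTP requests for protected paths."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        target = https_redirect_target(environ)
        if target is None:
            return self.app(environ, start_response)
        # 308 keeps method and body, so a POST to /api is not replayed as a GET
        start_response("308 Permanent Redirect",
                       [("Location", target), ("Content-Length", "0")])
        return [b""]
```

Building the Location header from a fixed host rather than the request's Host header keeps the redirect from being steered to another domain.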