SSL Termination on AWS + HAProxy


Daniel Lumb

May 13, 2021, 6:51:36 AM
to rundeck-discuss
Hi all, 

I'm having some issues running Rundeck behind Network Load Balancer and HAProxy. 

The setup is: 

NLB ---> HAProxy ---> Rundeck

The SSL is terminated on the NLB. I have a DNS record set up that points to the NLB as that's the bit that's public facing. Let's call it rundeck.mydomain.com.

If I navigate to https://rundeck.mydomain.com I receive a 302 and am then sent to the login page URL. The issue is that the location that is returned in the 302 is for http:// and not https:// 

If I manually change the URL to include the https, then I can hit the login page.

I've followed the documentation for configuring Rundeck behind an SSL terminating proxy and have set the following configuration parameters: 

/etc/rundeck/rundeck-properties: 

server.useForwardHeaders=true

This is all that the documentation refers to. From looking at further posts where people have had similar issues, I've also now set these:

/etc/rundeck/framework-properties: 

framework.server.hostname = rundeck.mydomain.com
framework.server.port = 4440
framework.server.url = https://rundeck.mydomain.com

But this also hasn't helped and I still get the 302 sending me to the http://rundeck.mydomain.com/user/login rather than the correct https:// URL.

Anyone have any ideas? 

Cheers!




Daniel Lumb

May 13, 2021, 10:49:44 AM
to rundeck-discuss

Ok, so I eventually fixed this, it was my fault really, I hadn't realised the implications of terminating SSL on the NLB. In case it helps anyone else: 

I had my HAProxy set up in a "typical" way to set the X-Forwarded-Proto as HTTPS if the incoming client request was https. I think the issue was that the request sent by the NLB wasn't https (but it was when it left the client) so the HAProxy was never setting that header for requests it forwarded to the Rundeck server. I took the conditional part of the HAProxy statement out for setting the X-Forwarded-Proto as HTTPS - so it now sets this header regardless.

This fixed it! 
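The change described in the post above, shown as an added HAProxy configuration sketch that is not part of the original thread. The poster's actual configuration was not shown; the commented-out `ssl_fc` condition is an assumption about what the "typical" conditional looked like, and the section names, bind port and backend address are constructed.

```haproxy
# Constructed example: fe_rundeck, be_rundeck, the bind port and the
# backend address are assumptions; port 4440 is the Rundeck port from the post.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_rundeck
    # The NLB has already terminated TLS, so connections arrive here as plain HTTP.
    bind :80

    # Conditional form (assumed): ssl_fc is true only when HAProxy itself
    # terminated TLS on this connection. Behind a TLS-terminating NLB it is
    # never true, so the header is never set and Rundeck builds http:// redirects.
    # http-request set-header X-Forwarded-Proto https if { ssl_fc }

    # Unconditional form, as described in the post. set-header replaces any
    # X-Forwarded-Proto value supplied by the client rather than appending to it.
    http-request set-header X-Forwarded-Proto https

    default_backend be_rundeck

backend be_rundeck
    server rundeck1 10.0.0.10:4440 check
```

Because the header is now asserted for every request, the HAProxy listener should accept connections only from the NLB (for example through security group rules), so that a plaintext request cannot reach it directly and be labelled as https.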