From cafc673ba59f3454608237d34d24712ab8576620 Mon Sep 17 00:00:00 2001 From: Andrea Dell'Amico Date: Mon, 21 Feb 2022 15:04:06 +0100 Subject: [PATCH] haproxy: http -> https by default. --- README.md | 2 +- defaults/main.yml | 1 + templates/haproxy.cfg.j2 | 9 +++++++-- 3 files changed, 9 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 630d6d9..3c6f1e6 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ docker_swarm_portainer_http_port: '9000' docker_swarm_portainer_service_port: '8000' docker_swarm_haproxy_additional_services: [] -# - { acl_name: 'service', acl_rule: 'hdr_dom(host) -i service.example.com', service_name: 'service-', service_replica_num: '1', service_port: '9999', service_overlay_network: 'service-network' } +# - { acl_name: 'service', acl_rule: 'hdr_dom(host) -i service.example.com', service_name: 'service-', service_replica_num: '1', service_port: '9999', service_overlay_network: 'service-network', http_redirect_to_https: True } ``` Dependencies diff --git a/defaults/main.yml b/defaults/main.yml index 28a654c..dd2efb6 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -33,3 +33,4 @@ docker_swarm_keepalived_floating_ip: '127.0.0.1/8' docker_swarm_keepalived_instance_name: 'VI_HAPROXY_1' docker_swarm_haproxy_loglevel: '{{ haproxy_loglevel }}' docker_swarm_haproxy_http2_enabled: True +docker_swarm_haproxy_backends_redirect_to_https: True diff --git a/templates/haproxy.cfg.j2 b/templates/haproxy.cfg.j2 index 3459bbf..4693505 100644 --- a/templates/haproxy.cfg.j2 +++ b/templates/haproxy.cfg.j2 @@ -81,7 +81,6 @@ frontend http mode http option http-keep-alive option forwardfor - http-request add-header X-Forwarded-Proto https # HSTS (63072000 seconds) http-response set-header Strict-Transport-Security max-age=63072000 {% if docker_swarm_cluster_portainer_install %} 
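Review bot: With the unconditional `add-header X-Forwarded-Proto https` removed, `frontend http` no longer sets or clears X-Forwarded-Proto at all, so a client-supplied value passes through untouched to every backend that does not carry the new per-backend `set-header ... if { ssl_fc }` rule, and because the frontend-wide redirect goes away in the next hunk, plain-HTTP requests can now actually reach such backends. Setting the header once at the frontend, where `ssl_fc` is already evaluated, closes that gap for all backends: `http-request set-header X-Forwarded-Proto https if { ssl_fc }` followed by `http-request set-header X-Forwarded-Proto http unless { ssl_fc }` (`set-header` overwrites whatever the client sent, unlike the old `add-header`). The `Strict-Transport-Security` response header that stays in this hunk is now also emitted on plain-HTTP responses for non-redirected backends; browsers ignore HSTS received over HTTP, so it is harmless, but gating it with `if { ssl_fc }` would make the intent explicit. The rest of `frontend http` continues outside this hunk.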
@@ -100,7 +99,6 @@ frontend http {% endif %} {% endif %} {% endfor %} - redirect scheme https code 301 if !{ ssl_fc } {% if docker_swarm_cluster_portainer_install %} use_backend portainer_bck if portainer_srv {% endif %} @@ -202,6 +200,8 @@ backend portainer_bck http-check send meth HEAD uri / ver HTTP/1.1 hdr Host localhost http-check expect rstatus (2|3)[0-9][0-9] balance roundrobin + http-request set-header X-Forwarded-Proto https if { ssl_fc } + http-request redirect scheme https code 301 unless { ssl_fc } server-template portainer- 1 portainer_portainer:{{ docker_swarm_portainer_http_port }} check resolvers docker init-addr libc,none {% endif %} @@ -228,6 +228,11 @@ backend {{ srv.acl_name }}_bck stick on src stick-table {{ srv.stick_table }} peers mypeers {% endif %} +{% endif %} +{% if srv.http_redirect_to_https %} + http-request set-header X-Forwarded-Proto https if { ssl_fc } + http-request redirect scheme https code 301 unless { ssl_fc } +{% endif %} {% endif %} server-template {{ srv.service_name }}- {{ srv.service_replica_num }} {{ srv.stack_name }}_{{ srv.service_name }}:{{ srv.service_port }} {{ srv.backend_options | default('') }} {% if srv.http_check_enabled is defined and srv.http_check_enabled %}check {{ srv.check_options | default('') }}{% endif %} resolvers docker init-addr libc,none
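Review bot: In the last hunk, `{% if srv.http_redirect_to_https %}` reads a per-service key that the README only documents as an optional field, and the new `docker_swarm_haproxy_backends_redirect_to_https: True` added to defaults/main.yml is never referenced anywhere in the template, so a service entry that omits the key renders no redirect and — now that the frontend-wide `redirect scheme https code 301 if !{ ssl_fc }` has been removed — stays reachable over plain HTTP, which is the opposite of the "https by default" the commit title promises. Wiring the default in restores the intended behaviour: `{% if srv.http_redirect_to_https | default(docker_swarm_haproxy_backends_redirect_to_https) %}`. The same hunk also closes one more `{% if %}` than it opens compared with the old side (two `{% endif %}` became four around one new `{% if %}`); the enclosing `{% for %}`/`{% if %}` blocks for `backend {{ srv.acl_name }}_bck` open before the hunk, so please confirm the nesting still balances as intended rather than silently moving the `server-template` line into a different block. The `portainer_bck` hunk hard-codes the redirect regardless of that default, which is presumably deliberate for the admin UI but worth a one-line comment such as `{# portainer is always forced to HTTPS; not governed by docker_swarm_haproxy_backends_redirect_to_https #}`.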