haproxy: T7122: render explicit http configuration to properly bind port 80

If redirect-http-to-https is set we will render a discrete onfiguration in
HAproxy to properly claim port 80 in the system to detect if a service is
alreadey using the port or not.

1 files changed, 14 insertions, 3 deletions

diff --git a/data/templates/load-balancing/haproxy.cfg.j2 b/data/templates/load-balancing/haproxy.cfg.j2
index 70ea5d2b0..2287cb815 100644
--- a/data/templates/load-balancing/haproxy.cfg.j2
+++ b/data/templates/load-balancing/haproxy.cfg.j2
@@ -53,6 +53,20 @@ defaults
 # Frontend
 {% if service is vyos_defined %}
 {%     for front, front_config in service.items() %}
+
+{%         if front_config.redirect_http_to_https is vyos_defined %}
+frontend {{ front }}-http
+    mode http
+{%             if front_config.listen_address is vyos_defined %}
+{%                 for address in front_config.listen_address %}
+    bind {{ address | bracketize_ipv6 }}:80
+{%                 endfor %}
+{%             else %}
+    bind [::]:80 v4v6
+{%             endif %}
+    redirect scheme https code 301 if !{ ssl_fc }
+{%         endif %}
+
 frontend {{ front }}
 {%         set ssl_front = [] %}
 {%         if front_config.ssl.certificate is vyos_defined and front_config.ssl.certificate is iterable %}
@@ -68,9 +82,6 @@ frontend {{ front }}
 {%         else %}
     bind [::]:{{ front_config.port }} v4v6 {{ ssl_directive }} {{ ssl_front | join(' ') }}
 {%         endif %}
-{%         if front_config.redirect_http_to_https is vyos_defined %}
-    http-request redirect scheme https unless { ssl_fc }
-{%         endif %}
 {%         if front_config.logging is vyos_defined %}
 {%             for facility, facility_config in front_config.logging.facility.items() %}
     log /dev/log {{ facility }} {{ facility_config.level }}