Port configuration for OOD behind a web proxy?

We are trying to set up OOD behind HAProxy similar to "Putting an entire OOD setup behind a web proxy?" but with the public site served on port 443 and communication between the HAProxy servers and OOD servers (backends) on port 80. In general, HAProxy config can handle this (by setting X-Forwarded-Proto to https).

We have tried: in /etc/ood/config/ood_portal.yml, set servername to the hostname of the OOD server, proxy_server to the public name of the site, and comment out the ssl block so the OOD server will serve on port 80. This partially works, but it seems that generated links contain http://<public-site> when they need to contain https://<public-site>. There seem to be multiple places where host mismatches are detected where the conflict is with the protocol, not the hostname.

As a test only, we found that manually editing /etc/httpd/conf.d/ood-portal.conf after it’s generated, and for the ServerName directive inserting https:// before the hostname, resulted in the dashboard being displayed after Shibboleth auth completed (instead of getting a 404/not found error). Obviously, changing the Apache config after it’s generated from OOD config isn’t a solution. Also, while this test allowed display of some pages of the OOD site, it didn’t allow job submission (which seems to have a similar http vs https conflict).

Is there a way to configure OOD to make this work? If so, are there reasons why it would be advisable or not?

Hmmm. I'll have to look more into how those redirects are working.

What if HAProxy just forwarded to an https backend?

Update: We changed communication between HAProxy and OOD servers to port 443 and installed the same SSL certs that were on the proxy on the backends. I wasn't sure whether using the same certs would work since they only have the public site name, not the backend names. The site is working. Not needing new/different certs means we don't have scalability concerns about this approach. I am interested in knowing if others have used either https or http for the backend communication and what the choice was based on, if anyone has gotten http to work, or if only https works.
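The https-backend layout the update describes, written out as an added HAProxy configuration example (this is not from the thread or from the OOD project; the hostname ondemand.example.org, the 192.0.2.x backend addresses, the certificate paths and the cookie name are placeholders). It terminates TLS on 443, sets X-Forwarded-Proto as the first post mentions, and re-encrypts to the OOD servers while verifying the certificate they present against the public site name, since the update says the backends carry the same certificate as the proxy. Session stickiness is an assumption added here because each OOD host runs its own per-user NGINX processes.

```haproxy
# Added example (not from the thread): HAProxy in front of OOD, TLS on both legs.
# All hostnames, addresses and paths below are placeholders.
global
    log /dev/log local0
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client 300s
    timeout server 300s

# Clients that arrive on plain HTTP are sent to HTTPS; nothing is served over port 80.
frontend http-in
    bind *:80
    http-request redirect scheme https code 301 unless { ssl_fc }

frontend https-in
    bind *:443 ssl crt /etc/haproxy/certs/ondemand.example.org.pem
    # Tell OOD the original scheme and host so generated links use https://<public-site>
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Host %[req.hdr(host)]
    default_backend ood

backend ood
    balance roundrobin
    # Assumed: pin a browser session to one OOD host, since PUNs live on a single host.
    cookie OODSRV insert indirect nocache secure httponly
    # Re-encrypt to the backends and verify their certificate against the system CA bundle.
    # The backends present the public-site certificate, so SNI and hostname verification
    # use the public name rather than the backend's own hostname.
    server ood1 192.0.2.11:443 ssl verify required ca-file /etc/pki/tls/certs/ca-bundle.crt sni str(ondemand.example.org) verifyhost ondemand.example.org check check-sni ondemand.example.org cookie ood1
    server ood2 192.0.2.12:443 ssl verify required ca-file /etc/pki/tls/certs/ca-bundle.crt sni str(ondemand.example.org) verifyhost ondemand.example.org check check-sni ondemand.example.org cookie ood2
```

With `verify required` plus `verifyhost`, HAProxy refuses a backend whose certificate does not chain to the CA bundle or does not match the public name, which is what makes reusing the proxy's certificate on the backends a checked setup rather than an unverified one; `sni` is needed because the backends answer for the public name, not for 192.0.2.11.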