Hello!

On Saturday 02 May 2009 19:20:15 Joseph Kondel wrote:
> Glad you were able to get haproxy working. I have a similar setup
> where I use stunnel in front of haproxy to handle all the ssl. If you
> need I can paste in some sample config directives.

How do you tune HAProxy+Stunnel? I have a working HAProxy+Stunnel but haven't tested it in production. My config is applied.

>
> Also be aware that if you care about logs you should patch stunnel to
> support the x-forwarded-for header. Otherwise your app server logs will
> be filled with the proxy ip. In addition you might want to patch
> haproxy with the conditional redirect patch for 1.13.5.
>
> I believe both patches can be found on or linked off the haproxy site.

I fixed the stunnel-4.20-xforwarded-for.diff for stunnel version 4.22-2 (for the Debian Lenny distribution) and sent it back to the author. I believe Willy Tarreau will validate and publish it on the HAProxy site soon.

stunnel.conf
==========================
; Protocol version (all, SSLv2, SSLv3, TLSv1)
sslVersion = SSLv3

; Some security enhancements for UNIX systems - comment them out on Win32
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID is created inside chroot jail
pid = /stunnel4.pid

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

[https78]
cert = /etc/stunnel/mobigroup.pem
accept = 213.148.6.78:443
connect = 213.148.6.78:80
xforwardedfor = yes
==========================

Best regards, Alexey Pechnikov.
http://pechnikov.tel/

--
AOLserver - http://www.aolserver.com/
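
An added example, not part of the original message and not code from the stunnel or HAProxy projects: once the proxy supplies X-Forwarded-For, the application server should take the logged client address from that header only when the TCP peer is the proxy itself, reading from the right so a client-supplied entry cannot replace the real address. It assumes the patched stunnel appends the connecting address as the last entry; `client_ip_for_log` and the sample client addresses are constructed for illustration.

```python
import ipaddress

# Assumption: only the stunnel/haproxy host from the config above may
# assert a client address on behalf of someone else.
TRUSTED_PROXIES = [ipaddress.ip_network("213.148.6.78/32")]

def _parse(token):
    """Return an ip_address object, or None if token is not a bare IP."""
    try:
        return ipaddress.ip_address(token.strip())
    except ValueError:
        return None

def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)

def client_ip_for_log(peer_ip, xff_headers, trusted=TRUSTED_PROXIES):
    """Choose the address to log for one request.

    peer_ip     -- TCP peer address as seen by the application server
    xff_headers -- X-Forwarded-For header values, in the order received
    """
    peer = _parse(peer_ip)
    if peer is None or not _is_trusted(peer, trusted):
        # Header came from an arbitrary client: ignore it entirely.
        return peer_ip
    hops = [h for value in xff_headers for h in value.split(",")]
    candidate = peer
    # Walk right to left: the rightmost entries were added by our own proxy,
    # anything further left is whatever the client chose to send.
    for token in reversed(hops):
        addr = _parse(token)
        if addr is None:
            break                      # malformed entry: stop trusting the chain
        candidate = addr
        if not _is_trusted(addr, trusted):
            break                      # first hop outside our proxies = client
    return str(candidate)

# Constructed sample requests: (peer, X-Forwarded-For values).
SAMPLES = [
    ("213.148.6.78", ["198.51.100.7"]),             # normal proxied request
    ("213.148.6.78", ["10.0.0.1, 203.0.113.9"]),    # client-supplied first entry
    ("203.0.113.50", ["127.0.0.1"]),                # direct hit, forged header
]
if __name__ == "__main__":
    for peer, xff in SAMPLES:
        print(peer, xff, "->", client_ip_for_log(peer, xff))
```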