Hi Malcolm,

On Thu, May 14, 2009 at 07:58:53PM +0100, Malcolm Turnbull wrote:
> Has anyone tried getting stunnel to terminate SSL transparently to
> haproxy which then TPROXIES HTTP to the client?
> i.e. source ip transparency for both SSL terminated traffic and normal
> haproxy traffic.
> Or am I asking a bit much?

never tried. However, I wanted to do it differently. If we implement
the transparent source binding to the IP in a request header, we can
do this easily with the x-forwarded-for patch for stunnel. The idea
would be to have stunnel add an x-forwarded-for header giving us the
client's IP, then haproxy would be configured this way:

    source 0.0.0.0 usesrc hdr(x-forwarded-for)

and would connect to the server using the IP passed by stunnel (when
found and valid).

Also, I don't know if you ever use conntrack on your product, but I
would preferably avoid having multiple entries with the same src->dst
values depending on the config (client->stunnel, stunnel->haproxy,
haproxy->server).

Regards,
Willy
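A worked haproxy configuration for the two-path setup discussed above (plain HTTP bound to the real client address, stunnel-terminated traffic bound to the address carried in X-Forwarded-For), added here as an example and not taken from the thread. It assumes constructed addresses (192.0.2.10 for the public listener, 127.0.0.1:8080 for the stunnel-to-haproxy hop, 10.0.0.11 for the backend), a haproxy built with TPROXY support, and the `hdr_ip()` form in which released haproxy versions expose this feature rather than the `hdr()` spelling used in the mail. The point a practitioner should not skip is that the header-driven listener only accepts connections from stunnel's own address, so an outside client cannot supply a forged header and have haproxy bind to an arbitrary source IP.

```haproxy
global
    # usesrc needs haproxy built with TPROXY support and enough privilege
    # (root or CAP_NET_ADMIN) to bind to a foreign source address.

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain HTTP straight from clients: haproxy sees the real peer address
# and can bind to it directly.
frontend http_in
    bind 192.0.2.10:80
    default_backend web_direct

# Decrypted traffic handed over by stunnel on the same host. Only the
# loopback peer is accepted, so nobody outside can reach this listener
# with a hand-crafted X-Forwarded-For and spoof the source binding.
frontend from_stunnel
    bind 127.0.0.1:8080
    acl from_local src 127.0.0.1
    tcp-request connection reject if !from_local
    default_backend web_via_stunnel

backend web_direct
    # Source-transparent connection using the TCP peer address.
    source 0.0.0.0 usesrc clientip
    server web1 10.0.0.11:80

backend web_via_stunnel
    # Source-transparent connection using the address stunnel put in the
    # header; if the header is missing or not a valid IP, haproxy falls
    # back to the default source address.
    source 0.0.0.0 usesrc hdr_ip(X-Forwarded-For)
    server web1 10.0.0.11:80
```

Because the server-side connection carries the client's address as its source, the return path from 10.0.0.11 must route through the haproxy host (the usual TPROXY routing setup), and each hop still creates its own conntrack entry, which is the duplication the mail mentions.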